Who Is Behind Petya?

The main suspect behind the recent global ransomware attack is a hacking group with suspected ties to Russia and a history of launching destructive computer viruses, according to research conducted by Czech cybersecurity firm ESET.

The company has pegged the attack to a group known as Telebots or Sandworm.
“The TeleBots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spear-phishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack,” writes Anton Cherepanov, a senior malware researcher with ESET, in a blog post. 
“The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’ spreading capabilities.”

While the spread of so-called PetrWrap or NotPetya turned into global news as thousands of computers were locked down by the virus, the incident plays into a larger and already established narrative of hackers repeatedly using wiper malware and defunct ransomware, code designed to destroy or effectively lock data, against targets in Ukraine.

Researchers have attributed some of these past attacks, which share certain commonalities with PetrWrap, to Telebots. ESET pointed to three separate incidents recently in a report that ties PetrWrap to previous Telebots’ exploits. Analysts discovered that PetrWrap carries code that aligns with the tactics, techniques, and procedures of the Russian hacking group. For example, in December 2016, Telebots launched an operation to spread ransomware in Ukraine that similarly provided no avenue for victims to pay off the hackers, and which included KillDisk malware to destroy files. 

Instead of a ransom note with instructions displayed on affected computers’ screens, the malware offered a useless picture of a logo popularised by a television show.
“In the final stage of its attacks, the TeleBots group always used the KillDisk malware to overwrite files with specific file extensions on the victims’ disks,” ESET said of the December 2016 incident. 
“Putting the cart before the horse: collecting ransom money was never the top priority for the TeleBots group.”

Earlier this year, between January and March 2017, the same attack infrastructure was used to send more ransomware largely aimed at Ukrainian companies. In this incident, the malware offered a legible ransom note demanding an outrageous payment of $250,000 worth of bitcoin to unlock each computer.

Researchers believe that the lofty payment was a sign that the attack’s true intent was never financial. Notably, the January 2017 attack was able to spread inside localised computer networks by leveraging a pair of typically benign Microsoft system admin tools, named imikatz and SysInternals’ PsExec, for malicious purposes.

PetrWrap used these exact same tools, in addition to an NSA authored backdoor and exploit that was leaked to the public in April, to proliferate internationally. It’s believed that PetrWrap spread outside the country, because of VPN’s connecting of foreign businesses to, Ukrainian organisations.

Fit for Disruption 
Ukraine was the country hardest hit by PetrWrap, according to Kaspersky Lab. Evidence indicates that PetrWrap was engineered in such a way to specifically disrupt Ukrainian organisations and their affiliates. 

Experts are increasingly warming up to the idea that a nation state was involved in the launch of PetrWrap because of the fact that the ransomware itself is coded in a manner that makes it clear the authors favored disruption over financial gain.
Researchers from Cisco and Kaspersky Lab found that an infected update from accounting software company MeDoc provided the initial infection vector. MeDoc’s use is mandated by the Ukrainian government. In the past, a possibly compromised MeDoc update server carried telltale signs of Telebots activity, according to ESET.
“We identified a malicious PHP backdoor that was deployed under medoc_online.php in one of the FTP directories on M.E.Doc’s server,” ESET’s report notes. This server previously sent out a VBS backdoor that has been linked to TeleBots. The finding is significant because it underscores the fact that Telebots is familiar and capable of sending malware through MeDoc’s infrastructure.

After initially pushing back against claims that it’s software was responsible for a global ransomware outbreak, MeDoc stated that it is now conducting an investigation into the matter. Ukrainian police and the FBI are said to be involved.

Cyberscoop:

You Might Also Read:

Ukrainian Security Call in FBI, NCA & Europol:

Fallout From Petya On Global Shipping:

Ukraine Police Trace Petya Attack Source:
 

« Are Corporate Cyber Defenses Adequate?
Biometric Products Can Help Cybersecurity »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

DigitalStakeout

DigitalStakeout

DigitalStakeout enables cyber security professionals to reduce cyber risk to their organization with proactive security solutions, providing immediate improvement in security posture and ROI.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

Computer & Communications Industry Association (CCIA)

Computer & Communications Industry Association (CCIA)

CCIA supports efforts to facilitate and streamline information sharing on cyber threats between the private sector and the Federal Government.

Atlantic Council Digital Forensic Research Lab (DFRLab)

Atlantic Council Digital Forensic Research Lab (DFRLab)

The Atlantic Council’s DFRLab has operationalized the study of disinformation by exposing falsehoods and fake news, documenting human rights abuses, and building digital resilience worldwide.

VietSunshine

VietSunshine

VietSunshine is a leading provider of network security infrastructure and solutions in Vietnam.

CERT.lu

CERT.lu

CERT.lu is an initiative to enhance cyber security practices and techniques, and support security professionals in Luxembourg.

Polish Centre for Accreditation (PCA)

Polish Centre for Accreditation (PCA)

PCA is the national accreditation body for Poland. The directory of members provides details of organisations offering certification services for ISO 27001.

RIA in a Box

RIA in a Box

MyRIACompliance combines our team of RIA compliance experts with an online software platform to help investment advisers better manage regulatory compliance and cybersecurity responsibilities.

Inpher

Inpher

Inpher has pioneered cryptographic Secret Computing® that enables advanced analytics and machine learning while keeping data private, secure, and distributed.

FortKnoxster

FortKnoxster

FortKnoxster is a cybersecurity company within the Crypto & FinTech space. Our encryption technologies are blockchain integrated.

Noetic Cyber

Noetic Cyber

Noetic provides a proactive approach to cyber asset and controls management, empowering security teams to see, understand, and optimize their cybersecurity posture.

Data Protection Commission (DPC)

Data Protection Commission (DPC)

The Data Protection Commission (DPC) is the national independent authority responsible for upholding the fundamental right of individuals in the EU to have their personal data protected.

Jit

Jit

Jit empowers developers to own security for the product they are building from day zero.

StarLink

StarLink

StarLink is an acclaimed Value-Added Distributor across the Middle East, Turkey and Africa regions with on-the-ground presence in 20 countries including UK and USA.

Anatomy IT

Anatomy IT

Anatomy IT empowers healthcare providers to deliver exceptional patient care with cutting-edge technology and cybersecurity solutions.

Worksent Technologies

Worksent Technologies

Worksent is a Trusted white-label offshore support partner for MSPs and MSSPs.

Hiya

Hiya

Hiya's mission is to secure voice with trust, identity and intelligence. We're protecting people from spam and fraud calls, and helping carriers secure their networks for all.

Defence Logic

Defence Logic

Defence Logic is a cyber security company serving clients in many business sectors. Our consultancy services include Penetration Testing, Security Reviews and Monitoring.