Maerk is a Danish-based cargo supply shipment company that is responsible for one-fifth of global freight operations. In 2017, Maersk’s Ukraine subsidiary was infected with a malware that caused over 200 million dollars in financial impact, and over 10 billion dollars in global damages. The malware is known as NotPetya and is said to be attributed to the Russian hacker group called Sandworm. Russia denies its involvement with the cyber-attack but the behavior of the malware resembles previous tactics used by Sandworm. Previous cyber-attacks that have been linked to Sandworm involves using fake ransomware. To elaborate, the group would deploy an exploit that resembles a ransomware and would ask for bitcoin in exchange for the key used for decryption. Unbeknownst to the target is the fact that there is no key that can unlock their resources. Even after a target pays the ransom, their system is still damaged beyond repair.
Prior to the release of NotPetya, Ukraine has been the victim of a cyber-attacks that affected power grids, government IT-resources, and network operations across the country. Cyber warfare can now be joined with traditional warfare to provide hybrid effects within a battlefield. Attackers employ cyber weapons to target adversaries, while remaining anonymous. Lockheed Martin developed the Cyber Kill Chain as a systematic approach to the lifecycle of a cyber attack. The Cyber Kill Chain is a seven-step process that can be used to perform a post-mortem analysis of a cyber attack. To better explore the lifecycle of NotPetya, the Cyber Kill Chain will be used for analysis.
Step 1: Reconnaissance
The adversary that affected Maerk conducted reconnaissance of their target environment prior to the launch of NotPetya. The adversary decided to exploit the trust relationship between Maersk and M.E Doc. M.E Doc is a software vendor that provides accounting software to the country of Ukraine. The accounting system is mandated by the Ukrainian government and is relied upon by a large population of Ukrainian businesses. As attackers perform reconnaissance of their target, they also search for threat vectors outside the target’s organization. The adversary performed reconnaissance of M.E Doc’s computing environment months prior to the launch of NotPetya. The results from the reconnaissance allowed the adversary to devise their cyber weapon.
Step 2: Weaponization
Once reconnaissance of the target environment is completed, the adversary can now begin to craft his or her exploit. M.E Doc was the threat agent of the NotPetya malware. The adversary was able to infect the software code of M.E Doc with a series of backdoors. These backdoors allowed for remote code execution from the attacker. The attackers were able to infect the update server of M.E Doc after discovering vulnerabilities within its environment.
Step 3: Delivery
The adversary delivered its payload through the update server of M.E Doc. Instead of receiving software updates, the clients of M.E Doc received the NotPetya virus. The attackers used the EternalBlue vulnerability to deliver its payload to other connected systems. EternalBlue exploits a vulnerability within the server message block service. The adversary exploited interconnected systems, regardless of not having the M.E Doc software installed. Once delivered, the code transverses to infect other systems with an open server message block protocol port.
Step 4: Exploitation
The attackers were able to infect the update server of M.E Doc with instructions to propagate its malicious code, instead of pushing out its software updates to M.E Doc’s clients. This exploitation also exploits the trust relationships between M.E Doc and its clients.
Step 5: Installation
NotPetya was initially installed in target systems that require automatic updates from M.E Doc’s update server. Once installed, the virus acts as a cryptolocker, locking the user out of his or her system and demanding a ransom in the form of bitcoin. As the infected resource is degraded, the malware transverses to neighboring computers and servers.
Step 6: Command and Control
Once M.E Doc’s backdoor vulnerability was exploited, adversary would connect to the affected system through its command and control server. The command and control capabilities within the code of NotPetya included the ability to launch its exploit, open a command shell, write data to specific files, and execute commands masquerading as a known user. These instructions could be executed remotely by the adversary.
Step 7: Actions on the Objective
The payload of NotPetya is a malware that affects the file systems residing in Windows environments. Once infected, NotPetya encrypts the master file table within a system, steals user credentials, and pivots to other computers residing within the affected network through the server message block port. Unlike most ransomware, even if a user pays the bounty, the effects of NotPetya will not be reversed.
As technological advances continue to connect us to remote resources, organizations accept the risks associated with an interconnected world. Cyber warfare has evolved to introduce kinetic effects that can degrade and disrupt normal operations of servers. These kinetic effects are most destructive to critical resources such as power grids, water treatment facilities, and poses a threat to global supply chains. The actors behind NotPetya most likely spent the majority of time conducting reconnaissance on potential threat agents. This is evident by the large-scale effects of the cryptovirus. Because the attack methodology closely resembles that of WannaCry, it seems like the attack was meant to infect as many systems as possible with no defined end goal. The attackers were able to overlap some steps within the Cyber Kill Chain. To elaborate, steps five through seven of the Cyber Kill Chain all occur in seconds within an infected environment. Once the NotPetya payload was delivered, the actions on objective was conducted.
The speed of propagation of NotPetya is the fastest amongst all previously deployed malware. Due to its speed and devastating effects, Craig Williams, director of outreach at Cisco’s Talos division states that “by the second you saw it, your data center was already gone.” There was not much that Maersk or other victims could have done once the attack has reached step five within the Cyber Kill Chain.
A lesson learned from NotPetya is even is your systems are protected, attackers can exploit your affiliates and use your trust relationship to gain access to your systems. The best defense for your organization is to align your layered defense strategy to mitigate the impact of a compromised affiliate. Additionally, maintain an effective patching schedule and close unused ports to minimize your threat exposure. Given the speed of propagation of NotPetya, we must defend ourselves against every step within the Cyber Kill Chain. As our adversaries construct cyber weapons that can cause significant fiscal impacts, you must account for every avenue of approach that an attacker may utilize to gain access to your systems. I recommend ensuring that organizations that you conduct business with are maintaining operational security. Do not expose your systems to compromised environments. Even with a secure architecture, your adversaries may gain access by first infecting your trusted affiliates.