Executive Summary
On June 27th, 2017, the day before Ukraine's Constitution Day, the country was hit by a malware attack. The malware, delivered through the hijacked software supply chain of an accounting product used by most Ukrainian businesses, spilled beyond the country's borders and caused unprecedented damage to multiple international companies. Global damages from the attack are estimated at approximately 10 billion US dollars.
Architecture of the Attack
The attackers distributed the malware by compromising the update servers of M.E.Doc, an accounting package developed by the Ukrainian company Linkos Group, so that it reached victims as a legitimate, trusted software update. Because the initial vector was an expected update from a known vendor, it raised no red flags in detection systems. Practically every business that files taxes in Ukraine ran M.E.Doc, so all of them were potential endpoints for the malware. While initial delivery relied on the update, the malware then propagated rapidly on its own using two tools: the EternalBlue SMB exploit, developed by the NSA and leaked by the group calling itself the Shadow Brokers, and a credential-extraction component based on the open-source Mimikatz tool. The stolen credentials mattered because they let the malware move laterally to hosts that were already patched against EternalBlue. The combination of these two propagation methods, together with a design that was completely indiscriminate, with no kill timer, no geographic restriction on execution, and no other guardrails, is what carried the malware across Ukraine's borders.
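The worm-style propagation described above (one host suddenly opening SMB sessions to many peers, first with an exploit and then with stolen credentials) is visible in network telemetry long before encryption starts. The following is an added example, not code from the original report or from any of the organizations it names: a small Python detector that flags a source host contacting an unusual number of distinct internal hosts on TCP 445 within a short window. The flow-log format, the sample records, the 10.0.1.x addresses and the threshold of five targets in sixty seconds are all constructed assumptions for illustration; adapt the parser to your own firewall or NetFlow export and tune the threshold against a baseline so that legitimate file servers are not flagged.

```python
"""Heuristic detection of SMB fan-out (worm-style lateral movement).

Added example, not from the original report. The log format below is a
constructed, simplified flow-log format (timestamp, src, dst, dport);
adapt the parser to your own firewall/NetFlow export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records: "ISO-timestamp src_ip dst_ip dst_port".
# 10.0.1.15 behaves like an infected workstation sweeping its subnet on 445;
# 10.0.1.40 talks to a single file server; 10.0.1.50 is unrelated HTTPS.
SAMPLE_FLOWS = """\
2017-06-27T10:30:00 10.0.1.15 10.0.1.20 445
2017-06-27T10:30:01 10.0.1.15 10.0.1.21 445
2017-06-27T10:30:01 10.0.1.15 10.0.1.22 445
2017-06-27T10:30:02 10.0.1.15 10.0.1.23 445
2017-06-27T10:30:02 10.0.1.15 10.0.1.24 445
2017-06-27T10:30:03 10.0.1.15 10.0.1.25 445
2017-06-27T10:30:03 10.0.1.15 10.0.1.26 445
2017-06-27T10:30:04 10.0.1.15 10.0.1.27 445
2017-06-27T10:30:10 10.0.1.40 10.0.1.5 445
2017-06-27T10:31:00 10.0.1.40 10.0.1.5 445
2017-06-27T10:32:00 10.0.1.50 10.0.1.7 443
"""

SMB_PORT = 445


def parse_flows(text):
    """Parse the constructed format into (ts, src, dst, dport) tuples,
    skipping blank or malformed lines instead of aborting on them."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            dport = int(parts[3])
        except ValueError:
            continue
        flows.append((ts, parts[1], parts[2], dport))
    return flows


def smb_fanout_sources(flows, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `min_targets` distinct hosts on port 445 inside any sliding window
    of length `window`. A file server being contacted by many clients is
    normal; a single host *initiating* SMB to many peers is the worm pattern."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == SMB_PORT:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # chronological, so the slice below is a valid window
        for i, (start, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    hits = smb_fanout_sources(parse_flows(SAMPLE_FLOWS))
    for src, n in hits.items():
        print(f"ALERT: {src} opened SMB to {n} distinct hosts within 60s")
```

On the constructed sample, only 10.0.1.15 is flagged (eight distinct targets in four seconds); the host repeatedly reaching one file server and the HTTPS traffic are ignored. In production the same logic would be fed from an aggregated flow source and combined with an allow-list of known SMB servers and backup systems.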
On the surface the malware resembled ransomware: it displayed a ransom note offering to decrypt the infected machine in exchange for payment. In practice recovery was impossible, even for victims who paid. The malware wiped or irreversibly encrypted the infected devices. It was named NotPetya because the attack resembled the Petya ransomware seen in March 2016, but turned out not to be Petya at all. NotPetya was a wiper disguised as ransomware.
Result of the Attack
NotPetya achieved what it was designed to do. Up to 80% of businesses in Ukraine were affected. Widespread disruption across government, transportation, energy, finance and other sectors caused substantial operational paralysis and data loss; damages in Ukraine alone are estimated at around $850 million.
The malicious M.E.Doc update reached every company that used the software or was connected to a network that used it. Among the victims were FedEx, Maersk, Saint-Gobain, Reckitt Benckiser and Mondelez, all publicly traded companies that had to disclose the attack to shareholders, and many others that never acknowledged it. Because the attack spilled beyond Ukraine and infected multiple international companies, a large share of the reported cost consists of opportunity costs such as lost sales and reduced productivity, bringing the global estimate to about 10 billion US dollars. This figure should be treated as a floor rather than a ceiling: many companies never acknowledged that they had been hit, so the real damage is likely higher.
For example, Maersk's international network was infected through a single computer in the company's Ukrainian office in Odessa that had M.E.Doc installed. That one machine served as the entry point into Maersk's network. Once activated, the malware propagated rapidly across Maersk's global infrastructure, crippling port operations and knocking out workstations. Maersk's case is proof that a cyberattack can have physical effects without touching any ICS component.
NotPetya spread even into Russia, hitting companies such as Rosneft, EVRAZ and Vitro, where total damages are estimated at around $200 million. The damage outside Ukraine is generally assumed to be collateral and unintended, a consequence of the poor architecture of the attack, which speaks to the recklessness of its authors. Because it is hard to explain damage on this scale by negligence and carelessness alone, a more plausible hypothesis is that NotPetya's authors wanted to signal to the world that doing business in Ukraine carries severe consequences.
Motivation of the Attack
Given the initial delivery method, we can assume with a high degree of confidence that the attackers intended to target Ukraine. Although the attack looked at first like a financially motivated ransomware operation, it quickly became clear that the intent was political: to sow chaos, sabotage infrastructure, demoralize the population, destabilize the Ukrainian economy and deter foreign investment. In the wider context, NotPetya was one more in a series of cyberattacks against Ukraine. In December 2015 Russia attacked the power grid in western Ukraine, and in December 2016 a second attack hit a Kyiv transmission substation. These attacks continued through 2022 and are still ongoing.
Attribution of the Attack
Both the timing and the context of the attack point to a Russian-affiliated actor. On October 19th, 2020, the US Department of Justice indicted six Russian officers of GRU Unit 74455, also known as "Sandworm." The European Parliament, the Five Eyes countries and a short White House press statement all point to Sandworm as well. We can therefore attribute the attack with a high level of confidence to Sandworm, which is assessed to be part of the Russian GRU.
Conclusion
NotPetya can be classed as a destructive attack rather than an espionage operation because it showed none of the characteristics of espionage: no data was stolen, only destroyed. Its technical design, its target and its timing all confirm this. Whether or not the spillover was intentional, NotPetya underlines the need for more secure software supply chains and for guardrails and assessment of collateral damage in any offensive operation. The attack also raised still largely unresolved questions about cyber insurance claims and "war exclusion" clauses, and about whether such actions constitute acts of war.