Security firm sees link between NotPetya and previous attacks in Ukraine


Slovak security firm ESET has published a further analysis of NotPetya. It sees a connection between last Tuesday's attack and earlier attacks in Ukraine, which it attributes to the so-called TeleBots group.

In the analysis, ESET lists several precursors to last Tuesday's attack. The TeleBots group was initially concerned mainly with attacks on financial service providers. The group is also allegedly linked to the BlackEnergy group that attacked the Ukrainian power grid in late 2015; in that campaign the so-called KillDisk malware was used to overwrite files. Over the course of 2016, attacks with KillDisk continued, and the group added a ransom message to the malware demanding 222 bitcoin for "decryption". From this unrealistic amount, ESET concludes that the group was not motivated by financial gain.

In 2017, the attacks continued and became more sophisticated: the group used two different backdoors and added further tools, including a modified variant of Mimikatz to steal passwords from memory and PsExec to spread across the network. The same tools were later used in the distribution of NotPetya. On May 18, ESET detected an attack with the so-called XData ransomware. It used the same tools and, as with NotPetya, was distributed through MeDoc's accounting software. ESET assumes that this was a test run.

Then came last Tuesday's attack, in which TeleBots borrowed parts of the Petya ransomware but made sure that decryption was no longer possible. According to the company, the list of file extensions targeted by the ransomware component bears a strong resemblance to that of the KillDisk malware. In addition to the tools already mentioned, NotPetya used the EternalBlue and EternalRomance exploits and a third mechanism to spread further across internal networks.

ESET also has some notable findings regarding the known distribution via the MeDoc software. The company found a PHP backdoor on one of MeDoc's FTP servers, which made it possible to push a malicious update to customers in what is known as a supply chain attack. The malware also spread to foreign companies that were connected to affected organizations via VPN. According to ESET, the attack did target companies in Ukraine, but the attackers underestimated its ability to spread. Microsoft estimates that 70 percent of affected systems are located in Ukraine, with Windows 7 reportedly the most affected version. Figures from Avast point the same way; like Microsoft, Avast puts the number of affected systems worldwide at about 20,000.
