Analysts at several cybersecurity firms have confirmed that a cyberattack that struck Europe on Tuesday is using a powerful and dangerous cyberweapon created by the National Security Agency and leaked in April.
The cyberattack, dubbed “Petya,” bears the hallmarks of last month’s “WannaCry” ransomware attack, which swept across 150 countries and crippled transportation systems and major hospitals. Petya is using an NSA zero-day exploit known as EternalBlue to spread.
Zero-day exploits are tools that take advantage of software vulnerabilities, which hackers can use to get into computer programs and data. EternalBlue exploits a flaw in Microsoft Windows and was part of a slew of NSA cyberweapons posted online in April by the hacker group Shadow Brokers.
Matthew Hickey, a security expert, told Ars Technica that the leak was “by far the most powerful cache of exploits ever released.”
“It effectively puts cyberweapons in the hands of anyone who downloads it,” Hickey added.
Greg Martin, CEO of the cybersecurity firm JASK, described EternalBlue as “a universal skeleton key.”
“For many, many years, while it was a secret, the NSA could use [EternalBlue] to unlock any door of any computer network in the world,” Martin said. “It was the ultimate cyberweapon for espionage.”
A variation of EternalBlue was used in May’s WannaCry attack, which was stalled and shut down when Marcus Hutchins, a 22-year-old security researcher in England, found and activated a “kill switch” in the code. Since then, hackers have been tweaking WannaCry’s code to get around a potential kill switch and carry out a more widespread global attack, Politico reported.
Petya’s code was written on June 18, according to Kaspersky Lab, a Russian cybersecurity firm.
Petya is more sophisticated than WannaCry, said Alex Hamerstone, a cybersecurity expert at TrustedSec.
“It appears to use a lot of the same elements [as WannaCry], but it’s spreading and replicating itself in a more sophisticated way,” he said. “And this attack is not just encrypting files – it’s encrypting at a deeper level than that.”
The cybersecurity firm FireEye told The Financial Times that rather than encrypting files, Petya holds the entire system hostage until a ransom has been paid.
The ransomware hit several European countries and corporations, including Ukraine’s central bank and its capital’s main airport; the Russian state-owned oil giant, Rosneft; the British advertising company WPP; the pharmaceutical giant Merck; and the shipping company A.P. Moller-Maersk.
Though it’s unclear how far-reaching Petya’s consequences will be, “they’ll likely be quite large,” Hamerstone said. “They’re taking down systems and shutting down companies.”
The malware demands a ransom in bitcoin for victims to recover their data. Twenty-seven victims had paid as of Tuesday afternoon, according to Politico.
After the attack, Merck reportedly instructed all employees to turn off their work computers indefinitely amid a “companywide shutdown.”
Martin said the implications of Tuesday’s attack were “really scary, because these sophisticated cyberweapons are out in the open. Any cybercriminal, terrorist organization, or foreign government can take these tools, weaponize them, and run their own attack.”
‘Ukraine was targeted’
So far, experts have found that Ukraine was the hardest hit, followed by Russia.
The Ukrainian central bank said Tuesday that an “unknown virus” was the culprit of attacks leveled against it.
“As a result of these cyberattacks these banks are having difficulties with client services and carrying out banking operations,” the bank said in a statement.
The country’s official Twitter account also put out a statement: “Some of our gov agencies, private firms were hit by a virus. No need to panic, we’re putting utmost efforts to tackle the issue.”
Petya also forced Ukraine’s Chernobyl plant to switch to manual radiation monitoring.
Martin said that although Ukraine was the hardest hit, it was “not any more vulnerable than the US or Canada or the UK.”
Instead, he said he believed that because of its tumultuous political climate, “Ukraine was targeted by bad actors who are using it as a cyberweapon testing ground over the past couple of years.”
In 2015, a massive cyberattack leveled against the country’s power grid cut electricity to almost 250,000 Ukrainians. Cybersecurity experts linked the attack to IP addresses associated with Russia. Since then, an increasing number of Ukrainian corporations and government agencies have been hit by cyberattacks in a “rapid, remorseless succession,” Wired magazine’s Andy Greenberg reported last week.
Ukraine is now host to what may turn into a full-blown cyberwar, Greenberg reported. Two separate attacks on the country’s power grid were part of a “digital blitzkrieg” that had been waged against Ukraine for the past three years.
“You can’t really find a space in Ukraine where there hasn’t been an attack,” Kenneth Geers, a NATO ambassador focusing on cybersecurity, told Wired.
It’s unclear where Tuesday’s cyberattack originated.
“In cases like this and with the WannaCry attack, we can see that bad actors, whoever they may be, can continually up the ante and sophistication of how damaging these attacks are,” Martin said.
He added that “this is about unfettered access and being able to infect any machine in the world.”
May’s WannaCry attack was linked to the North Korean government, “and although North Korea is well-organized, they’ve been shown to have lots of mistakes in attacks they’ve waged in the past,” Martin said.
If Petya is found to have originated from hackers with links to Russia, however, “we can expect that this attack will be much more far-reaching and sophisticated.”