Analysis of The NotPetya Catastrophe


COMP 7003

Assignment 1
NotPetya: Perpetrator of a Notorious Cyber-Attack

Kevin Baumann Nery Huerta


A01059890

September 17, 2024


Table of Contents
Executive Summary
Introduction
  Historical Background
Technical Analysis
  Delivery Mechanisms
  Capabilities
  Payload and Impact
Preventative Measures
  Lessons Learned
Broader Implications and Conclusion
References
Executive Summary
This investigation explores the damaging malware attack known as NotPetya, which
surfaced in June 2017 and initially targeted Ukrainian infrastructure before quickly
spreading to other networks throughout the world. NotPetya was first thought to be a
variant of the Petya ransomware, but its real goal was broad damage to vital
infrastructure, especially in Ukraine, rather than monetary gain. By exploiting the
EternalBlue vulnerability, the malware caused significant harm to the shipping,
healthcare, and energy industries.
The report's primary conclusions center on the methods by which NotPetya
spread, including its infiltration of systems through EternalBlue and MeDoc's update
mechanism, its ability to destroy data, and its wider effects on international
cybersecurity regulation. This essay highlights the weaknesses NotPetya exposed by
examining its technical complexity, geopolitical significance, and the lessons learned
from the attack.

Introduction
Historical Background
Shortly before Ukraine's Constitution Day on June 27, 2017, NotPetya surfaced
during a time of geopolitical tension between Russia and Ukraine. NotPetya initially
disguised itself as a Petya ransomware clone, but its main goal was broad harm, especially
to Ukrainian infrastructure. The malware, which took advantage of the EternalBlue
vulnerability on unpatched Microsoft Windows systems, was spread through the MeDoc
accounting program.
Significant cyberattacks had already occurred in Ukraine, notably the power grid
breaches in 2015 and 2016, which were attributed to Russian state-sponsored
groups. NotPetya's effects swiftly extended beyond Ukraine, resulting in billions of
dollars' worth of damage to multinational corporations such as FedEx, Maersk, and Merck. The
attack, largely attributed to a Russian cyber operation, demonstrated the growing threat of
state-sponsored cyber warfare that pursues political objectives with worldwide collateral
consequences. It marked a turning point in the understanding of cyberthreats to critical
infrastructure, prompting enterprises around the world to reevaluate their approaches to
disaster recovery and cybersecurity.

Technical Analysis
Delivery Mechanisms
NotPetya's initial distribution relied on a compromised version of MeDoc, an
accounting program prevalent in Ukraine and comparable to TurboTax or Quicken. The malware
abused the application's update mechanism by masquerading as a legitimate software
update. This tactic not only exploited the trust placed in the vendor but also passed
digital signature verification, which lent the malware further authenticity and allowed it
to bypass security software. As Wired states, “[the] hackers hijacked the company’s update
servers to allow them a hidden back door into the thousands of PCs around the country and
the world that have MeDoc installed.” By leveraging this method, NotPetya reached a vast
user base without raising immediate suspicion.

Central to NotPetya’s infection strategy was the exploitation of the EternalBlue
vulnerability, identified as CVE-2017-0144 (Microsoft) in the Common Vulnerabilities and
Exposures (CVE) catalog. EternalBlue “is a form of ransomware built using hacking tools
that were stolen from the US National Security Agency and dumped online” (New Scientist).
The vulnerability resides in the Microsoft Server Message Block version 1 (SMBv1)
protocol, which provides file sharing and network communication between Windows systems.
EternalBlue allows an attacker to execute arbitrary code on a target system by sending
crafted packets to the SMB server; once that code runs, the attacker gains control over
the system's operating environment.
The exploit leverages the SMB Direct feature, which “leverages the full throughput
of high speed networks” (Microsoft) but also opens a vector for exploitation because of its
reliance on outdated protocol versions. According to Wired, “EternalBlue takes advantage
of a vulnerability in a particular Windows protocol, allowing hackers free rein to remotely
run their own code on any unpatched machine,” emphasizing its effectiveness in spreading
malware across unprotected systems.

After compromising an initial system, NotPetya utilized Mimikatz, a powerful tool
designed for credential harvesting. Mimikatz operates by accessing the Windows Local
Security Authority Subsystem Service (LSASS), which stores user credentials. It employs
techniques such as pass-the-hash and pass-the-ticket, allowing the attacker to use stolen
hashed credentials or Kerberos tickets for lateral movement across the network.

NotPetya's ability to propagate rapidly through a network hinged on the use of
PsExec and WMIC.
• PsExec allows an attacker to execute processes on remote systems from the
command line. By running a command such as “psexec \\target -u user -p pass
cmd.exe” (Microsoft), NotPetya could launch a shell on the target machine, enabling it
to install and execute malicious payloads.

• WMIC (Windows Management Instrumentation Command-line) is a powerful tool for
querying and manipulating systems remotely. NotPetya used WMIC commands to execute
commands on remote machines and facilitate its spread. For example, it could use
“wmic /node:"target" process call create "malware.exe"” (Microsoft) to trigger
execution on a remote host.

This combination of tools allowed NotPetya to perform what is known as Remote
Code Execution (RCE), using stolen credentials to bypass network security measures
and spread laterally within the organization.
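The PsExec, WMIC and LSASS-access behaviours described above are also what a defender looks for in endpoint telemetry. The following detection logic is an added example, not code from the report or from any of its cited sources: it runs three rules over constructed Sysmon-style process-creation and process-access events (hostnames, users and paths are hypothetical).

```python
import re

# Constructed Sysmon-style telemetry (event 1 = process create, 10 = process access).
# Hosts, users and paths are hypothetical.
EVENTS = [
    {"event_id": 1, "host": "WS-01", "user": "CORP\\alice", "target_image": "",
     "image": "C:\\Windows\\System32\\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"event_id": 10, "host": "WS-01", "user": "CORP\\alice", "cmdline": "",
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"event_id": 1, "host": "WS-01", "user": "CORP\\alice", "target_image": "",
     "image": "C:\\Tools\\psexec.exe",
     "cmdline": "psexec \\\\FS-02 -u CORP\\svc_backup -p ******** cmd.exe"},
    {"event_id": 1, "host": "WS-01", "user": "CORP\\alice", "target_image": "",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": 'wmic /node:"FS-03" process call create "C:\\Windows\\Temp\\malware.exe"'},
]

# Rule 1: PsExec launched against a remote host (psexec \\target ...).
PSEXEC_RE = re.compile(r"\bpsexec(?:64)?(?:\.exe)?\s+\\\\(\S+)", re.IGNORECASE)
# Rule 2: WMIC remote process creation (wmic /node:"target" process call create ...).
WMIC_RE = re.compile(r'\bwmic(?:\.exe)?\s+/node:"?([^"\s]+)"?.*\bprocess\s+call\s+create\b',
                     re.IGNORECASE)
# Rule 3: a handle to lsass.exe opened by a binary outside trusted system locations,
# which is how credential-dumping tools such as Mimikatz read LSASS memory.
LSASS_TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")


def check_event(ev):
    """Return (rule_name, detail) when an event matches a rule, else None."""
    if ev["event_id"] == 10 and ev["target_image"].lower().endswith("\\lsass.exe"):
        if not ev["image"].lower().startswith(LSASS_TRUSTED_DIRS):
            return ("lsass_access", f"{ev['image']} opened lsass.exe on {ev['host']}")
    if ev["event_id"] == 1:
        m = PSEXEC_RE.search(ev["cmdline"])
        if m:
            return ("psexec_remote_exec", f"{ev['host']} -> {m.group(1)}")
        m = WMIC_RE.search(ev["cmdline"])
        if m:
            return ("wmic_remote_exec", f"{ev['host']} -> {m.group(1)}")
    return None


def scan(events):
    """Apply check_event to every event and keep only the hits, in order."""
    return [hit for hit in map(check_event, events) if hit]


if __name__ == "__main__":
    for rule, detail in scan(EVENTS):
        print(f"[{rule}] {detail}")
```

In a real deployment the same rules would be fed from Sysmon or EDR events rather than an inline list, and the trusted-directory allow-list for LSASS access would be tuned to the organisation's security agents.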
Once inside an internal network, NotPetya demonstrated an exceptionally rapid
propagation rate. The malware was designed to scan the network for vulnerable systems
using techniques such as:

• Network Scanning: Using NetBIOS and port scanning, NotPetya identified devices
connected to the same local area network and attempted to connect to them via SMB.

• Credential Replay: Using credentials obtained through Mimikatz, the malware
performed a credential replay attack, allowing it to access additional machines
without requiring new authentication.

As Thomson noted, “Once inside a corporate network, this well-oiled destructive
program worms its way from computer to computer, trashing the infected machines'
filesystems.” These techniques enabled NotPetya to execute its payload across
numerous systems in a short timeframe, underscoring the malware's design for maximum
damage.
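The scanning behaviour described above shows up in network telemetry as one host opening SMB connections to many neighbours within seconds. The following sliding-window fan-out detector is an added example, not code from the report; the flow records, addresses and thresholds are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records (timestamp, src, dst, dport); all hosts are hypothetical.
# 10.10.5.21 behaves like a worm; 10.10.5.40 mounts two file shares 14 minutes apart.
FLOWS = [
    ("2017-06-27T10:30:00", "10.10.5.21", "10.10.5.1", 53),
    ("2017-06-27T10:30:02", "10.10.5.21", "10.10.5.30", 445),
    ("2017-06-27T10:30:03", "10.10.5.21", "10.10.5.31", 445),
    ("2017-06-27T10:30:03", "10.10.5.21", "10.10.5.32", 445),
    ("2017-06-27T10:30:04", "10.10.5.21", "10.10.5.33", 445),
    ("2017-06-27T10:30:05", "10.10.5.21", "10.10.5.34", 445),
    ("2017-06-27T10:30:06", "10.10.5.21", "10.10.5.35", 445),
    ("2017-06-27T10:31:10", "10.10.5.40", "10.20.1.5", 445),
    ("2017-06-27T10:45:00", "10.10.5.40", "10.20.1.6", 445),
]


def find_fanout(flows, port=445, threshold=5, window_seconds=60):
    """Return {src: set_of_dsts} for every source that reaches at least
    `threshold` distinct hosts on `port` inside some `window_seconds` span.
    A sliding window over time-sorted connections keeps slow, legitimate
    SMB use below the threshold while a worm-style burst crosses it."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    alerts = {}
    for src, conns in by_src.items():
        conns.sort()
        start = 0
        for end in range(len(conns)):
            # Advance the window start until the span fits in window_seconds.
            while conns[end][0] - conns[start][0] > window:
                start += 1
            targets = {d for _, d in conns[start:end + 1]}
            if len(targets) >= threshold:
                alerts[src] = targets  # keep the largest qualifying window
    return alerts


if __name__ == "__main__":
    for src, targets in find_fanout(FLOWS).items():
        print(f"{src} reached {len(targets)} hosts on 445: {sorted(targets)}")
```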

NotPetya's use of legitimate administrative tools for propagation not only enhanced
its effectiveness but also complicated detection. By masquerading as routine
administrative activity, the malware blended into normal network operations, making it
challenging for intrusion detection systems (IDS) to identify malicious behaviour. Additionally,
it used process injection, a “camouflage technique used by malware” to run its code in
the context of legitimate processes, further obscuring its presence and evading
traditional security measures.
Moreover, NotPetya employed polymorphism, a technique that “mutates its features to
evade detection from traditional security solutions” (BlackBerry), making it harder for
signature-based detection systems to identify it as a threat. The combination of these
evasion strategies and exploitation techniques rendered traditional network defenses
largely ineffective against the malware.

Capabilities
The destruction of targeted systems was NotPetya's main objective, accomplished by
overwriting the Master Boot Record (MBR). This rendered systems unusable and made
recovery extremely difficult. In contrast to conventional ransomware, which usually aims
to extract a ransom, NotPetya was primarily meant to cause destruction. The malware
“appears it was designed as a wiper pretending to be ransomware,” as reported by the BBC,
indicating that its goal was irrevocable harm rather than extortion.
NotPetya not only disrupted the system but also encrypted important data, including
files and the Master File Table (MFT). By rendering computers unusable, this encryption
effectively prevented users from accessing their data or conducting business. The
combined strategy of encryption and destruction greatly increased the impact on
affected firms because restoring data became extremely difficult.
NotPetya further interfered with regular operations by manipulating system
processes. By altering essential processes, the infection caused major data loss and
operational paralysis within enterprises. These changes made systems unstable and
unpredictable, resulting in widespread business continuity failures. In the BBC article,
Symantec pointed out that this manipulation made the environment chaotic and recovery
efforts more challenging.

NotPetya propagated swiftly over networks, but it was not particularly stealthy. It
frequently spread before detection systems could adequately react. The malware
prioritized short-term damage over long-term evasion, concentrating on quickly taking
over compromised networks. According to Wired, “The code the hackers pushed was
honed to spread automatically, rapidly, and indiscriminately.” This aggressive design
enabled its broad impact and made it difficult for organizations to fend off the assault.

Payload and Impact
NotPetya served as a wiper intended for widespread devastation rather than a tool
for collecting ransom. Numerous sectors were affected, including banking,
healthcare, and shipping. Maersk, a major global shipping company, for example, reported
major difficulties and ceased operations for many days. CISA stated that “this NotPetya
malware campaign has infected organizations in several sectors, including finance,
transportation, energy, commercial facilities, and healthcare.”
Because of NotPetya's destructive capabilities, corporate networks and vital infrastructure
suffered extensive damage. Since most victims' recovery mechanisms were effectively
destroyed by the infection, many companies risked permanent data loss. According to The
Wall Street Journal, Princeton Community Hospital had to “scrap and replace its entire
computer network after being struck by the cyberattack paralyzing computers globally.”

NotPetya is distinct from other malware families because of its destructive intent. Compared
with more conventional ransomware such as WannaCry (Kaspersky), it was more damaging
because its main objective was not financial gain; rather, it sought to cause extensive
disruption. Furthermore, NotPetya caused indiscriminate havoc, unlike strategic tools
such as Stuxnet (Wired), which targeted specific systems for tactical gain.
According to Zimba, the event “signifies the major turning point of the paradigm shift
towards attacking businesses and organizations on a large scale.”

Preventative Measures
The spread of NotPetya within enterprises might have been considerably curbed
by effective network segmentation. By isolating vital systems, organizations could have
stopped the malware from spreading laterally across their networks. Wired
emphasizes that “insufficient network segmentation … in particular, could allow malware
with access to one part of the network to spread wildly beyond its initial foothold”, which
underscores how crucial it is to isolate critical networks to guard against broad
compromise.
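To make the segmentation argument concrete, the following added example (not from the report or from Wired) models a zoned network with an allow-list for TCP/445 and evaluates which of an infected workstation's connection attempts the policy would have blocked; the subnets, hosts and policy are hypothetical.

```python
import ipaddress

# Constructed zone layout: user workstations, servers, and an admin jump subnet.
ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/16"),
    "admin_jump": ipaddress.ip_network("10.30.0.0/24"),
}
# (src_zone, dst_zone, port) tuples that are permitted; any other SMB flow is denied.
# Workstation-to-workstation SMB, the path a worm needs, is deliberately absent.
ALLOW = {
    ("workstations", "servers", 445),   # users reach file servers
    ("admin_jump", "servers", 445),     # admins manage servers
    ("admin_jump", "workstations", 445),  # admins manage workstations
}


def zone_of(ip):
    """Map an address to its zone name, or 'unknown' if it is in no zone."""
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")


def permitted(src, dst, port):
    """Only SMB (445) is policed here; other ports are out of scope for this check."""
    if port != 445:
        return True
    return (zone_of(src), zone_of(dst), port) in ALLOW


def evaluate(attempts):
    """Split (src, dst, port) attempts into the allowed and blocked lists."""
    allowed, blocked = [], []
    for attempt in attempts:
        (allowed if permitted(*attempt) else blocked).append(attempt)
    return allowed, blocked


# Constructed attempts from an infected workstation (10.10.5.21) and a jump host.
ATTEMPTS = [
    ("10.10.5.21", "10.10.5.30", 445),  # workstation -> workstation (worm spread)
    ("10.10.5.21", "10.10.5.31", 445),
    ("10.10.5.21", "10.20.1.5", 445),   # workstation -> file server (still allowed)
    ("10.10.5.21", "10.30.0.10", 445),  # workstation -> jump host
    ("10.30.0.10", "10.20.1.5", 445),   # jump host -> server (legitimate admin use)
]

if __name__ == "__main__":
    allowed, blocked = evaluate(ATTEMPTS)
    print("allowed:", allowed)
    print("blocked:", blocked)
```

Note that the policy still lets the infected workstation reach the file server, so segmentation limits the blast radius rather than eliminating it; protecting the server tier then depends on patching and credential hygiene.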

Regular patch management is crucial for reducing exposure to vulnerabilities such as
EternalBlue. Keeping systems updated with security fixes would have greatly decreased the
chance of exploitation. Ensuring “you have fully patched your systems” is first on CISA's
list of recommended prevention steps, highlighting the ability of timely updates to avert
initial infections.

Deploying advanced Intrusion Detection Systems (IDS) might have made it easier to
identify unusual network activity linked to NotPetya early on. These systems are designed
to recognize unusual patterns that can point to a security breach, and their deployment
might have enabled faster responses to the malware's spread.

Reducing overall cybersecurity risk requires educating staff about the dangers of
phishing and social engineering. Proper training can prevent initial malware penetration,
especially where compromised software updates are concerned. According to CISA,
"education and the need for awareness among Internet users regarding the recent
ransomware threats are absolutely important." Establishing a security-aware culture helps
firms better fend off attacker strategies.

Lessons Learned
The NotPetya event brought to light how vital vulnerability management and
patching are to defending systems against zero-day vulnerabilities. Keeping software up to
date is crucial to reducing the dangers posed by known vulnerabilities. This incident makes
clear that timely patching is an essential component of cybersecurity, not merely a best
practice.

The attack also demonstrated how urgently nations must work together to protect
vital infrastructure against state-sponsored cyberattacks. Because cyberattacks are
worldwide in scope, international cooperation is essential for exchanging intelligence and
creating cohesive defenses.

Ultimately, the event served as further evidence of how important disaster recovery
plans and resilience are to businesses. Companies need to be ready to respond appropriately
to a cyber event and resume operations quickly. This event demonstrates the importance of
planning to preserve operational continuity in the face of cyberattacks.

Broader Implications and Conclusion
The NotPetya catastrophe sparked a global emphasis on cyber protection policies
and techniques. Governments and companies realized they needed strong cybersecurity
frameworks to guard against sophisticated threats. The attack also highlighted the
moral dilemmas that arise when cyber tools are used for military or political objectives,
raising serious ethical concerns about collateral damage to civilian infrastructure during
cyberwarfare.

NotPetya brought to light the vulnerabilities in vital infrastructure that combines
physical and cyber components. Given the increased targeting of these interconnected
systems, the incident spurred concerns about the security of industrial control systems
(ICS) and the Internet of Things.

NotPetya's long-term effects will change how businesses handle cyber resilience
and network security. The incident led to stronger international collaboration in cyber
defense and sparked advancements in malware detection and response systems.
According to CISA, "the lessons learned from NotPetya will shape future cybersecurity
strategies, fostering a more resilient global infrastructure." This demonstrates the attack's
long-lasting impact on the cybersecurity environment.
References
Greenberg, A. (2018, August 22). The untold story of NotPetya, the most devastating cyberattack in history. Wired. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

Microsoft. (2017). Microsoft Security Bulletin MS17-010 - Critical. https://learn.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010

Worldwide cyberattack. (2017, May 20). New Scientist, 234(3126), 4. https://doi.org/10.1016/S0262-4079(17)30943-0

Microsoft. (2023). SMB Direct in Windows Server. https://learn.microsoft.com/en-us/windows-server/storage/file-server/smb-direct?tabs=disable

Microsoft. (2023). PsExec - Windows Sysinternals. https://learn.microsoft.com/en-us/sysinternals/downloads/psexec

Microsoft. (2009). WMIC - Take command-line control over WMI. https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-2000-server/bb742610(v=technet.10)

Thomson, I. (2017, June 28). Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide. The Register. https://www.theregister.com/2017/06/28/petya_notpetya_ransomware/

Angelystor. (2020, June 24). Process injection techniques used by malware. CSG GovTech, Medium. https://medium.com/csg-govtech/process-injection-techniques-used-by-malware-1a34c078612c

BlackBerry. (n.d.). Polymorphic malware: Understanding the threats. https://www.blackberry.com/us/en/solutions/endpoint-security/ransomware-protection/polymorphic-malware

Cyber-attack was about data and not money, say experts. (2017, June 29). BBC News. https://www.bbc.com/news/technology-40442578

Cybersecurity and Infrastructure Security Agency. (2018, February 15). Petya ransomware. CISA. https://www.cisa.gov/news-events/alerts/2017/07/01/petya-ransomware

Kaspersky. (n.d.). What is WannaCry ransomware? https://www.kaspersky.com/resource-center/threats/ransomware-wannacry

Zetter, K. (2014, November 3). An unprecedented look at Stuxnet, the world's first digital weapon. Wired. https://www.wired.com/2014/11/countdown-to-zero-day-stuxnet/

Zimba, A., & Chishimba, M. (2019). Understanding the evolution of ransomware: Paradigm shifts in attack structures. International Journal of Computer Network and Information Security, 11, 26-39. https://doi.org/10.5815/ijcnis.2019.01.03

Lika, R. A., Murugiah, D., Brohi, S. N., & Ramasamy, D. (2018). NotPetya: Cyber attack prevention through awareness via gamification. 2018 International Conference on Smart Computing and Electronic Enterprise (ICSCEE), Shah Alam, Malaysia, pp. 1-6. https://doi.org/10.1109/ICSCEE.2018.8538431
