What Have We Learned from NotPetya Six Years On?

June 2023 marked the sixth anniversary of NotPetya, one of the most devastating cyber-attacks in history.

This wiper attack, deployed in 2017, has changed how organizations deal with cybersecurity, placing digital threats front and center on their risk management playbook.

In a blog post reflecting on the legacy of the attack, Tom Gol, CTO for research at Armis, also argued that NotPetya has had a transformative effect on cyber warfare: “It demonstrated the potential for highly destructive malware to cause widespread economic and operational disruptions, posing significant risks to national security and global stability.”

On 27 June 2017, a major global cyber-attack struck banks, airports and energy companies in Ukraine – which, as the most impacted country, was likely the intended target – as well as in Russia and parts of Europe.

Security experts who analysed the attack determined its behaviour was consistent with a form of ransomware called Petya.

However, the malware showed many differences in its operations compared to earlier Petya variants.

On the one hand, the new malware used EternalBlue, an exploit developed by the US National Security Agency (NSA) and later leaked by a hacker group known as the Shadow Brokers. Attackers capitalized on this exposure by incorporating the exploit into a new variant of WannaCry ransomware, which allowed it to spread itself across systems.

On the other hand, the threat actor behind the attack didn’t offer the chance of decrypting the data they encrypted, meaning it acted as a data wiper rather than ransomware.

Therefore, cybersecurity firm Kaspersky quickly dubbed this variant ‘NotPetya.’ 

In February 2018, the US government called NotPetya “the most destructive and costly cyber-attack in history.”

Today, the NotPetya attack has impacted over 2300 organizations in over 100 countries, with estimated total losses between $10bn and $11bn.

Moreover, because the malware has self-propagating capabilities, organizations keep getting infected today. According to Armis, while the number of computers still vulnerable to EternalBlue today is extremely low, around 74% of organizations today still have at least one vulnerable device in their network.

Armis also detected between a few hundreds and a few thousands exploit attempts of EternalBlue every day. “That’s why patching this vulnerability continues to be relevant,” Gol insisted.

Additionally, little is still known about the threat actor behind NotPetya. The US Department of State announced a $10m reward in 2022 for any helpful information to help identify them.

According to Tom Hegel, a senior threat researcher at SentinelOne’s SentinalLabs, NotPetya’s global and long-lasting impact was probably unsolicited by its perpetrators and taught a lesson to more recent wiper groups that have emerged in the wake of the war in Ukraine.

“By exploiting a zero-day vulnerability, NotPetya gained a lot of unwanted attention. Many groups with the same capabilities are not ready to take that step unless things take drastic turns,” Hegel told Infosecurity.

Many of them are, however, ready to use the ‘ransomware in disguise’ approach that the NotPeya criminals initiated, Gol added: “NotPetya blurred the lines between traditional ransomware and state-sponsored cyber operations, as its primary goal was not financial gain but the disruption of critical infrastructure and data destruction.”

The attack also sparked a new debate on the applicability of cyber insurance, with insurers Zurich and Ace initially denying covering their clients’ losses to the attack, respectively Mondelez and Merck, based on a war exclusion clause.

Zurich and Mondelez settled in November 2022, but the Ace v Merck lawsuit remains ongoing.

The legacy of NotPetya offers crucial security lessons that resonate with us today, Gol insisted.

“Foremost among them is the significance of effective vulnerability management, [as] proactive mitigation of known vulnerabilities can significantly reduce the risk of falling victim to similar devastating attacks,” he said.

Another one is “the power of asset visibility, [as] maintaining an up-to-date inventory of networked systems enables organizations to identify potential weak points and take proactive measures to strengthen their defences,” he added.

The third and last one, network segmentation, will not help prevent an attack like NotPetya. However, it “plays a vital role in containing the impact of cyber-attacks. By dividing networks into isolated segments, organizations can limit the lateral movement of malware and prevent the widespread damage associated with attacks like NotPetya,” Gol concluded.

ADVERTISEMENT

Enjoyed this article? Make sure to share it!

Looking for something else?