Cyber experts believe more behind Petya attack than just ransomware
TAMPA BAY, FL, June 28, 2017 - After a full 24 hours of monitoring the latest global ransomware outbreak, KnowBe4’s CEO warns IT pros that the new strain appears to be open cyber warfare, targeted at Ukraine, with its spread beyond those borders being “collateral damage”. According to reports by security experts, the attack was spread through a software update to Ukrainian accounting company Intellekt Servis' product. Their June 22 update was pushed out and looks to have contained sleeper code that kicked in one day before Ukraine's Constitution Day. Ukraine’s national police warned this was only one vector of the attack, and Russian security firm Group-IB says it saw companies infected through malicious email attachments.
KnowBe4 CEO Stu Sjouwerman stated, “This has been brewing under the surface for a few years, but now we are dealing with open cyber warfare here. Like it or not, as an IT Pro, you have just found yourself on the frontline of 21st-century war.” Sjouwerman noted, “The Ukraine is locked in a bitter proxy fight with Russia since the annexation of the Crimean peninsula and the separatist war in eastern Ukraine. Russia's GRU, the foreign military intelligence agency of the General Staff of the Armed Forces of the Russian Federation, is likely behind this.”
Nicholas Weaver, a security researcher at the International Computer Science Institute and lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain, stating, “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware.”
Craig Williams, security outreach manager with Cisco Systems, said: “I think not only is it out there trying to make a profit, but it’s also making a very clear political statement: it’s intentionally trying to damage businesses that interact with the Ukrainian tax system.”
Russian security firm Group-IB reports that Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.
The official full name of the GRU is Main Intelligence Agency of the General Staff of the Russian Armed Forces. The GRU is Russia's largest foreign intelligence agency. In 1997 it deployed six times as many agents in foreign countries as the SVR, the successor of the KGB's foreign operations directorate. It also commanded 25,000 Spetsnaz troops in 1997. Source: Wikipedia
The GRU has its own cyber armies and works together with sophisticated hacker groups like APT28, which also goes by Fancy Bear. These are typically the guys behind attacks like this; however, this particular infection is a new low, because its main goal is destructive, masked as a ransomware attack.
In a recent blog post, Sjouwerman noted reports by WSJ that Vladimir Putin recently approved of Patriotic Russian Hackers. “This is what you get when you unleash those hounds: a lot of collateral damage, even including Russia's own major oil company Rosneft, ironically owned for a good chunk by Putin himself,” said Sjouwerman.
Sjouwerman advises quick measures to combat the fallout and stay safe:
1. Make sure you have weapons-grade backups.
2. Patch religiously.
3. Step users through new-school security awareness training.
For more information on KnowBe4, visit www.knowbe4.com
KnowBe4, the provider of the world’s most popular integrated new-school security awareness training and simulated phishing platform, is used by more than 10,000 organizations worldwide. Founded by data and IT security expert Stu Sjouwerman, KnowBe4 helps organizations address the human element of security by raising awareness of ransomware, CEO fraud and other social engineering tactics through a new-school approach to security awareness training. Kevin Mitnick, internationally recognized computer security expert, is KnowBe4’s Chief Hacking Officer. Thousands of organizations trust KnowBe4 to mobilize their end-users as the last line of corporate IT defense.
Number 139 on the 2016 Inc 500 list, #50 on 2016 Deloitte’s Technology Fast 500 and #6 in Cybersecurity Ventures Cybersecurity 500. Follow Stu on Twitter at @StuAllard.