A few experts have said of the attack which affected everyone from multinational corporations to government organizations is supposed to be a ransomware in cover being used to get another malicious exploit known as a wiper working to affect great numbers of computers as well as destroy data in dozens of nations all over the world. The UK’s GCHQ intelligence agency had its National Cyber Security Center asking questions regarding the real aim of the attackers.
The team at the Centre has further alleged to have found evidence which has raised doubts over the initial findings that concluded Petya was primarily trying to collect ransoms. As far as Technical Director, Symantec, Vikram Thakur is concerned it was obvious from the beginning that there were hidden motives and, the financial one was simply not enough given the evidence that was collected at the start of the attack.
Thakur has reportedly said that many victims of the attack were based in Ukraine. He went on adding that the infection vector was in fact a software that was mainly used there, which has caused suspicion about the country’s connection. He said furthermore the payment method that involved one single bitcoin wallet, a single email and no command & control server along with encryption using extensions that mainly businesses use, MBR wiping and most importantly, the random key that was supposed to be used by the victim – it all has led to doubting that it was not money that was the main aim of this attack.
Other researchers have as well expressed their concern about the single email functioning. Posteo in fact shut down this mail which was being used to contact by hackers, which any professional hacker would have foreseen any way, meaning they would have made sure there were other ways of getting their ransom and releasing the data to the victims.Kaspersky Lab, which was one of the first cybersecurity firms to talk about the hidden and true nature of this attack stated on 28th June that Petya malware attack was indeed a wiper which was disguised as ransomware.
Its spokesperson Jessica Bettencourt released a statement by the firm emphasizing that their research had indicated ExPetr aka NotPetya aka Petya was written with simple data destruction as motive. The firm further added that the writers of Petya had carefully designed a malware for destruction and disguised it to be a ransomware. The statement further read that though parts of this malware may seem to function as building blocks, they can be mistaken for ransomware, but are basically for data destruction and not financial leverage.
Another expert Matthew Suiche who works at Comae Technologies has concluded the same stating that hackers and ransomware gradually are becoming the scapegoats of nation state attackers.
It is being suspected that there were nation-state(s) involved in this operation. In fact the attack was analyzed by NATO Cooperative Cyber Defense Centre of Excellence, which reached on a similar conclusion and wondered if Article 5 would be invoked, as this attack could be defined as severe as an armed one, which would have had military response. The center is accredited by NATO and gets financed by the member countries, however it does not speak for the alliance.
The Centre also called CCD COE further has confirmed that EternalBlue was used by these attackers that was initially stolen by Shadow Brokers from NSA. A researcher at CCD COE Bernhards Blumbergs further stated that NotPetya has been altered significantly to come up with a new type of threat. He further added that this was a more developed malware than the “sloppy WannaCry” and it could search for new systems to infect by digging deeper in the local computer networks instead of searching the entire net.
The researchers at the Centre have also concluded that the attack was too professional and sophisticated for unaffiliated hackers to orchestrate. It was extremely unlikely that the attack had any cybercriminals behind it given that the ransom collecting mechanism was not given any strong thoughts to, which basically meant whoever did it might not even be able to cover for the cost such an operation would have required.
On the other hand, Ukrainian Security Agency named SBU has claimed that Russia was behind the attack. The malware is said to have affected Ukraine greatly, taking down many businesses along with its international airport and Chernobyl nuclear plant before it started to spread to systems all over the globe. SBU stated that Petya was very similar to the Black Energy Attacks that aimed at the Ukranian power grid back in 2016. In fact, Kaspersky researchers also have noted how similar the extensions that were used in this attack to those that were used in Black Energy’s KillDisk wiper in both 2015 and 2016.
The firm could not ascertain if it was an exact link, but it collaborated with Palo Alto Networks and did come across some similarities in the code design. Some other researchers have also pointed out similarities in the functioning in the two attacks however, nothing is certain at this point.
Though many experts have called out North Korea to be behind the WannaCry ransomware as it has uncanny similarities to the Sony hack that happened in 2014. Kaspersky’s researchers have noted how the country has been isolated and put under strenuous limitations, which make these attacks their way of retribution.
All this has not still had any official statement from the U.S. officials who are yet to put any name out that was behind these attacks U.S. However, Department of Homeland Security had its U.S. Computer Emergency Readiness Team release an alert against Petya malware attack this month, where it malware was still called ransomware. The report further stated that Petya encrypts the files on infected system and produces a 128 bit key as well as a unique ID which have no correlation, meaning there would not be any way to decrypt these files even if the ransom gets paid.
Petya affected infrastructure and businesses alike to great extent. Shipping corporation A.P. Moeller-Maersk has stated that the company would be able to return to an almost normal working environment by July 3, however it also warned that restoring all its workstations and applications would certainly take longer. Maersk IT on the other hand shut down all its systems so that the attack could be contained. Merck & Co. has also confirmed how it was affected by the malware even after it had a security system along with patches in place.