Early optimism that the Petya (or NotPetya/PetyaWrap) cyberattack might be a mere copycat follow-up to May’s extraordinary WannaCry incident has evaporated – it now looks both were equally serious for slightly different reasons.
Let’s start with the clutch of large companies that have lined up in an unusually public way to speak of the damage caused by the June 27 attack.
British consumer products company Reckitt Benckiser suffered production disruption it estimated might equate to £110m ($135m) in lost revenue, while chocolate maker Mondelez put the damage at three percentage points from its second-quarter sale growth.
Other household names reportedly badly affected by Petya include advertising group WPP, FedEx, shipping giant Maersk, Nuance Communications and, possibly, Russian oil company Rosneft.
Until now, there has been a tendency to see cyberattacks such as data breaches hitting the bottom line because of customer management and reputational damage. Petya, as with WannaCry before it, underlines that disruption to supply chains is the new financial worry.
Then there is the lingering question of Petya’s ultimate purpose and why it has proved so damaging. Ten days on from the attack, we have no definitive answers but we do have more clues and plenty of informed speculation.
We’ve already published a detailed teardown of the malware plus an analysis of its worm-ransomware and disk-disabling behaviour, so we’ll focus on developments in the larger background story.
It is now fairly certain that when this outbreak started it spread by co-opting the update servers for an accountancy software package called MeDoc, little known outside its native Ukraine. Certainly, the authorities seem convinced, with local police raiding the company earlier this week.
Exactly how this happened is where the story gets murky. Cisco’s Talos unit was able to access logs on site to find that the attackers had accessed source code to insert a backdoor into updates on at least three occasions this year, which would have given them control of every machine the software was installed on.
Although widely referenced, genuine backdoors – something deliberately inserted into code for malicious reasons – are still a very rare find. For once, it looks like this is the real McCoy. Was the Ukrainian company a victim or simply incompetent for allowing such a thing happen? Take your pick.
Petya’s initial stealthy sophistication and destructiveness make it unlikely that it was, as it briefly appeared to be, a ransomware attack – not least because the encryption seemed to have been designed to glitch.
That didn’t stop the attackers eventually removing the few Bitcoin ransoms that were deposited by victims. Was this another ruse to make it looked like a cybercrime group was responsible?
Ominously, within a day of the attack, Jens Stoltenberg, NATO’s secretary-general, told reporters that such attacks could be considered an aggressive act that might trigger Article 5 of the North Atlantic treaty which enshrines the principle of mutual defence.
Exactly how the article might work with cyberattacks is still unclear. Ukraine isn’t a member of NATO, and that’s ignoring the thorny issue of how one attributes attacks or responds in kind.
Further revelations about Petya seem likely. As with WannaCry, it is turning out to be not only one of the most disruptive cyberattacks of all time but one of the strangest and most disconcerting.
Steve
It’s NATO (North Atlantic Treaty Organization), not “Nato”.
Paul Ducklin
Fixed, thanks.