Ukraine secret service announces joint investigation with Europol, FBI, and NCA to attribute the recent Notpetya massive attack.

While security experts are investigating real motivation behind the massive NotPetya attack, Ukrainian authorities called for support in the investigation from European and US intelligence and law enforcement agencies.

The country’s security service SBU announced the international co-operation Europol, the FBI, and England’s National Crime Agency to investigate the incident and identify offenders.

Ukraine is the country with the largest number of NotPetya infections, a large number of critical infrastructure was affected in the attack.

According to the analysis conducted by Kaspersky, more than 50% of businesses targeted by NotPetya are industrial companies.

The SBU considers the NotPetya attack an “act of cyberterrorism”, the joint investigation aims to attribute the attack to a specific threat actor.

“The SBU specialists in cooperation with the experts of FBI USA, NCA of Great Britain, Europol and also leading cyber security institutions, conduct coordinated joint events on localization of damaging software PetyaA distribution, final definition of methods of this act of cyberterrorism, establishing of the attack sources, its executors, organizers and paymasters.” states the announcement from the SBU. “Currently the mechanisms of virus program distribution, its activation and operation algorithms are already identified. At the same time the work on the search of possibilities for data decoding and groundwork of guidelines for prevention of virus distribution, neutralization of other negative consequences of this emergency is in process.”

The analysis conducted by many security firms suggest that Ukraine was a possible target of the attack.

According to experts from Cisco Talos Intelligence and Microsoft, the infection started in Ukraine, where local firm named MeDoc was targeted by attackers.  Researchers believe that hackers infected software update to a Ukrainian tax accounting system called MeDoc, but MeDoc denies the allegations.

“At the time of updating the program, the system could not be infected with the virus directly from the update file,” translated version of MeDoc post reads. “We can argue that users of the MEDoc system can not infect their PC with viruses at the time of updating the program.”

However, several security researchers and even Microsoft agreed with Talo’s finding, saying MeDoc was breached and the virus was spread via updates.

“Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this vector.  Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. ” states Microsoft.

Let me close with interesting hints from the investigation conducted by F-Secure:

“How does it compare to WannaCry (which also used these exploits)?

WannaCry clearly picked these exploits up after the Shadow Brokers dumped them into the public domain in April. Also, WannaCry didn’t do the best job at implementing these exploits correctly.

By comparison, this “Petya” looks well-implemented, and seems to have seen plenty of testing. It’s fully-baked.”

“But are you still skeptical about this malware being “nation state”?”

“Less and less so. We don’t think any current attribution is rock solid (attribution never really is). We feel this is definitely worth deeper investigation. And more pizza.

We’ve changed our minds on some of our earlier conclusions. Please note this if you’re reading any previous F-Secure analysis. And, of course, this is subject to further revision, as new facts come to light.

But the great mystery behind the attack is why the author of the malware failed to add proper decryption functionality to the MBR lock screen. It is not clear if it is an intentional choice or a clamorous mistake.

How to stop Petya?

When a computer is infected with Petya it will automatically attempt to reboot in order to encrypt the hard drive’s Master Boot Record. To block the malware it is necessary to halt the reboot and keep the PC running. Another way to immunize the machine consists of creating a read-only file “perfc” and placing it inside the Windows directory.

“If you’re lucky, Petya worm might see that file and will not encrypt your machine, BUT, it will continue to spread to other machines on the same network.” reads the analysis published PureVPN.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(Security Affairs – NotPetya, SBU)

[adrotate banner=”5″]

[adrotate banner=”13″]