
Type of attack or intrusion: NotPetya¹ is a variety of malware² known as a worm. Worms operate by infiltrating and multiplying across computer networks and then pulling compromised devices offline, often by encrypting their contents (Rhysider). The adversary deploying the worm can require those affected to pay a ransom to regain access to their devices (“ransomware”) or leave the devices unusable. NotPetya was named because of its similarity to the ransomware Petya. However, unlike Petya, NotPetya appears to have been purely destructive; individuals who paid the ransom specified on affected computers’ screens did not regain access (Greenberg).

NotPetya utilizes two hacking tools: Mimikatz and EternalBlue. Mimikatz is an exploit that extracts username and password information from the Windows program LSASS.exe (Rhysider), and the vulnerability it exploits cannot be permanently patched. EternalBlue is a zero-day exploit, also affecting Windows operating systems, which was leaked by “The Shadow Brokers” hacking group. While Microsoft patched that vulnerability prior to NotPetya’s release, many computers had not installed the update that included that patch (Rhysider). Finally, NotPetya was disseminated through the updates server of M.E.Doc, accounting software commonly used by individuals and businesses resident or operating in Ukraine (Rhysider).

Result: NotPetya’s release damaged an unprecedented number of computer systems, both in Ukraine and elsewhere. One senior Ukrainian government official estimated NotPetya rendered ten percent of all computers in the country inoperable, including computers in almost every agency within the Ukrainian government and over 300 businesses (Greenberg). NotPetya also affected many companies headquartered outside of Ukraine including FedEx, Merck, and the Russian state oil company Rosneft (Rhysider). However, the foreign company that likely sustained the most damage from NotPetya was Danish shipping giant Maersk, which controls almost one fifth of the world’s shipping capacity (Greenberg). Exposed to the worm by the one computer in its Odessa office running M.E.Doc, every one of Maersk’s operating computers running Windows at the time of NotPetya’s release was rendered inoperable (Rhysider).

¹ The name of the worm used in the assignment information was “Not Petya.” However, I decided to use the spelling that I found in much of the research material: “NotPetya.”

² As defined by Cisco, “malware” is “intrusive software that is designed to damage and destroy computers and computer systems.”

Attribution and Type of Actor: The first party that publicly attributed NotPetya to a specific actor was likely the Slovakian cybersecurity company ESET. After examining a copy of NotPetya, ESET indicated that it was the work of Sandworm, a hacking group responsible for dozens of attacks on public and private computer networks in Ukraine in the years prior to NotPetya’s release (Greenberg). In February 2018 the White House released a short statement indicating that NotPetya had been launched by the Russian military (“Statement from the Press Secretary”), an assessment which was subsequently repeated by other members of the Five Eyes intelligence group. Finally, in October 2020, the FBI implicated four named hackers who were members of Unit 74455 of the GRU (Russia’s military intelligence apparatus) for their involvement in the development of NotPetya (“Six Russian GRU Officers”). Considering that evidence, it appears that NotPetya was developed and disseminated by Russia, a state actor.

Purpose of the Attack: By targeting accounting software used to conduct business in Ukraine, the purpose of NotPetya appears to have been to take down as many computer networks (both private and public) in the country as possible, while limiting the damage to networks outside of it (Rhysider). “Punishing” foreign companies conducting business in Ukraine may also have been a goal. However, if that is the case, those responsible for developing and disseminating the worm clearly failed to appreciate the extent of the economic ties between Russia and Ukraine.

Impacts: NotPetya is estimated to have caused ten billion dollars in damage globally (Rhysider), which includes almost one billion dollars in losses to three U.S. companies alone (“Six Russian GRU Officers”). Maersk’s computer systems required nine days of round-the-clock work, completed by over 600 individuals, to return to operation. This cost an estimated 350 million dollars (Rhysider). NotPetya also affected critical infrastructure; the Pennsylvania-based Heritage Valley healthcare system lost access to its mission-critical computer systems for one week and its administrative systems for one month because of the worm (“Six Russian GRU Officers”), while in Ukraine NotPetya shut down the computers used at the site of the former Chernobyl nuclear reactor (Greenberg).

Response: In March 2018 the U.S. Treasury Department sanctioned five entities and 19 individuals for their involvement in election interference and malicious cyberattacks; one of the attacks listed was NotPetya (“Treasury Sanctions Russian Cyber Actors”). The FBI also indicted four members of the Russian military for their involvement in developing NotPetya (“Six Russian GRU Officers”), though Russia is unlikely to permit their extradition and trial. No additional responses to the attack appear to have been covered in media.

Lessons Learned: NotPetya reinforced several lessons from previous cybersecurity incidents. These include the importance of promptly patching vulnerabilities in a network and limiting permissions within a network to the greatest extent possible. It also demonstrated the impossibility of securing networks from hacking tools developed by nation-states, and therefore the importance of maintaining secure backups of key network data (Perez). This bifurcated strategy (do everything possible to secure the network and plan for eventual failure) is likely the most significant lesson learned.

Citations

Greenberg, Andy. “The Untold Story of NotPetya, the Most Devastating Cyberattack in History.” Wired, August 22, 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

Perez, Roi. “NotPetya Ransomware: Lessons Learned.” Infosecurity Magazine, October 20, 2017. https://www.infosecurity-magazine.com/magazine-features/notpetya-ransomware-lessons-learned/.

Rhysider, Jack. “EP 54: NotPetya.” Darknet Diaries, December 24, 2019. https://darknetdiaries.com/transcript/54/. Podcast Transcript.

“Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace.” The United States Department of Justice, October 19, 2020. Federal Bureau of Investigation. https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.

“Statement from the Press Secretary.” The Trump White House Archives, February 15, 2018. The White House. https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/.

“Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks.” U.S. Department of the Treasury, March 15, 2018. https://home.treasury.gov/news/press-releases/sm0312.

“What Is Malware.” Cisco. Accessed October 2, 2022. https://www.cisco.com/c/en/us/products/security/advanced-malware-protection/what-is-malware.html.
