Short Paper Draft #2
Worms operate by infiltrating and multiplying across computer networks and then pulling compromised devices offline, often by encrypting their contents (Rhysider). The adversary deploying the worm can require those affected to pay a ransom to regain access to their devices ("ransomware") or leave the devices unusable. NotPetya was named because of its similarity to the ransomware Petya. However, unlike Petya, NotPetya appears to have been purely destructive; individuals who paid the ransom specified on affected computers' screens did not regain access (Greenberg).
NotPetya utilizes two hacking tools: Mimikatz and EternalBlue. Mimikatz is an exploit that extracts username and password information from the Windows program LSASS.exe (Rhysider), and the vulnerability it exploits cannot be permanently patched. EternalBlue is a zero-day exploit, also affecting Windows operating systems, which was leaked by "The Shadow Brokers" hacking group. While Microsoft patched that vulnerability prior to NotPetya's release, many computers had not installed the update that included that patch (Rhysider). Finally, NotPetya was disseminated through the update server of M.E.Doc, accounting software commonly used in Ukraine and elsewhere. One senior Ukrainian government official estimated that NotPetya rendered ten percent of all computers in the country inoperable, including computers in almost every agency within the Ukrainian government and over 300 businesses (Greenberg). NotPetya also affected many companies headquartered outside of Ukraine, including FedEx, Merck, and the Russian state oil company Rosneft (Rhysider). However, the foreign company that likely sustained the most damage from NotPetya was the Danish shipping giant Maersk, which controls almost one fifth of the world's shipping capacity (Greenberg). Exposed to the worm by the one computer in its Odessa office running M.E.Doc, every one of Maersk's operating computers running Windows at the time of NotPetya's release was rendered inoperable (Rhysider).

[1] The name of the worm used in the assignment information was "Not Petya." However, I decided to use the spelling that I found in much of the research material: "NotPetya."

[2] As defined by Cisco, "malware" is "intrusive software that is designed to damage and destroy computers and computer systems."
Attribution and Type of Actor: The first party that publicly attributed NotPetya to a specific actor was likely the Slovakian cybersecurity company ESET. After examining a copy of NotPetya, ESET indicated that it was the work of Sandworm, a hacking group responsible for dozens of attacks on public and private computer networks in Ukraine in the years prior to NotPetya's release (Greenberg). In February 2018 the White House released a short statement indicating that NotPetya had been launched by the Russian military ("Statement from the Press Secretary"), an assessment that was subsequently repeated by other members of the Five Eyes intelligence group. Finally, in October 2020, the FBI implicated four named hackers who were members of Unit 74455 of the GRU (Russia's military intelligence apparatus) for their involvement in the development of NotPetya ("Six Russian GRU Officers"). Considering that evidence, it appears that NotPetya was developed and disseminated by Russia, a state actor.
Purpose of the Attack: By targeting accounting software used to conduct business in Ukraine, NotPetya appears to have been intended to take down as many computer networks (both private and public) in the country as possible, while limiting the damage to networks outside of it (Rhysider). "Punishing" foreign companies conducting business in Ukraine may also have been a goal. However, if that is the case, those responsible for developing and disseminating the worm clearly failed to appreciate the extent of the economic ties between Russia and Ukraine.
Impacts: NotPetya is estimated to have caused ten billion dollars in damage globally (Rhysider), which includes almost one billion dollars in losses to three U.S. companies alone ("Six Russian GRU Officers"). Maersk's computer systems required nine days of round-the-clock work, completed by over 600 individuals, to return to operation. This cost an estimated 350 million dollars
Valley healthcare system lost access to its mission-critical computer systems for one week and its administrative systems for one month because of the worm ("Six Russian GRU Officers"), while in Ukraine NotPetya shut down the computers used at the site of the former Chernobyl
Response: In March 2018 the U.S. Treasury Department sanctioned five entities and 19 individuals for their involvement in election interference and malicious cyberattacks; one of the attacks listed was NotPetya ("Treasury Sanctions Russian Cyber Actors"). The FBI also indicted four members of the Russian military for their involvement in developing NotPetya ("Six Russian GRU Officers"), though Russia is unlikely to permit their extradition and trial. No
Lessons Learned: NotPetya reinforced several lessons from previous cybersecurity incidents. These include the importance of promptly patching vulnerabilities in a network and limiting permissions within a network to the greatest extent possible. It also demonstrated the impossibility of securing networks from hacking tools developed by nation-states, and therefore the importance of maintaining secure backups of key network data (Perez). This bifurcated strategy (do everything possible to secure the network and plan for eventual failure) is likely the
Citations

Greenberg, Andy. "The Untold Story of NotPetya, the Most Devastating Cyberattack in History." Wired, August 22, 2018. https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.

Perez, Roi. "NotPetya Ransomware: Lessons Learned." Infosecurity Magazine, October 20, 2017. https://www.infosecurity-magazine.com/magazine-features/notpetya-ransomware-lessons-learned/.

Rhysider, Jack. "EP 54: NotPetya." Darknet Diaries, December 24, 2019. Podcast transcript. https://darknetdiaries.com/transcript/54/.

"Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace." The United States Department of Justice, Federal Bureau of Investigation, October 19, 2020. https://www.justice.gov/opa/pr/six-russian-gru-officers-charged-connection-worldwide-deployment-destructive-malware-and.

"Statement from the Press Secretary." The White House, February 15, 2018. Trump White House Archives. https://trumpwhitehouse.archives.gov/briefings-statements/statement-press-secretary-25/.

"Treasury Sanctions Russian Cyber Actors for Interference with the 2016 U.S. Elections and Malicious Cyber-Attacks." U.S. Department of the Treasury, March 15, 2018. https://home.treasury.gov/news/press-releases/sm0312.