PETYA – Darwinism applied to cyberspace

Jun 27, 2017

I WannaCry all over again

On the morning of June 27th, reports began surfacing of widespread attacks against Ukrainian critical infrastructure sectors that included aviation, banking, and electricity.  An unknown malware had begun affecting IT systems in these sectors. Business systems were made unavailable and normal processes stopped.  Fortunately, no operational technology, the technology that runs the energy grid, was reported to be affected.

Affected systems were widespread. They included Ukrenergo, the country’s electric transmission company, and Kyivenergo, the distribution company serving the Kiev region. While Ukrenergo reported no outages, Kyivenergo was forced to shut down all administrative systems, awaiting permission from the Ukraine’s Security Service (SBU) before restarting.

Other victims in Ukraine and internationally included:

  • The Ukrainian government, including parliament and cabinet
  • Ukraine’s largest bank, Oschadbank
  • Kiev’s Borysopil Airport, affecting departure boards and scheduling systems
  • The Ukrainian state postal service
  • Kiev’s metro system
  • Television stations
  • Rosneft, a Russian government-owned oil firm
  • Steel maker Evraz
  • Three Ukrainian telecom companies, Kyivstar, LifeCell and Ukrtelecom.
  • Danish shipping company Maersk reported that systems in the UK and Ireland were affected.

The attack occurred, probably not by chance, only hours after the car-bomb murder of Col. Maxim Shapoval of Ukraine’s Chief Directorate of Intelligence and a day before Ukraine’s Constitution Day.

The name game

The offending malware was soon identified as PETYA, PETRYA, or PETwrap, depending upon the source. PETYA reportedly utilized the NSA’s leaked EternalBlue exploit for the same Windows SMBv1 vulnerability as WannaCry. Unlike typical ransomware, PETYA does not initially encrypt individual files; it replaces the master boot record (MBR), leaving the entire system unusable. Should the MBR not be available, it then falls back to encrypting individual files.
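Because the malware described above replaces the boot sector rather than individual files, one defensive check is to compare a host's current MBR against a trusted baseline captured earlier. The following is an added example, not code from the article; the 512-byte sectors it checks are constructed inline rather than captured from a real system.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS(3) type(1) CHS(3) LBA start(4) sector count(4)
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # skip empty entries
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }

def mbr_findings(current: bytes, baseline: bytes) -> list:
    """Report how the current MBR differs from a trusted baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings

def _make_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Build a constructed sample sector for demonstration."""
    code = boot_code.ljust(446, b"\x00")[:446]
    table = b"".join(struct.pack("<B3xB3xII", *p) for p in partitions)
    return code + table.ljust(64, b"\x00") + BOOT_SIGNATURE

# Constructed samples: a clean baseline, a sector whose boot code was
# swapped out but whose partition table and signature were kept, and a
# sector that was wiped entirely.
BASELINE_MBR = _make_mbr(b"\xEB\x3C\x90\x33\xC0\x8E\xD0", [(0x80, 0x07, 2048, 1048576)])
TAMPERED_MBR = _make_mbr(b"\xEB\x3C\x90\xFA\x31\xC0", [(0x80, 0x07, 2048, 1048576)])
ZEROED_MBR = bytes(SECTOR_SIZE)
```

Run `mbr_findings(TAMPERED_MBR, BASELINE_MBR)` to see that a replaced boot loader is flagged even when the partition table and signature are left intact.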

What part didn’t you get about ‘patch now?’

Perhaps the most valuable lesson we can learn from this attack is that Charles Darwin was right. It’s survival of the fittest, and right along with the fittest go the smartest. Unless this new threat turns out to use some completely new attack vector, victims of PETYA have no excuse. The SMB vulnerability in question had been patched by Microsoft prior to WannaCry’s May outbreak. During the WannaCry outbreak, Microsoft provided additional patches for legacy operating systems no longer covered by normal updates, like Windows XP and Server 2003. Even with these extraordinary measures to provide users with the protection they needed, some failed to update and/or patch.

Those who failed to take action and install patches handed to them on a silver platter are now victims of PETYA, and themselves sources of the new infection to others.  Akin to a neighbor with a garage full of dynamite, this is the kind of negligence that endangers the entire cyber neighborhood.

ISACs to the rescue

Information Sharing and Analysis Centers (ISACs) in the U.S. were able to get ahead of the infection thanks to early warning and quick action. The Downstream Natural Gas and Electric ISACs combined forces to collect, analyze, and alert their sector members, providing early indicators and even links to algorithms that had earlier been used successfully to decrypt the PETYA ransomware. Having just recently experienced the WannaCry worm, their members were patched and defended. There were no reports of infection in the electric or downstream natural gas sectors.

John Bryk retired from the U.S. Air Force as a colonel after a 30-year career, last serving as a military diplomat in central and western Europe and later as a civilian with the Defense Intelligence Agency. Bryk holds, among other degrees, an MBA, an M.S. in Cybersecurity, and an M.A. in Business and Organizational Security Management, a combination that gives him a unique outlook on the physical and cyberthreat landscapes. As an intelligence analyst for the private-sector, he focuses on the protection of our nation's natural gas critical cyber and physical infrastructure.

The opinions expressed in this blog are those of John Bryk and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.