Ukraine Police Trace Petya Attack Source

A compromised update mechanism in an obscure piece of Ukrainian accounting software is the root cause of the massive Petya cyberattack that broke out last week, according to Ukrainian law enforcement.

The attack hit Ukrainian utilities and airline services, the US-based pharmaceutical company Merck and the Russian oil giant Rosneft, and even forced operators at the Chernobyl nuclear power plant to switch to manual radiation monitoring of the site.

The software, Me.Doc, is a tax reporting and filing application used by companies that do business in Ukraine. At about 10:30 a.m. GMT on Tuesday 27 June, Me.Doc ran a routine automatic update, which connected every online installation of Me.Doc to the address 92.60.184.55.

That by itself is not unusual.
As the Ukrainian police's cyber division explained in a Facebook post, Me.Doc updates are usually small, about 300 bytes. This one was 333 kilobytes, roughly a thousand times larger. Once a host downloads the update it is infected: the malware writes a new file named Rundll32.exe, contacts a second network address, and begins running commands that exploit the same Windows SMB vulnerability, the one attacked by the leaked EternalBlue exploit, that WannaCry used.
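The police post gives two network-side indicators that a defender can check against proxy or firewall logs immediately: the update server address 92.60.184.55 and an update response about a thousand times larger than the usual ~300 bytes. The script below is an added example, not code from the DefenseOne article or the police post; the log format (whitespace-separated timestamp, client IP, destination IP, method, URL, response bytes) and the sample log lines are constructed for illustration, and real proxy exports will need their own field mapping.

```python
"""Triage proxy logs for Me.Doc update traffic matching the indicators above.

Assumptions (not from the article): a simple whitespace-separated export with
fields  timestamp  client_ip  dest_ip  method  url  response_bytes.
The sample log below is constructed for this example.
"""
import ipaddress
from dataclasses import dataclass

UPDATE_SERVER = ipaddress.ip_address("92.60.184.55")  # address named in the police post
TYPICAL_UPDATE_BYTES = 300                             # routine update size per the post
SIZE_RATIO_THRESHOLD = 100                             # flag >= 100x typical; 333 KB is ~1000x

# Constructed sample log: two hosts poll the update server, one of them pulls
# a ~333 KB payload, and an unrelated host fetches an unrelated site.
SAMPLE_LOG = """\
2017-06-27T10:31:02Z 10.1.4.22 92.60.184.55 GET http://upd.example/medoc/check 312
2017-06-27T10:31:05Z 10.1.4.22 92.60.184.55 GET http://upd.example/medoc/update 340992
2017-06-27T10:31:09Z 10.1.4.37 93.184.216.34 GET http://www.example.com/ 1256
2017-06-27T10:32:11Z 10.1.4.51 92.60.184.55 GET http://upd.example/medoc/check 298
"""


@dataclass
class Hit:
    when: str
    client: str
    nbytes: int
    reason: str


def parse_line(line):
    """Return (timestamp, client, dest_ip, response_bytes) or None for malformed lines."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, client, dest, _method, _url, nbytes = fields
    try:
        return ts, client, ipaddress.ip_address(dest), int(nbytes)
    except ValueError:
        return None


def clients_polling_update_server(log_text):
    """Inventory: every client that talked to the Me.Doc update server at all.

    This is the population of hosts that had Me.Doc installed and online during
    the window, whether or not they pulled the oversized payload.
    """
    clients = set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2] == UPDATE_SERVER:
            clients.add(parsed[1])
    return sorted(clients)


def find_hits(log_text, ratio=SIZE_RATIO_THRESHOLD):
    """Flag update-server responses far above the routine ~300-byte size."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, dest, nbytes = parsed
        if dest != UPDATE_SERVER:
            continue
        if nbytes >= TYPICAL_UPDATE_BYTES * ratio:
            hits.append(Hit(ts, client, nbytes,
                            "oversized response from Me.Doc update server"))
    return hits


def affected_clients(log_text):
    """Clients that pulled an oversized update: the hosts to isolate and image first."""
    return sorted({h.client for h in find_hits(log_text)})


if __name__ == "__main__":
    print("hosts that polled the update server:", clients_polling_update_server(SAMPLE_LOG))
    for hit in find_hits(SAMPLE_LOG):
        print(f"{hit.when} {hit.client} {hit.nbytes} bytes: {hit.reason}")
```

The inventory list is as important as the hit list: a host that polled the server but shows no oversized response in the proxy log may simply have fetched the payload over a path the proxy did not see, so it belongs in the same follow-up, which on the host side means looking for the newly written Rundll32.exe the post describes and confirming the SMB patch is applied.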

The exploit originated with the US National Security Agency and was among the stolen tools that made their way onto the Web via a group calling itself the Shadow Brokers. The NSA had disclosed the vulnerability to Microsoft, which issued a patch long before WannaCry spread.

Defense One verified the Ukrainian police's post with a second researcher who had direct knowledge of the attack and the malware in question. Researchers at Russia-based Kaspersky Lab have also pointed to Me.Doc as the likely initial infection vector.

At this point, no one has claimed responsibility for the attack and authorities have yet to make a hard determination about attribution. 

Actors backed by the Russian government have been targeting Ukrainian infrastructure since 2015, when an attack on the power grid knocked out electricity to more than 225,000 people. WannaCry, by contrast, has been linked to actors outside Russia, namely North Korea, a finding that some researchers dispute.

DefenseOne

