Ukraine finds itself at the epicenter of global cyberattack


On the June 27 eve of Ukrainian Constitution Day, Deputy Ukrainian Prime Minister Pavlo Rozenko sat down at his desk and started up his computer.

But instead of the familiar booting up routine, his computer suddenly restarted. Then his monitor showed a black screen with a warning that there were problems with his operating system.

“At first, I couldn’t understand what was going on,” Rozenko told the Kyiv Post.

But when Rozenko found out that all of his colleagues’ computers had been affected in the same way, he realized that they had been infected with a virus.

They turned off their computers, but the virus had already spread through government computer systems, encrypting information on them, and not just in Rozenko’s office.

His computer was only one of some 12,500 machines across Ukraine attacked by the NotPetya virus, which initially appeared to be ransomware, malware that encrypts vital data and demands money for the key to decrypt it, in what is now reckoned to be the biggest cyberattack in the country’s history.

The virus’ name derives from the Petya virus, which has been active since spring 2016, but NotPetya uses stronger encryption, which enabled it to seize the systems of high-profile companies, including Danish shipping giant Maersk, U.S. pharmaceutical company Merck and numerous Ukrainian government offices.

How it started

Shortly after noon on June 27, the virus started to strike Windows-run computers used by Ukrainian telecom companies, banks, postal services, big retailers, and government bodies.

Among those were state-owned savings bank Oschadbank, private bank Ukrgazbank, energy companies Kyivenergo and Ukrenergo, national telecommunications operator Ukrtelecom, mobile carrier Lifecell, postal companies Ukrposhta and Nova Poshta, Kyiv Boryspil International Airport, DIY chain Epicenter, petrol retailers, and several media companies, including Channel 24 and the Korrespondent news website.

The virus took over the computers, encrypted data and demanded a ransom of $300 in bitcoins, a digital currency used to carry out untraceable transactions. Some people even paid to get their data back — the bitcoin wallet used in the attacks in Ukraine received 45 transactions.

On June 27, U.S. software company Microsoft released a statement saying that it now has evidence that the ransomware was initially spread via Ukrainian-produced tax accounting software called Medoc. The software is widely used by the Ukrainian government. Hackers are thought to have hidden the NotPetya virus in a software update the company provided to its many customers at around 10:30 a.m. local time.

Initially thought to be ransomware, NotPetya in fact wipes computers outright, destroying all records from targeted systems.

According to Kaspersky, a Russian antivirus developer, there’s currently no solution to help decipher files after the latest ransomware attacks. According to them, the ransomware uses “a standard, solid encryption scheme,” and the data can’t be accessed unless the hackers have made a mistake in their code.

Russia suspected

The creators of the virus are yet to be identified.

Costin Raiu, the director of the Global Research & Analysis Team at Kaspersky Lab, said they don’t see “any strong indication” that could point to particular authors.

“Our analysis indicates the main purpose of the attack was not financial gain, as is usually the case with ransomware attacks, but widespread destruction,” Raiu said in written comments provided to the Kyiv Post.

While Secretary of the National Security and Defense Council Oleksandr Turchynov spoke about the “Russian traces” in the attack, and Minister of Transport Volodymyr Omelyan said that it was apt that the word “virus” ends in “Rus,” cyber experts have been more cautious about ascribing blame.

Microsoft said in a statement that while the first infections started in Ukraine, the virus was also recorded in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States. Microsoft Ukraine would not elaborate on the situation now, saying only that its engineers are investigating the case.

However, the vast majority of the infections occurred in Ukraine.

Pirate software

Oleksandr Korneiko, the president of the Ukrainian Academy of Cyber Security, said Ukraine suffered the most because of negligence.

“There’s no proof that it won’t happen again,” Korneiko said. “The biggest problem is that (people) don’t use licensed Windows software and don’t update their operating systems.”

Licensed Windows software, which costs about $150 per computer, appears to be too expensive for many private and government offices in Ukraine.

Valentyn Nalyvaichenko, the former head of Ukraine’s SBU state security service, said he made sure the security service had licensed Windows software back in 2014. “But I’m sure the government and even the Ministry of Defense haven’t cleaned the (pirate software) up,” he told the Kyiv Post.

Nalyvaichenko added that up to 90 percent of government officials also risk catching such viruses, as they use their office computers for browsing social networks.

“It would also be good if the SBU and the police, instead of raiding IT companies, attracted more Ukrainian developers to urgent cybersecurity projects,” Nalyvaichenko said.

Rozenko said while he uses licensed software on his laptop at home, he doesn’t know whether his office computer had licensed Windows software.

Latest attack

This isn’t the first time Ukraine has been under cyberattack. In December 2015, power company Prykarpattyaoblenergo suffered a major attack that led to blackouts across western Ukraine.

About 230,000 Ukrainians were plunged into darkness for six hours after hackers inserted malware into the control systems of part of the oblast grid.

Ukraine blamed Russia for the attack, and the malware used, BlackEnergy, has its origins in Russia, according to experts. However, there is no definitive link between the cyberattack and the Russian government, according to U.S. officials.

The malware was reportedly delivered via spear phishing emails with malicious Microsoft Office attachments.

A year after that, another attack hit an electricity transmission facility outside Kyiv. In a report by tech magazine Wired, cybersecurity firms that have since analyzed the attack said it was executed by a “highly sophisticated, adaptable piece of malware” now known as “CrashOverride,” a program coded to be “an automated, grid-killing weapon.”

And while nobody really knows how to deal with the computer virus, companies in Ukraine and across the world are still grappling with the effects of a major new ransomware cyberattack that struck their computer systems.

Ukrainian delivery service Nova Poshta was still affected on June 29.

“Our offices, the website and application programming interface work now,” Tetyana Potapova, a spokesperson for Nova Poshta, told the Kyiv Post. “But some computers are not working yet. And we’re also trying to ensure that our clients can use noncash payments again.”

The client services of Kyivenergo, which provides Ukraine’s capital with electricity and heat energy, were still limited on June 29 due to the virus attack.

Who’s in charge?

On June 29, Ukraine’s SBU security service issued a statement that it, together with the U.S. FBI, the UK’s NCA, Europol and other leading cyber security companies and specialists, is currently investigating the spread of the NotPetya virus, trying to identify those behind the attack.

At the same time, Ukrainian authorities together with global tech company Cisco are working on software to recover blocked computers.

Cisco spokesperson Yulia Shvedova told the Kyiv Post that such attacks are common, and that they will continue to happen as hackers develop more and more sophisticated techniques.

“Even if you were lucky this time, you should take all possible precautions so as not to be the victim next time,” Shvedova said.

Neil Walsh, head of the UN Global Program on Cybercrime, called the current virus more sophisticated than the WannaCry ransomware virus, which wreaked havoc worldwide less than two months ago. Reportedly the work of North Korean hackers, WannaCry affected computers that had failed to install one of the latest updates to Windows.

Among the major victims of that ransomware were the British National Health System, the Russian Ministry of Internal Affairs, and Japanese carmaker Nissan.

Walsh said it was still unclear whether Ukraine was the main target of the NotPetya virus. Cyber security experts were also working to identify the attackers, he said.

“This could be anything from a kid sitting in his basement… to a nation state,” he said.

Prevention methods

While the malware is sophisticated, prevention steps are rather simple.

Andrey Kosovay, head of IT infrastructure at Ciklum, says users simply have to ensure their operating systems are kept up to date. They should also have antivirus software installed, and regularly update it.

Kosovay warns people should not open software and links sent or developed by suspicious sources.

Raiu of Kaspersky also says companies should install the latest Windows patches, strengthen their security with packages such as Microsoft EMET (Enhanced Mitigation Experience Toolkit), and update all third-party software.

Meanwhile, as the world’s authorities and cyber security specialists look for ways to recover the data on affected computers, the computer of Deputy Prime Minister Rozenko remains unusable. He and the members of his department have had no option but to bring their own laptops to work.

Officers of the Ukrainian Cyberpolice Department, part of the Interior Ministry, work in an office in Kyiv on June 29. (AFP)

People try to enter a closed branch of Oschadbank on June 27 in Kyiv. Oschadbank had to close its operations on that day due to the virus attack. (AFP)

Ransomware notices started to appear on computer screens in Ukraine after noon on June 27. (Courtesy)
