The Most Destructive Hack Ever Used: NotPetya

Cybernews
On June 27, 2017, almost all of Ukraine was paralyzed by NotPetya: a piece of malware designed with ...
Video Transcript:
In the middle of the night, in a huge office somewhere in Ukraine, a lone computer wakes up. After booting, it stays silent for a while. Then a new file pops up on the desktop: perfc, an empty, extensionless file. A Windows folder opens and the file gets moved there. Several seconds later the computer shuts down. Not a soul was around to notice this small event.

The next day, as the employees start their morning routine of coffee and gossip, something weird happens: computers all over the company suddenly begin rebooting, but instead of the Windows splash screen they display this: a ransom message, a demand for $300 worth of bitcoin for every infected machine. The company's executives are dumbfounded. They argue and bicker before reaching a conclusion; the bottom line hangs in the balance, and the company just can't afford to stop everything and wait for a fix. They transfer one payment, just to see where that will get them. Several hours pass. Nothing changes; all the machines are still encrypted.

As the IT staff tries to understand what's happening, the rest of the employees get a day's leave, and on their way home they understand that their little company wasn't alone. They become the perfect witnesses of the countrywide catastrophe that unfolds. Some of them visit a gas station but can't purchase fuel: payment systems don't work. Others choose public transport and can't get their tickets. Paying in cash might seem like an option, but all the ATMs in the vicinity are down too. Hospitals can't access their records, utility companies can't send their bills, the postal service can't deliver packages. It's nothing short of a digital apocalypse. In a matter of hours, much of the economy of the entire country grinds to a halt; nearly every company, institution and service is down.

And then it spills over the borders: international shipping, medicine, fuel companies, anything that had an office in Ukraine. The same red-on-black plague, "Ooops, your important files are encrypted", all across their networks, on thousands upon thousands upon thousands of computers across the world. But not the one. The computer that woke up in the middle of the office the night before the attack is, for some reason, fine. It continues working as if nothing happened. For years nobody would suspect how it and several more random computers all across the world
were involved in the latest and most devastating cyber attack that ever happened. It's them that held the key to answering the questions about NotPetya, a weapon that showed the world what a full-scale cyber war looks like. It happened on June 27th, 2017, and the world was never the same. The carefree air of the mid-2010s evaporated and got replaced with a new reality. There was no rollback.

By 2017, devastating cyber attacks on Ukrainian infrastructure were nothing new. Two years earlier the country saw the first documented attack on a power grid, leaving nearly a quarter of a million people without electricity in the middle of a freezing winter. In 2016 the attack repeated, cutting off electricity for the capital, Kyiv. Both attacks were different from your typical cyber criminal activity: they were done by people who knew the infrastructure and the inner workings of the Ukrainian electricity grid well. They exploited top-tier vulnerabilities and used incredibly powerful software that caused physical damage to critical infrastructure. Anyone who got a glimpse at the code had no doubts: those were operations only state-sponsored hacking groups were capable of.

On the surface the culprit seemed obvious. Since 2014 Ukraine was at war with Russia. It all started with a revolution in Kyiv, or a coup, as Russia calls it: the Ukrainian presidential administration, notorious for its corruption, was overthrown by pro-Western citizens and politicians. At the time, the Russian military invaded and seized several regions of Ukraine in a land grab that would only be surpassed by the second invasion in 2022. As ceasefire agreements were being signed and the hot war in eastern Ukraine simmered down, the conflict moved away from the front lines. Sabotage operations, assassinations, every kind of guerrilla activity you can imagine became a daily occurrence. But now, for the first time in history, the warring sides had a new domain at their disposal. People in Ukraine and Russia lived a significant portion of their lives online, and the infrastructure of both countries was heavily interconnected too. Both sides were more than eager to leverage that.

By that point Russia had ample experience in conducting offensive cyber operations. In 2007 it attacked Estonia in the world's first attempt to DDoS an entire country into chaos. In 2008 it repeated the same playbook during the invasion of Georgia, assisting
its troops with digital shelling. Cyber attacks became an unspoken but major part of Russia's military doctrine. Each intelligence agency in the country saw it as a new tool at their disposal, but none of them were as enthusiastic as the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, an agency popularly known as the GRU.

Following the dissolution of the Soviet Union, the GRU was a relatively unknown but immensely powerful organization. Its roots go back almost a century, and its reputation was one of unrivaled ruthlessness. But by the early 2010s almost none of that remained. The directorate was underfunded and understaffed; many saw it as a failure, an agency completely overshadowed by the better known, freshly renamed and facelifted FSB. But something weird happened after the outbreak of the first war in eastern Ukraine: the GRU suddenly found a way to reinvent itself. One part of that was a focus on cyber attacks: Ukraine, then the rest of Eastern Europe, then the entire world. The growth was spurred by an influx of new personnel. The GRU began attracting the most talented hackers in Russia, from distinguished university graduates to notorious cyber criminals.

These cyber cowboys brought their own approach to the agency's operations. They were not afraid to take initiative, improvise and even inject some personal flair into their work. Within the GRU there was even a group that kept leaving references to Dune, Frank Herbert's seminal work of science fiction, in each piece of their custom-built malware. These references were found in 2014 in the group's BlackEnergy malware, the same toolkit later used against the Ukrainian electricity grid in 2015 (the 2016 attack was attributed to the same group). Capitalizing on their discovery, the researchers were quick to give this hacker group an appropriate name: Sandworm.

As the first reports on Sandworm's activities were published, complete with a list of nods to the book, the Dune references ceased immediately. The attacks did not. Their attribution became more difficult, but by this point Sandworm had performed enough attacks to become recognizable: the tools they used, the hours they operated, the barely perceptible calligraphy of their code, but above all the targets. Few actors in the world were so focused on breaking specialized software like industrial control systems; even fewer were so proficient at it; and nobody else was as persistent at aligning their targets with the political goals of the Russian Federation.

The attack that defined Sandworm
began on June 27, 2017. On one hand, the choice of this particular date seemed straightforward: it was the eve of a national holiday in Ukraine (Constitution Day, June 28). Attacking on this day would carry a symbolic message and be more difficult to mitigate due to staff shortages. On the other hand, some researchers suggest there might have been another motive for launching NotPetya on that day, a motive hidden behind the perfc file.

The nature of the internet makes attacking one country extremely difficult. Countries are interconnected; many institutions and companies don't even host their own websites, relying on cloud infrastructure and keeping their data in server farms elsewhere in the world. However, Sandworm found a clever way to bypass that: it infiltrated M.E.Doc, a Ukrainian tax accounting software tied to the whole Ukrainian economy. Practically every company that paid taxes in Ukraine ran M.E.Doc on at least one of its computers; hence there was at least one computer that could lead to each and every company in the entire country. M.E.Doc's vendor was infiltrated months before the attack, reportedly through a simple phishing message with attached malware; after tricking an unwitting company employee into clicking it, the hackers snuck in and created a robust backdoor inside M.E.Doc's systems. By doing this they ensured access to every update M.E.Doc pushed out and to every computer where its software was installed.

On June 27 it was time for another update. As people across Ukraine piled into their offices, chit-chatting about their holiday plans, the update was downloaded in the background, and something was hidden inside it. That something was a small piece of malware with an enormous virulent potential: NotPetya. It was a computer worm, and like any worm its goal was to replicate. It tried doing that by hopping
onto every computer connected to the initial infection point through the local area network, or LAN. However, most systems are engineered to prevent such hopping, and to bypass that the malware used a tool known as Mimikatz. It was a proof-of-concept tool created several years prior by Benjamin Delpy, a well-known engineer who wanted to show that Windows had a huge problem: Windows machines kept the credentials of logged-on users, at the time including plaintext passwords, in the memory of the LSASS process, from which anyone with administrator rights could extract them. For years little changed, even after Delpy published his proof of concept for all to see; Microsoft's mitigations (such as disabling plaintext caching in WDigest, in 2014) came slowly and, on older Windows versions, had to be opted into.

Cyber criminals, however, paid attention. Using a Mimikatz-derived credential stealer, NotPetya could harvest the usernames and passwords of anyone who had logged on to an infected computer and reuse them to log into other computers on the network with administrator access, launching itself remotely through legitimate Windows administration tools (PsExec and WMIC). When that didn't work, it applied two exploits, EternalBlue and EternalRomance. Both of them were developed by the US National Security Agency as incredibly advanced cyber weapons. They targeted an old feature of Windows, the SMBv1 file-sharing protocol that allows direct sharing of files between computers; EternalBlue and EternalRomance exploited bugs in that protocol (patched by Microsoft in MS17-010, three months before the attack) to push malicious code onto any unpatched computer on the same network and take it over. Note the combination: the exploits only worked against unpatched machines, but the stolen-credential path worked against fully patched ones too, which is why networks that had applied MS17-010 were still destroyed. Both exploits were snatched from the hands of the NSA by an enigmatic hacker group known as the Shadow Brokers and posted online in one of the greatest leaks in the history of cyber crime. They immediately got integrated into some of the most destructive malicious programs ever developed, NotPetya being one of them. EternalBlue and EternalRomance allowed the malware to reach further than Mimikatz alone, and thanks to this combination a single device with M.E.Doc was enough to spread NotPetya to an entire network. Once inside, the worm would wait for up to an hour, probing around and trying to find more
ways to spread. At the same time it would run another task: encryption. Every file with one of the dozens of extensions on its list (documents, archives, databases, virtual disks and the like) was encrypted with AES-128, turning it into gibberish, unreadable and unusable, losing all the data inside. Up to an hour to do that: plenty of time even for the most cluttered hard drives. Once encryption was complete, the device would reboot. By then the worm had already replaced the master boot record, the foundational piece of code that starts the computer and runs its operating system, with a tiny loader of its own. After the reboot that loader displayed a message saying that a corrupted file system was being checked and repaired, a fake CHKDSK screen. In reality it was doing the opposite: it spent this time encrypting the master file table of the NTFS volume, the index that tells Windows where every file lives. Without it, Windows can't launch.

After that, the machine displayed its real message: a set of instructions to transfer a small sum of money to a Bitcoin wallet. This was another layer of deception. There was no mechanism to decrypt the gibberish: the "installation key" shown on the screen was random data with no relation to the keys actually used, so no matter how much money you paid, all of the computer's data was gone. It was a wiper masquerading as ransomware.

The deception worked. Initial attempts to battle the attack were thrown off track: the pattern coincided with Petya, a known piece of ransomware that cyber security professionals knew how to deal with. Only a while later, after countless unsuccessful attempts to stop it, did the researchers understand that this was not Petya. NotPetya: the name stuck, just like the ominous red message on the screens of countless devices. Computers all across Ukraine displayed it on June 27th: devices that managed retail, utilities, finances, transportation, even the ones that monitored radiation levels in the ruins of the Chernobyl nuclear power plant. Most industrial devices were spared because they did not run Windows. Most regular citizens were spared as well, because their home networks had nothing to do with M.E.Doc.
The spread of the infection was still massive. By some estimates 10% of Ukraine's computers were hit: one in ten machines in the whole country, and the entire economy that depended on them. But it wasn't just Ukraine; the internet does not stop at the borders. An immense number of international companies operated in the country, many of them paying taxes there, and thus they used computers running M.E.Doc. FedEx subsidiary TNT Express, food producer Mondelez International, consumer goods manufacturer Reckitt Benckiser, pharmaceutical giant Merck & Co., Saint-Gobain, Nuance Communications and hundreds of other huge international companies: NotPetya found a way into all of them.

The largest of the infected companies was Maersk, a Danish company responsible for nearly a fifth of all goods shipped worldwide. Out of the 76 terminals Maersk operated at the world's largest ports, 17 were paralyzed. Ships could not unload their cargo; trucks could not be loaded with it. Supply chains across the world went down. The digital apocalypse spread and grew beyond anybody's expectations.

But amidst all this chaos a curious oddity stood out. Inside the companies that were devastated by NotPetya, some computers miraculously survived the attack. NotPetya spared them, destroying every single other machine on the same network except for the ones that had a file named perfc in their Windows folder.

All right, this is the cliffhanger moment, and now that we have your full attention, can we ask for a like and a subscribe? We don't have sponsors, and making content like this purely on YouTube revenue is difficult, so if you like what you see, let the algorithm know. Thanks, and back to perfc.

This was a kill switch. Here's how it worked. The malware itself, despite the popular name, is a small file called perfc.dat (call it whatever you want). Upon infection, NotPetya gets extracted into this file, and then it looks for a file with the same name, minus the extension, in the Windows folder, as a way to check if it was already there, because, well, there's no point in encrypting a computer twice. However, simply creating an empty file named perfc and placing it in the Windows folder would lead to the same result, the only extra requirement being that the file should be read-only, so the malware can't replace it. So NotPetya gets onto a computer, extracts itself and looks for perfc: is
it there? If yes, the worm stops in its tracks. If not, it proceeds to destroy everything it sees.

This curiosity was first discovered by Amit Serper, a researcher who worked for the Israeli cyber security company Cybereason and was among the first to analyze NotPetya.

So I started going over the sample, and I said, okay, so you know, in Windows, when you want the process to quit or exit, there's an API call, a function that's called ExitProcess. So I was like, hm, I wonder if ExitProcess is implemented in this, and what calls it. So I found a call to ExitProcess, and I saw that it was looking for the name of a file in a specific path, and if that file existed then the malware would quit. I called a few of my co-workers, some in the US, some in Israel, and I was like, hey, do me a favor: take the sample, put it in a virtual machine, call it, like, I don't know, sample.exe, and put a file called "sample" in Windows\System32 or whatever, and tell me what happens. And they tell me nothing's happening: "we double-click the file and it just dies." And it's like, oh, sweet, now we only have to find the original name of the file. So I posted on Twitter (back then it was Twitter), and basically two really cool things happened, pretty much like five seconds from each other. One is someone from Ukraine, from a university, responded with the name of the file that he saw on his system, and another person, from that WhatsApp group I was on, an Israeli researcher called Ido Naor, wrote on the group: I think that the original file name was perfc. That was also what the Ukrainian person told me.

The kill switch worked, and now there was a way to stop the attack, but for most it was already too late. Ukraine was paralyzed, and NotPetya was quickly leaking beyond its borders. One of the people who had to deal with that was Artem Mikyo, a researcher at ISSP, a Ukrainian cyber security company that found itself in the middle of the attack.

Lots of people, they were just... they didn't know what to do, because this was
really the first time we experienced an attack of such scale, and as we know afterwards, this buzzword, like "the unprecedented", "the most devastating attack in history". And well, you could imagine, when you, you know, go along the street, you go to the coffee shop, it doesn't work because they can't process your payment; you go to the groceries, they can't process your payment; you want to log into your, whatever site, your carrier site, or you want to pay your bill for energy, and it simply doesn't work.

Only a full day later was the spread stopped: in part thanks to mass shutdowns of all devices across the country, in part thanks to the discovery of the kill switch, but mostly because NotPetya ran out of potential victims, having infected almost every network it could feasibly infect. For most victims the only way to recover was to wipe all systems clean and rebuild anew. For researchers who wanted to understand how the attack happened, the real work was just beginning.

So yeah, it was a traditional investigation. We grabbed all the logs, all the telemetry, everything which remained, because, thank God, NotPetya didn't encrypt entirely everything; it encrypted only 10% of computers in Ukraine, which sounds kind of amazing, but still it's not 100%, right? So we had this opportunity to work with what we were able to get from those machines, and eventually we built up kind of the sequence of actions: the patient zero, then the second patient, and how it started to spread. And, you know, usual suspects: social engineering, existing vulnerabilities, and the NSA exploits, for which nobody had a cure at that time.

This is when the
route NotPetya took was discovered: EternalBlue, Mimikatz, the infected update and the M.E.Doc server. The Ukrainian police immediately raided the company behind this small piece of software and seized its servers, giving the researchers access to the starting point of the attack.

So we actually got access to... I don't even think that these hard drives were imaged. I think it was like the actual hard drives, because what we found out was that the Ukrainian authorities, like, they have the cyber police or something, they came into this company's office, got the servers, yanked out the hard drives, put them in black plastic garbage bags and, you know, took them to the police headquarters. And I'm pretty sure that the hard drives that I got access to were the original ones. I don't think they even imaged them. But again, I don't know. And at one point I was basically taking a bath with my laptop and, like, reverse engineering stuff in my bathtub.

(Standard forensic practice is to work from verified, write-blocked images rather than original media, precisely so the evidence cannot be altered and its chain of custody holds up later.) A short analysis was enough to understand how NotPetya worked, and also how it exploited M.E.Doc, an innocent company that found
itself in the wrong place at the very, very wrong time.

We need to understand that M.E.Doc at that time, it was relatively... it wasn't a small company, but I would say it falls under the category of SMEs, small and medium enterprises. And again, it was 2017; the maturity of cyber security within such companies, it used to be something which you desire to be better, you know. Very few companies at that time globally, of their size and of their, let's say, industry, had very detailed, specific monitoring of what is happening within the infrastructure, because at that time, if you recall, everybody thought: okay, why am I interesting for hackers, right? I'm not a big bank; the monetization of any attack against me would be very low in returns, so why would anybody think of hacking us? Right? Because this pattern of thinking about supply chain attacks wasn't so spread at that time. So they simply missed it. You know, APTs are being missed even today in large corporations.

So this is how the attack originated: on M.E.Doc's servers. The usual fingerprints of Sandworm were found, without any references to Frank Herbert's book but with every other trick the GRU's hackers favored. Their motivation was easy to figure out: Russia and Ukraine were at war. When it came to material damage, NotPetya was not much different from a bombing raid on an industrial heartland.

So while it's difficult to 100% prove, cyber security experts, including us at ISSP, quickly linked NotPetya to Sandworm, again, a Russian military hacking unit inside the GRU, Russia's military intelligence agency. Basically, the choice of M.E.Doc as the infection point suggested that the attack was targeting Ukraine specifically, despite it having influence outside of Ukraine. But I guess they also didn't expect that it would be so successful. NotPetya wasn't designed for profit, right? It's obvious it was designed for maximum destruction, for bringing maximum damage, and everything in this attack was so beautifully architected, like the covert communications through the Cookie field in M.E.Doc. So everything was well thought out.

So when I look at all of this evidence and I'm applying, you know, some critical thinking, according to my experience, my past experience as a nation
state actor and then my back-then current experience as a malware RE engineer, this definitely checks out.

But at least initially not everything checked out. There was one part of this mystery that seemed quite puzzling: perfc. Some computers in the midst of the attack were inoculated against NotPetya, as if an invisible hand had granted them immunity from an impending epidemic. The computer at the unnamed Ukrainian office we mentioned in the beginning was one of them, but dozens more were found all across Ukraine, in all kinds of companies and institutions. For that, several hypotheses exist.

On one hand, if you're crafting a secret weapon it makes sense to give it a kill switch, just in case it gets out of your control. What if NotPetya breached its containment and began wreaking havoc in Russia? The government could just distribute simple instructions to its subjects and stop the attack. But on the other hand, NotPetya did breach its containment and wreak havoc in Russia: Gazprom, the best-known Russian energy giant, was infected with it and suffered tremendous losses. We may never know if it was given a kill switch to spare at least some of its networks, but what we do know is that some computers in Ukraine had that file, and this raises another hypothesis: that NotPetya was not only an attempt to digitally carpet-bomb Ukraine, but also to cover the tracks of a much more insidious operation.

So now, in 2025, when we're talking, we know, according to Andy's book, that the reason why this mechanism with the file, with the vaccine, was there was to keep key machines from being encrypted, because when you're a threat actor and you're burrowing your way into someone
else's network, you want to leave access, because in these kinds of attacks the destructive phase, such as NotPetya, is not necessarily... if you just want to cause damage, it's also if you want to cover your tracks. So let's say you did something and you don't want people to know what you did, right? Or you did something and something went wrong and you weren't able to complete whatever it is that you wanted to do, or you just wanted to, like, cause chaos and remove all of the evidence: you would do something like that. But you would still, as a threat actor, you would still want to leave access to the network, you know, for a rainy day or for the next phase of the attack or whatever.

This hypothesis was put forward by the journalist Andy Greenberg in his book on the history of Sandworm's attacks. It's supported by the vast majority of researchers that investigated NotPetya and brings a lot of clarity into how and why the attack was performed. If we believe this hypothesis, NotPetya was not just a wiper designed to cause as much damage as possible; it was designed to cover the tracks of previous cyber espionage operations and prepare the soil for more such operations in the future. Russia not only carpet-bombed Ukrainian infrastructure but also erased the footprints that may have compromised its spies, and also carefully avoided excessive damage, leaving the doors open for future infiltration.

From my past experience as someone who used to be a nation state actor, it makes sense. I mean, it makes sense, because again, this was an operation that was very successful, maybe even too successful, right? And
a lot of thought was put into it.

A lot of thought was also put into learning lessons from this attack. After all, it was the largest one the world had ever experienced. Its damage was measured at at least $10 billion, this sum being the lowest possible estimate rather than the actual cost to repair the systems and compensate for the damage. Countless international companies were infected, and many of them kept the breaches secret. Still, for most people it was a wake-up call, and one everybody preferred not to miss.

So after NotPetya we had a boost of tabletop exercises across different industries, right? We had a boost for services which we came up with after NotPetya, and we called them compromise assessments. So from this perspective, obviously, when you feel... when you're very near to that, when you simply can't pay for your groceries, you know, when you're on the road before the holiday, obviously it influences, right, the mindset, and you understand: okay, it looks like it's important, and either we should refuse from using digital systems or we should invest in cyber security and change something. And even during the last three years we had attacks even bigger than NotPetya, in a sense, but because the Russians have prepared us, again, in a sense, for fighting back against those cyber attacks, the impact was kind of lower. So yeah, we had lots of interest from professionals in the industry; they all came to Ukraine to speak, not just, you know, to have a phone call, but they wanted to have it hands-on, you know, to feel how it's like to be a nation which was so heavily hit.

Not
all lessons were learned, though. It took the United States and other countries until February 2018, eight months after the attack, to publicly call out Russia for doing it, even despite the researchers pointing to the GRU's fingerprints from day one, and even after the White House published its own insights into the events and confirmed Russia's involvement, the impact of that has been minimal at best.

And I think that what we should have asked, not necessarily as security professionals and security researchers and reverse engineers, but as, you know, people, as citizens of the world: we should have demanded our governments and international organizations such as the UN, or, I don't know, to maybe actually do something useful with all of their resources and have stronger mechanisms to hold countries, threat actors, whatever, people who do these malicious operations, to hold them accountable. And what happened with WannaCry, with NotPetya, with myself and other people, was that it was the researchers, the individual researchers, not as companies but, as I said, I was sitting in my parents' living room in Israel with, like, nothing to do, four hours to kill. Marcus Hutchins, MalwareTech, back with WannaCry, was also, like, he was looking at it, you know, for shits and giggles, and we were very lucky as a collective that it was just, like, a bunch of bored people like myself trying to mess with things and press buttons and see what happens. But I think that it showed us that we are not as resilient as we think we are, and while the products that we sell may do a good job the
vast majority of the time, it only takes one incident like NotPetya, like WannaCry, to really show us how fragile everything is.

There was one more lesson the world could have learned. NotPetya was launched by the Russian military, but the tools that enabled it, the tools that made it what it was, weren't Russian. The exploits were stolen from the NSA and distributed to cyber criminals worldwide, spurring some of the most devastating attacks ever conducted. Perhaps we will tell the story of the Shadow Brokers leak in another episode of No Rollback, or we could make it about WannaCry, another massive attack enabled by the stolen NSA tools. Is there another story you'd like us to cover? Leave your suggestions in the comments, and to support our content please like this video and subscribe to our channel. Thank you, and we'll see you in the next video.
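An added example, not code from the video, from Cybernews or from any of the researchers quoted above, that emulates the perfc check described in the narration and in Amit Serper's account: the dropper runs as perfc.dat, strips its own extension and exits if a file of that name already exists in the Windows folder, which is exactly what the 2017 "vaccine" scripts exploited. The function names, the scratch directories standing in for C:\Windows and the dummy payload are assumptions made for the demonstration, so it runs safely on any OS:

```python
"""NotPetya's "perfc" kill switch, emulated, and the vaccine that used it.

Added example for this page; not code from the video or from any of the
researchers quoted in it.  The only behaviour taken from the transcript is the
check itself: the dropper runs as C:\\Windows\\perfc.dat, strips its own
extension, and exits if a file with that name already exists in the Windows
directory.  Function names, the temporary directories that stand in for
C:\\Windows and the dummy payload are assumptions for the demonstration.
"""
import stat
import tempfile
from pathlib import Path

# File names the dropper was observed using in 2017.  The vaccine scripts of
# the time created all three, read-only, so the check fires for every variant.
VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def kill_switch_present(windows_dir, malware_filename):
    """True if NotPetya's own pre-flight check would make it exit.

    The dropper looks for <windows_dir>\\<its own file name without extension>.
    """
    stem = Path(malware_filename).stem          # "perfc.dat" -> "perfc"
    return (Path(windows_dir) / stem).exists()


def vaccinate(windows_dir, names=VACCINE_NAMES):
    """Create empty, read-only kill-switch files and return their paths.

    Existence alone satisfies the check; read-only is belt-and-braces so the
    dropper cannot simply overwrite the marker with its own copy.
    """
    created = []
    for name in names:
        target = Path(windows_dir) / name
        target.touch(exist_ok=True)
        # Clear every write bit.  On Windows this sets the read-only attribute.
        writable = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
        target.chmod(target.stat().st_mode & ~writable)
        created.append(target)
    return created


def simulate_dropper(windows_dir, dropped_as="perfc.dat"):
    """Model the dropper's first decision; returns the branch it would take."""
    if kill_switch_present(windows_dir, dropped_as):
        return "exit"                     # the ExitProcess path Serper found
    # Otherwise it extracts itself (a dummy payload here) and carries on.
    (Path(windows_dir) / dropped_as).write_bytes(b"<dummy payload>")
    return "spread_and_encrypt"


def demo():
    """Run the whole scenario in scratch directories; returns the outcomes."""
    unprotected = Path(tempfile.mkdtemp())
    protected = Path(tempfile.mkdtemp())
    files = vaccinate(protected)
    return {
        "unprotected": simulate_dropper(unprotected),
        "vaccinated": simulate_dropper(protected),
        "vaccine_files": len(files),
        "all_read_only": all(not (p.stat().st_mode & stat.S_IWUSR) for p in files),
        # A copy dropped under another name checks for a different marker, so
        # the vaccine only protects against the file names you anticipated.
        "renamed_copy_blocked": kill_switch_present(protected, "evil.exe"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it as a script to see the unprotected directory take the spread_and_encrypt branch and the vaccinated one exit. The last entry of demo() is the caveat practitioners ran into in 2017: the check keys off the dropper's own file name, so a sample dropped under any other name looks for a different marker and the vaccine does nothing for it. A kill switch like this is a gift to defenders only for as long as the attacker keeps the name stable.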