Ukraine has placed the blame for last week’s ransomware outbreak on Russia. The allegations came as multiple cybersecurity companies claimed there were links between the so-called NotPetya ransomware and hackers who previously targeted power providers and shut down electricity across the country, most infamously in December 2015 and then again on a smaller scale a year later.
The state security service, the SBU, said Saturday that Russian security services were to blame for the attacks, which infected multiple Ukrainian government agencies, energy companies, transport infrastructure and banks. Though Ukraine was by far the worst affected, major international companies such as drug giant Merck, legal firm DLA Piper and global shipping business Maersk were also hit hard, amongst many others.
“The available data, including those obtained in cooperation with international antivirus companies, give us reason to believe that the same hacking groups are involved in the attacks, which in December 2016 attacked the financial system, transport and energy facilities of Ukraine using TeleBots and BlackEnergy,” the SBU said. “This testifies to the involvement of the special services of the Russian Federation in this attack.”
Ukraine has not been shy about blaming Russia for past attacks on its infrastructure. But the SBU’s claims were supported by multiple security companies, as researchers claimed the main aim of the malware was to cause disruption, not to profit from the $300 Bitcoin ransom demanded per infection, as in typical ransomware attacks.
ESET said Friday there were connections between a destructive hacker crew called TeleBots, the BlackEnergy malware used in the 2015 power grid attacks and subsequent ransomware outbreaks, including last week’s. But the links were largely based on similarities in the tools and techniques used by the TeleBots crew, rather than any obvious, direct correlation. For instance, both NotPetya and a TeleBots ransomware called XData, which spread in May, initially infected PCs via rogue updates for a Ukrainian accounting software called MeDoc (the company has denied it was hacked and used to spread malware, though researchers believe that claim to be false). Going further back, ESET said there were similarities in malicious code between BlackEnergy and TeleBots’ destructive malware.
Anton Cherepanov, ESET security researcher, told Forbes the TeleBots group had conducted attacks similar to NotPetya before — malware that looked like ransomware, but did not let victims recover their files, even if they paid up. And he believes TeleBots deployed other malware besides XData and NotPetya through a malicious MeDoc update. “We are confident that this group is behind [the NotPetya] outbreak in Ukraine,” Cherepanov added.
Caution over attribution
Kaspersky’s Costin Raiu said he believed ESET’s research was sound and that his researchers had found a similarity between NotPetya and the KillDisk wiper malware used in BlackEnergy attacks, namely their targeting of a particular range of file types with certain extensions, such as .doc and .ppt. “However, I think more research is needed to find connections with older BlackEnergy outside the link with MeDoc,” Raiu added.
Kaspersky’s own report on NotPetya, published Friday, found that a slice of code used for checking filenames was similar across BlackEnergy and NotPetya, indicating “certain code design similarities between these malware families.” But the researchers also noted that this was “a low confidence indicator.”
Yet sources told Forbes that American companies, such as FireEye, agreed with ESET’s assessment that the BlackEnergy hackers who attacked power companies were the same people who created NotPetya. FireEye has done extensive research on TeleBots, a group it calls Sandworm, tying the hackers to the Russian government. According to previous analysis, there is also forensic evidence connecting Sandworm to Electrum, a group that created another malware, called CrashOverride, aimed at energy providers. CrashOverride shut down power supplies in Kiev in December 2016.
Russia, for its part, has denied Ukraine’s accusations, with a Kremlin spokesperson complaining to Reuters of “unfounded blanket accusations.”