Notpetya: the incredible story of an escaped US cyberweapon, Russian state hackers, and Ukraine's cyberwar

Andy Greenberg (previously) is Wired's senior security reporter; he did amazing work covering Russian cyberwarfare in Ukraine, which he has expanded into a forthcoming book: Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers (I read it for a blurb and a review; it's excellent).


Last month while I was offline, Wired ran a long excerpt from the book, and it's a great introduction to the tenor of the work (which, again, I can't recommend highly enough — it's a superb introduction to the equities, technicalities, personalities and ethics of cyberwarfare, that most problematic of metaphors).


For the past four and a half years, Ukraine has been locked in a grinding, undeclared war with Russia that has killed more than 10,000 Ukrainians and displaced millions more. The conflict has also seen Ukraine become a scorched-earth testing ground for Russian cyberwar tactics. In 2015 and 2016, while the Kremlin-linked hackers known as Fancy Bear were busy breaking into the US Democratic National Committee's servers, another group of agents known as Sandworm was hacking into dozens of Ukrainian governmental organizations and companies. They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data. The attacks followed a sadistic seasonal cadence. In the winters of both years, the saboteurs capped off their destructive sprees by causing widespread power outages—the first confirmed blackouts induced by hackers.

But those attacks still weren't Sandworm's grand finale. In the spring of 2017, unbeknownst to anyone at Linkos Group, Russian military hackers hijacked the company's update servers to allow them a hidden back door into the thousands of PCs around the country and the world that have M.E.Doc installed. Then, in June 2017, the saboteurs used that back door to release a piece of malware called ­NotPetya, their most vicious cyberweapon yet.

The code that the hackers pushed out was honed to spread automatically, rapidly, and indiscriminately. "To date, it was simply the fastest-propagating piece of malware we've ever seen," says Craig Williams, director of outreach at Cisco's Talos division, one of the first security companies to reverse engineer and analyze Not­Petya. "By the second you saw it, your data center was already gone."

NotPetya was propelled by two powerful hacker exploits working in tandem: One was a penetration tool known as EternalBlue, created by the US National Security Agency but leaked in a disastrous breach of the agency's ultrasecret files earlier in 2017. EternalBlue takes advantage of a vulnerability in a particular Windows protocol, allowing hackers free rein to remotely run their own code on any unpatched machine.

The Untold Story of NotPetya, the Most Devastating Cyberattack in History [Andy Greenberg/Wired]


(Image: Mike McQuade/Wired)

(via Schneier)