Ride the Lightning

GoldenEye a/k/a NotPetya Took Down DLA Piper

July 27, 2017

June 27^th was not a good day for DLA Piper, FedEx, Merck, Cadbury and a host of others. As CNET reported, the apparent ransomware attack that swept across the world wasn't about the money. GoldenEye, also known as NotPetya, swarmed computers on June 27^th, asking for the paltry sum of $300 to decrypt data.

But now experts believe nation-state attackers are using ransomware as a screen, with the real goal of destroying data. The revelation is a surprising new aspect of an escalating cyberwar between countries that has already compromised infrastructure, elections and businesses.

The biggest tipoff that something was wrong came from how the hackers planned to collect the ransom. The Posteo server shut down the e-mail address that victims were supposed to use to contact the hackers, suggesting that aspect of the operation wasn't well thought out. Two days after GoldenEye hit, it had made only about $10,000.

Researchers from both Comae Technologies and Kaspersky Lab found that GoldenEye was a wiper, designed to destroy data. It used as its base a form of ransomware called Petya (hence the NotPetya name) to encrypt crucial files, steal login credentials and seize your hard drive.

GoldenEye started as an attack on a single organization, with the ransomware attaching itself to a software update for MeDoc, Ukraine's most popular tax-filing software. From that one victim, it spread to multibillion-dollar companies that were using it. The companies all have branches in Ukraine. About 60 percent of the attacks happened in Ukraine, according to Kaspersky Lab. GoldenEye, like WannaCry, used a technique from the National Security Agency to get into one PC and took advantage of Windows sharing tools to spread to every other computer on the same network.

Ukraine has been plagued with alleged cyberattacks from Russian state-sponsored hackers, as a testing ground for global hacks on major infrastructure. Beyond Ukraine, the collateral damage continued after more than 200,000 computers around the world were infected. The attack showed hackers don't even have to target countries directly to have the intended effect.

The legal world was rocked by the news that DLA Piper was down – it appears to have contracted the malware via a DLA office in Spain. Phone and computers were knocked out across the firm (and some shut down as a precaution) with reporters unable to reach anyone at DLA Piper via e-mail (they got a "not deliverable" message).

With offices in more than 40 counties and several thousand lawyers, DLA Piper is one of the largest law firms in the world.

On June 28^th, DLA released the following statement which was updated (I am not sure which part was updated):

Following reports of a malware attack, a DLA Piper spokesperson said: "On June 27, 2017, our advanced-warning system detected suspicious activity on our network, which, based on our investigation to date, appears to be related to the global cyber event known as "Petya". Our IT team acted quickly to prevent the spread of the suspected malware and to protect our systems.

We immediately began our investigation and remediation efforts, working closely with leading external forensic experts and relevant authorities, including the FBI and UK National Crime Agency. We are working to bring our systems safely back online."

On July 3^rd, it posted the following update:

"Following the widely reported malware incident that occurred on Tuesday 27 June, we have brought our email safely back online, and continue to bring other systems online in a secure manner.

The firm took immediate steps to contain the threat, and we have seen no evidence that client data was taken or that there was a breach of confidentiality of that data.

Our investigation is ongoing and, as always, protecting client information remains a critical priority for the firm."

Short and sweet, with no word of the vulnerability or vulnerabilities that allowed the malware into the firm. Hard to be critical without knowing what went on. It was a hell of a plunge into crisis management and I'm guessing that the firm's Incident Response Plan (since no plan survives first contact with the enemy) is being revised. The School of Hard Knocks imparts valuable lessons. I have no doubt other large firms held emergency meetings to reassure themselves they were not vulnerable to the attack.

You can find a good guide explaining NotPetya (and the defenses against it) here. Hat tip to Dave Ries for the link.

E-mail: Phone: 703-359-0700
Digital Forensics/Information Security/Information Technology
https://www.senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson