What happened in 2017
In June 2017, a new variant of the malware, “Petya,” was used for a global cyberattack, primarily targeting Ukraine. Kaspersky Lab referred to this new version as “NotPetya” to distinguish it from previous variants and due to differences in its behavior. It was believed that the software update mechanism of M.E.Doc – a Ukrainian tax preparation program that, according to F-Secure analyst Mikko Hyppönen, “appears to be de facto” among companies doing business in the country – had been compromised to spread the malware.
The code that the hackers pushed out was designed to spread automatically, rapidly, and indiscriminately. Within hours of its first appearance, NotPetya extended beyond Ukraine and out to numerous servers around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelēz, and manufacturer Reckitt Benckiser, among others.
The result was more than $10 billion in total damages, according to a White House assessment confirmed to WIRED by former Homeland Security adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-focused official. Bossert and US intelligence agencies also confirmed in February that Russia’s military—the prime suspect in any cyberwar attack targeting Ukraine—was responsible for launching the malicious code. “It was the equivalent of using a nuclear bomb to achieve a small tactical victory,” Bossert said. At the time, the White House called the NotPetya attack the “most destructive and costly cyber-attack in history”.
What’s happening in 2022
The current escalation of tensions between Russia and Ukraine – and potential involvement from other NATO countries, including the US – has increased the potential of more damaging and costly cyber attacks against Ukraine as well as the US. We’ve already seen a cyber attack on about 70 Ukrainian government websites in January, which Ukraine officials blamed on Russian hackers.
Given the tensions, and the US involvement in those tensions, various agencies are warning US companies about potential new cyber attacks launched directly at the US.
“We assess that Russia would consider initiating a cyber attack against the Homeland if it perceived a US or NATO response to a possible Russian invasion of Ukraine threatened its long-term national security,” according to a Department of Homeland Security (DHS) Intelligence and Analysis bulletin sent to law enforcement agencies around the country. Russia, DHS said, has a “range of offensive cyber tools that it could employ against US networks,” and the attacks could range from a low-level denial of service attack to “destructive” attacks targeting critical infrastructure.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued two recent alerts to all US companies addressing risks from Russian-sponsored cyber threats, highlighting that the recent cyber incidents in Ukraine involve destructive malware similar to what has been deployed previously. CISA is encouraging senior leaders to “take urgent, near-term steps to reduce the likelihood and impact of a potentially damaging compromise.”
The FBI is also asking US businesses to report any uptick in Russian hacking threats and told US firms to email the bureau if they had found “any increased [cyber] activity against Ukraine or US critical infrastructure,” including against financial, healthcare, and energy companies.
Why is this important?
Given that the Russia-Ukraine situation could continue to escalate, and that Russian hacking efforts could be aimed directly at US interests because of US involvement in the conflict, an even more destructive and costly cyber attack on US companies than the NotPetya attack of 2017 is possible.
What does this mean to me?
Your systems and data may be under attack like never before. Your organization needs key controls to protect against attacks, to identify and protect key sensitive data within the organization, to identify attempted attacks quickly, and to be ready to respond should an incident occur.
- Apply patches for the 16 most common vulnerabilities used by APT threat actors (see the Joint Cybersecurity Advisory technical details)
- Multi-Factor Authentication (MFA)
- Incident Response Plan
- Tabletop exercises
- Technology review to ensure effective monitoring, alerting, and logging: SIEM, EDR, MDR, IPS, log aggregation, threat monitoring
- Segregation of backups
- Up-to-date DR/BCP (Data Recovery/Business Continuity) plan