NotPetya: Why Would Russia Target Kaspersky AV?

With the backing of a bunch of security companies, both the US and Ukraine are getting closer to formally blaming Russia for the NotPetya attack last week on the same hackers that brought down the power grid in 2015.

But there are skeptics. Rob Graham suggests this analysis all suffers from survivorship bias. And Jonathan Nichols argues the attack was so easy pretty low level hackers could have pulled it off.

Nichols also raises a point that has been puzzling me. The attack does extra damage if it detects the Kaspersky Antivirus.

Much has been made about the fact that the NotPetya virus appears to have been designed as a wiper, and not as a genuine piece of ransomware. The virus also checks for avp.exe (Kaspersky Antivirus) and then wipes the bootsector of any device with the file present.

[snip]

Further, the specific targeting of Kaspersky Antivirus harkens back to the vindictive nature of low level cyber criminals, such as those which famously write hate messages to Kaspersky and Brian Krebs regularly.

There may be a good reason to do this (such as, if Kaspersky dominates the AV market in Ukraine, it would provide an additional way to target Ukraine specifically, though that would seem to also implicate Russian companies, like Rosneft, that were hit by NotPetya as well). But absent such a reason, why would Russia selectively do more damage to victims running Kaspersky, especially at a moment with the US is so aggressively trying to taint Kaspersky as a Russian front?

As a reminder, back in January when Shadow Brokers claimed to be disappearing forever, they called out Kaspersky specifically in a dump of dated Windows files (SB trolled Kaspersky even more on Twitter, though deleted all those old tweets last week).

Before go, TheShadowBrokers dropped Equation Group Windows Warez onto system with Kaspersky security product. 58 files popped Kaspersky alert for equationdrug.generic and equationdrug.k TheShadowBrokers is giving you popped files and including corresponding LP files.

So not just cybercriminals with a grudge against Kaspersky for cooperating with western law enforcement, but the source of some of the exploits used in this attack, has targeted Kaspersky in the past.

I don’t know the answer. But it’s one counterargument to the rush to blame Russia that, in my opinion, needs some answers.

Marcy Wheeler is an independent journalist writing about national security and civil liberties. She writes as emptywheel at her eponymous blog, publishes at outlets including Vice, Motherboard, the Nation, the Atlantic, Al Jazeera, and appears frequently on television and radio. She is the author of Anatomy of Deceit, a primer on the CIA leak investigation, and liveblogged the Scooter Libby trial.

Marcy has a PhD from the University of Michigan, where she researched the “feuilleton,” a short conversational newspaper form that has proven important in times of heightened censorship. Before and after her time in academics, Marcy provided documentation consulting for corporations in the auto, tech, and energy industries. She lives with her spouse in Grand Rapids, MI.

14 replies
  1. SpaceLifeForm says:

    Jonathan Nichols notes:

    Ukrainian Cyber Police have published that at about 10:30 am GMT Tuesday (27 July 2017) M.E.Doc software on client machines ran a routine automatic update.

    [Curious who got the month wrong. SB June]

    [Also a strange time of workday to do automatic updates]

  2. SpaceLifeForm says:

    Scenario:

    Hacker group wants to deploy some malware using some EQG tools, but some of tools will not deploy on a machine with Kasperky AV running per above SB comments. Imagine the tools they want to deploy are intended for some kind of APT, I.E., they want some kind of persistent rootkit deployed on at least one machine used by some target group.

    A catch-22 type of situation.

    But, the hacking group has another tool at it’s disposal, I.E., NotPetya in this case. The wiper.

    So, if the hacking group can cause enough wipes inside the target group, there will be a fairly large window of time to do that recovery.

    Now, it is not that the target group will not be able to recover, but that unless IT procedures are exceptionally solid, within that window of recovery time, machines may come back up that can be exploited because the antivir is not active yet.

    It depends on the IT procedures. But in a panic, procedures may not be followed properly.

    Nutshell: Cause major IT disruption, while IT staff is jumping thru hoops, deploy APT.

    Was Wannacry just a test run for NotPetya?

    Or was NotPetya a second pass to infect LANs that Wannacry did not infect?

    • SpaceLifeForm says:

      Not SB exploits, really attributed to NSA. Unless you believe SB is really an NSA op (I do not believe that is the case at this time). Very well could be though. If so, SB is doing a very good job of misdirection. Could be CIA, they are good at misdirection too.

      As to the antivir question, initially 3 out of 11 antivir products stopped wannacry. Well, stopped EternalBlue and/or DoublePulsar. Then more antivir vendors fixed their code to catch.

      Kasperky was one of the first three.

      • lefty665 says:

        I understand the origins and agree that it is unlikely NSA has exposed their own tools. They’d be happy to  return to the days when they were “No Such Agency”.  Not so sure about CIA being masters of misdirection, but that is part of their business.

        SB is using or distributing NSA’s tools. In that sense it is their exploits now, sorry if I was not clear before.  If Kaspersky was unique, or early, in gumming up the works it might help explain SB or whoever’s case of the ass targeted at them.  Thanks for letting me know that they were.

  3. SpaceLifeForm says:

    Old news now, few days but pertinent.

    https://eugene.kaspersky.com/2017/06/30/keeping-cybersecurity-separate-from-geopolitics/

    Obviously, as a private company, Kaspersky Lab and I have no ties to any government, and we have never helped, nor will help, any government in the world with their cyber-espionage efforts (cyber-espionage is what we’re fighting!). While I find these ongoing accusations and false allegations extremely frustrating, I’ve noticed that all the attacks possess a few things in common, including:

    A complete lack of evidence;
    Conspiracy theories and pure speculation;
    Assumptions reported as irrefutable facts;
    Anonymous sources;
    Manipulation of widely-known facts.

  4. drouse says:

    I think it was more of a case of killing two birds with on stone. As far a I can tell, there isn’t a lot of difference between cyber-criminal and  government contractor in Russia. Rapping Kaspersky’s knuckles was probably just a bonus. Then there was that treason thing, so it might of been a sign of official but covert disapproval..

    • lefty665 says:

      A twofer makes sense. Sort of “Oh, and while we’re at it your customers get a bonus Kaspersky, a wiped boot sector too. Be a little more careful.” 

      Things aren’t much different the world around, governments pay unpleasant people to do unpleasant things.

  5. Vesselin Bontchev says:

    I am not buying the notion that the Russian government was behind the Petya worm. The ransomware is way too shitty and full of errors and bugs to be the result of a state actor.

    However, I’d like to point out that when Kaspersky AV is present on the system, the ransomware does LESS damage, not more – although I don’t know if this is intentional. Let me explain.

    First, the ransomware encrypts the files. Then it tries to drop the MFT encryptor into the MBR sector. If that fails, or if a process named “avp.exe” (Kaspersky AV) is present, the ransomware overwrites the first 10 sectors on track 0, including the MBR. (There is practically nothing else of value there besides the MBR.) While this may sound bad, it is actually the lesser evil. The MBR can be rebuild using various data recovery tools or even Windows itself (from an installation disk) in recovery mode. Once the partitions are recovered, the user will be able to access the files (just some of them will be encrypted).

    If the ransomware doesn’t do this overwrite, it will instead encrypt the MFT and reboot afterwards. As a result, access to the file system will be lost irrecoverably. Even a file carving tool won’t be able to do much, because the files are encrypted and any tell-tale headers will not be visible.

    • SpaceLifeForm says:

      Then it tries to drop the MFT encryptor into the MBR sector. If that fails, or if a process named “avp.exe” (Kaspersky AV) is present, the ransomware overwrites the first 10 sectors on track 0, including the MBR.

      —-

      Well, it did not matter if some kind of recovery key could be put into the MBR, because the email [email protected] was shut down.

      But I am curious, not having the time to research, but you describe an ‘OR’ condition that is not clear.

      Nor does in make sense.

      Which condition is checied for first?

      Presence of Kaspersky AV?

      Or failure to update MBR?

      It makes no sense that one could not update the MBR with a key, but yet still be able to overwrite the first 10 sectors.

      Makes absolutely no sense.

      Since bootkits can get past Kaspersky Antivir anyway, why would NotPetya even care if Kaspersky Antivir was present or not?

      This is a tell. The purpose of NotPetya was *NOT* to install a bootkit. Which one can recover from with TDSSKiller per Kaspersky website.

      https://support.kaspersky.com/viruses/solutions/2727

      All of the bitcoin from NotPetya already cleared out.

      It is clear, IMNSHO, that Wannacry and NotPetya happened for reasons that are not obvious on first look.

      Distraction from a different attack is most likely.

      Wiping out the first 10 sectors is actually a good way to hide ones tracks from an earlier bootkit infection.

      • SpaceLifeForm says:

        An example would be to hide an earlier Nemesis bootkit. (Marcy, interesting dots at link. Financial, Ransomware)

        https://www.extremetech.com/computing/219027-new-pc-malware-loads-before-windows-is-virtually-impossible-to-detect

        Bootkits offer far more durability for the attacker, but they also destroy any ability to claim innocence — you could maybe claim that a rootkit was installed in good faith, but a bootkit is very specifically designed to fool the user. Any non-criminal enterprise installing a bootkit is running a big financial risk if found out.

        [As I said, Wannacry and NotPetya may have been about covering tracks. I bet there are machines out there that are still are infected. Maybe why M.E.Doc servers siezed. Maybe some panic setting in? Maybe third pass coming this month? Maybe too late to cover all tracks? Maybe I start to sound like SB? :-) ]

  6. SpaceLifeForm says:

    As I expected, if just one machine on your LAN was hit by Wannacry [not proven yet, I admit], and now NotPetya, you can trust none of the machines on your LAN.

    M.E.Doc admits they were backdoored.

    Note: SECOND attack *after* NotPetya

    Note: Signatures on machines that were *NOT* using the M.E.Doc software but on same LAN.

    This is what an APT (Advanced Persistent Threat) looks like. They *KNOW* now that the machines are infected. They *KNOW* that the APT is waiting for a signal.

    DNS is my suspect.

    —-

    Ukraine scrambles to contain new cyber threat after ‘NotPetya’ attack

    http://mobile.reuters.com/article/idUSKBN19Q14P

    M.E. Doc is used by 80 percent of Ukrainian companies and installed on around 1 million computers in the country. Interior Minister Arsen Avakov said police had blocked a second cyber attack from servers hosting the software.

    The company previously denied its servers had been compromised, but when asked on Wednesday whether a backdoor had been inserted, Chief Executive Olesya Bilousova said: “Yes there was. And the fact is that this backdoor needs to be closed.”

    Any computer on the same network as machines using M.E.Doc was now vulnerable to another attack, she said.

    As of today, every computer which is on the same local network as our product is a threat. We need to pay the most attention to those computers which weren’t affected (by last week’s attack),” she told reporters.

    “The virus is on them waiting for a signal. There are fingerprints on computers which didn’t even use our product.”

    Dmytro Shymkiv, deputy head of Ukraine’s presidential administration and a former director of Microsoft in Ukraine, said the latest evidence further pointed to an advanced and well-orchestrated attack.

    “I am looking through the analysis that has been done on the M.E.Doc server, and from what I’m seeing, that’s worrying. Worrying is a very light word for this,” he said. “How many backdoors are still open? We don’t know.”

  7. SpaceLifeForm says:

    M.E.Doc originally apparently hacked via guessed password or stolen SSH keys. Not clear yet. Good clear evidence wiped.

    THCservers based in Romania. Means nada.

    http://blog.talosintelligence.com/2017/07/the-medoc-connection.html?m=1

    The NGINX server had been reconfigured so that any traffic to upd.me-doc.com.ua would be proxied through the update server and to a host in the OVH IP space with an IP of 176.31.182.167. Subsequent investigation found that this server was operated by a reseller, thcservers.com, and that the server had been wiped the same day at 7:46 PM UTC.

Comments are closed.