Posts

[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

Companies Victimized by Repurposed NSA Tools Don’t Share Those Details with Government

Reporting on an appearance by acting DHS undersecretary for the National Protection and Programs Directorate Christopher Krebs, CyberScoop explains that the government only heard from six victims of the WannaCry and NotPetya ransomware outbreaks (two known major victims are Maersk shipping, which had to shut down multiple terminals in the US, and the US law firm DLA Piper).

Christopher Krebs, acting undersecretary for the National Protection and Programs Directorate, told an audience of cybersecurity professionals Wednesday that the biggest issue with both incidents came from an absence of reports from businesses who were affected. While experts say that WannaCry and NotPetya disrupted business operations at American companies, it’s not clear how many enterprises were damaged or to what degree.

The government wanted to collect more information from affected companies in order to better assess the initial infection vector, track the spread of the virus and develop ways to deter similar future attacks.

Collecting data from victim organizations was important, a senior U.S. official who spoke on condition of anonymity told CyberScoop, because the information could have been used to inform policymakers about the perpetrator of the attack and potential responses

The rest of the story explains that private companies are generally reluctant to share details of being a ransomware victim (particularly if a company pays the ransom, there are even legal reasons for that).

But it doesn’t consider another factor. If a cop left his gun lying around and some nutjob stole the gun and killed a kid with it, how likely is that family going to trust the cop in question, who indirectly enabled the murder?

The same problem exists here. Having proven unable to protect its own powerful tools (this is more a factor in WannaCry than NotPetya, though it took some time before people understood that the latter didn’t rely primarily on the NSA’s exploit), the government as a whole may be deemed less trustworthy on efforts to respond to the attack.

Whether that was the intent or just a handy side benefit for the perpetrators of WannaCry (and of Shadow Brokers, who released the exploit) remains unclear. But the effect is clear: attacking people with NSA tools may undermine the credibility of the government, and in the process, its ability to respond to attacks.

Does Maersk Count as US Critical Infrastructure?

I Back when Sony Pictures got hacked after Sony Everything Else had been hacked serially over the course of 15 years, the US government declared that multinational studio owned by a Japanese parent US critical infrastructure entitled to heightened cybersecurity protection. That’s one of the bases for which the US imposed sanctions on North Korea. The designation also ramped up the ways in which FBI could help Sony.

The listing of a multinational movie studio as critical infrastructure led many people to understand just how broad the definition of CI is in the US, including (in the same Commercial Facilities Sector) a bunch of things that might better be called soft targets.

  • Entertainment and Media (e.g., motion picture studios, broadcast media).
  • Gaming (e.g., casinos).
  • Lodging (e.g., hotels, motels, conference centers).
  • Outdoor Events (e.g., theme and amusement parks, fairs, campgrounds, parades).
  • Public Assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers).
  • Real Estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage).
  • Retail (e.g., retail centers and districts, shopping malls).
  • Sports Leagues (e.g., professional sports leagues and federations).

That’s when I learned that DHS was on the hook for protecting Yogi Bear Jellystone and KOA campground facilities around the country from cyberattack.

Since 2014, DHS belatedly added one thing to its critical infrastructure designation: elections. Though DHS doesn’t appear to have updated the website to reflect that designation yet (though maybe I’m missing it; I’ll call tomorrow to ask them where it is).

Anyway, the global impact of the NotPetya (which I’ll henceforth call Nyetna, because that’s my favorite name for it) attack, particularly its impact on Danish shipping giant Maersk, has me wondering whether anything Nyetna affected counts as would count as critical infrastructure. The impact on Maersk has had significant effect at several ports in the US.

Danish shipping giant A.P. Moller-Maersk, one of the global companies hardest hit by the malware, said Thursday that most of its terminals are now operational, though some terminals are “operating slower than usual or with limited functionality.”

Problems have been reported across the shippers’ global business, from Mobile, Alabama, to Mumbai in India. When The Associated Press visited the latter city’s Jawaharlal Nehru Port Trust on Thursday, for example, it witnessed several hundred containers piled up at just two yards, out of more than a dozen yards surrounding the port.

“The vessels are coming, the ships are coming, but they are not able to take the container because all the systems are down,” trading and clearing agent Rajeshree Verma told the AP. “The port authorities, they are not able to reply (to) us. The shipping companies they also don’t know what to do. … We are actually in a fix because of all this.”

Probably the most important impact was on Maersk’s terminal in LA.

A cyberattack that infected computers across Europe and then spread into the United States halted operations at the Port of Los Angeles’ largest terminal Tuesday — and raised worries that destructive software could ricochet around the world and disrupt the critical supply chain.

APM Terminals — where Danish shipping carrier A.P. Moller-Maersk operates — turned truckers away all day, as did their terminals in Rotterdam, New York and New Jersey.

So does Maersk, and the 18% of global container shipping business it carries, count as US critical infrastructure?

Given that Maersk, not the several ports affected, is the victim, it’s not clear. Here’s how DHS defines the CI aspect of maritime shipping.

  • Maritime Transportation System consists of about 95,000 miles of coastline, 361 ports, more than 25,000 miles of waterways, and intermodal landside connections that allow the various modes of transportation to move people and goods to, from, and on the water.

But if Sony can count as US CI, it seems Maersk (or any comparable shipping giant) should as well.

It may not matter, as the Executive Branch seems to be hiding even further under their bed than they were after the WannaCry attack, with this being the one mention of the hack from the White House.

SECRETARY PERRY:  So let’s get over on the grid.  Obviously, the Department of Energy has a both scientific, they have a historic reason to be involved with that.  One is that, at one of our national labs, we have a test grid of which we are able to go out — one of the reasons that the Department of Homeland Security and DOE is involved with grid security is that DOE operates a substantial grid — a test grid, if you will — where we can go out and actually break things.  We can infest it with different viruses and what have you to be able to analyze how we’re going to harden our grid so that Americans can know that our country is doing everything that it can to protect, defend this country against either cyberattacks that would affect our electrical security or otherwise.

So the ability for us to be able to continue to lead the world — I think we all know the challenges.  We saw the reports as late as today of what’s going on in Ukraine.  And so protecting this country, its grid against not just cyber, but also against physical attacks, against attacks that may come from Mother Nature, weather-related events — all of that is a very important part of what DOE, DHS is doing together.

DHS is preoccupied rolling out Muslim Ban 3.0 and other flight restrictions.

By all appearances, Nyetna primarily targeted Ukraine. But in hitting Ukraine, it significantly disabled one of the key cogs to the global economy, the world’s biggest container shipping company. Does that count as an attack on the US, or at least its critical infrastructure?

Update: I’ve confirmed that “shipping lines” are included in Maritime Transportation. So Maersk would seem to count as critical infrastructure.

 

Minority Report: An Alternative Look at NotPetya

NB: Before reading:

1) Check the byline — this is NotMarcy;

2) Some of this content is speculative;

3) This is a minority report; I’m not on the same paragraph and perhaps not the same page with Marcy.

Tuesday’s ‘Petya/Petna/NotPetya’ malware attacks generated a lot of misleading information and rapid assumptions. Some of the fog can be rightfully blamed on the speed and breadth of infection. Some of it can also be blamed on the combined effect of information security professionals discussing in-flight attacks in full view of the public who make too many assumptions.

There’s also the possibility that some of the confusing information may have been deliberately generated to thwart too-early intervention. If this isn’t criminal hacking but cyber warfare, propaganda should be expected as in all other forms of warfare. Flawed assumptions, too, can be weaponized.

A key assumption worth re-examining is that Ukraine was NotPetya’s primary target rather than collateral damage.

After the malware completed its installation and rebooted an infected machine, a message indicated files had been encrypted and payment could be offered for decryption.

Thousands of dollars were paid $300 at a time in cryptocurrency but a decryption key wouldn’t be forthcoming. Users who tried to pay the ransom found the contact email address hosted by Posteo.net had been terminated. The email service company was unhelpful bordering on outright hostile in its refusal to assist users contacting the email account holder. It looked like a ransom scam gone very wrong.

As Marcy noted in her earlier post on NotPetyna, information security expert Matt Suiche posted that NotPetya was a wiper and not ransomware. The inability of affected users to obtain decryption code suddenly made perfect sense. ‘Encrypted’ files are never going to be opened again.

It’s important to think about the affected persons and organizations and how they likely responded to the infection. If they didn’t already have a policy in place for dealing with ransomware, they may have had impromptu meetings about their approach; they had to buy cryptocurrency, which may have required a crash DIY course in how to acquire it and how to make a payment — scrambling under the assumption they were dealing with ransomware.

It all began sometime after 10:30 UTC/GMT — 11:30 a.m. London (BDT), 1:30 p.m. Kyiv and Moscow local time, even later in points across Russia farther east.

(And 4:30 a.m. EDT — well ahead of the U.S. stock market, early enough for certain morning Twitter users to tweet about the attack before America’s work day began.)

The world’s largest shipping line, Maersk, and Russia’s largest taxpayer and oil producer Rosneft tweeted about the attack less than two hours after it began.

By the end of the normal work day in Ukraine time, staff would only have just begun to deal with the ugly truth that the ransom may have been handed off and no decryption key was coming.

As Marcy noted, June 28th is a public holiday in Ukraine — Constitution Day. I hope IT folks there didn’t have a full backup scheduled to run going into the holiday evening — one that might overwrite a previous full backup.

The infection’s spread rate suggested early on that email was not the only means of transmission, if it had been spread at all by spearfishing. But many information security folks advocated not opening any links in email. A false sense of security may have aided the malware’s dispersion; users may have thought, “I’m not clicking on anything, I can’t get it!” while their local area network was being compromised.

And then it hit them. While affected users sat at their machines reading fake messages displayed by the malware, scrambling to get cryptocurrency for the ransom, NotPetya continued to encrypt files under their noses and spread across business’s local area networks. Here’s where Microsoft’s postmortem is particularly interesting; it not only gives a tick-tock of the malware’s attack on a system, but it lists the file formats encrypted.

Virtually everything a business would use day to day was encrypted, from Office files to maps, website files to emails, zip archives and backups.

Oh, and Oracle files. Remember Oracle pushed a 299 vulnerability mega-patch on April 19, days after ShadowBrokers dumped some NSA tools? Convenient, that; these vulnerabilities were no longer a line of attack except through file encryption.

While information security experts have done a fine job tackling a many-headed hydra ravaging businesses, they made some rather broad assumptions about the reason for the attack. Kaspersky concluded the target was Ukraine since ~60% of infected devices were located there though 30% were located in Russia. But the malware’s aim may not have been the machines or even the businesses affected in Ukraine.

What did those businesses do? What they did required tax application software MEDoc. If the taxes to be calculated were based on business’s profits — (how much did they make) X (tax rate) — they hardly needed tax software. A simple spreadsheet would suffice, or the calculation would be built into accounting software.

No, the businesses affected by the malware pushed at 10:30 GMT via MEDoc update would be those which sold goods or services frequently, on which sales tax would have been required for each transaction.

What happens when a business’s sales can’t be documented? What happens when their purchases can’t be documented, either?

Which brings me to the affected Russian businesses, specifically Rosneft. There’s not much news published in English detailing the impact on Rosneft; we’ve only got Kaspersky’s word that 30% of infections affected Russian machines.

But if Rosneft is the largest public oil company in the world, Russia’s largest taxpayer as Rosneft says on their Twitter profile, it may not take very many infections to wreak considerable damage on the Russian economy. Consider the ratio of one machine invoicing the shipment of entire ocean tanker of oil versus many machines billing heating oil in household-sized quantities.

And if Rosneft oil was bought by Ukraine and resold to the EU, Ukraine’s infected machines would cause a delay of settlements to Russia especially when Rosneft must restore its own machines to make claims on Ukrainian customers.

The other interesting detail in this malware story is that the largest container line in the world, Maersk, was also affected. You may have seen shipping containers on trucks, trains, in shipyards and on ships marked in bold block letters, MAERSK. What you probably haven’t seen is Maersk’s energy transport business.

This includes shipping oil.

It’s not Ukraine’s oil Maersk ships; most of what Ukraine sells is through pipelines running from Russia in the east and mostly toward EU nations in the west.

It’s Russian oil, probably Rosneft’s, shipping overseas. If it’s not in Maersk container vessels, it may be moving through Maersk-run terminal facilities. And if Maersk has no idea what is shipping, where it’s located, when it will arrive, it will have a difficult time settling up with Rosneft.

Maersk also does oil drilling — it’s probably not Ukraine to whom Maersk may lease equipment or contract its services.

Give the potential damage to Russia’s financial interests, it seems odd that Ukraine is perceived as the primary target.

 

NotPetya’s attack didn’t happen in a vacuum, either.

A report in Germany’s Die Welt reported the assassination of Ukraine’s chief of intelligence by car bomb. The explosion happened about the same time that Ukraine’s central bank reported it had been affected by NotPetya — probably a couple hours after 10:30 a.m. GMT.

On Monday, privately-owned Russian conglomerate Sistema had a sizable chunk of assets “arrested” — not seized, but halted from sale or trading — due to a dispute with Rosneft over $2.8 billion dollars. Rosneft claims Sistema owes it money from the acquisition of oil producer Bashneft, owned by Sistema until 2014. Some of the assets seized included part of mobile communications company MTS. It’s likely this court case Rosneft referred to in its first tweet related to NotPetya.

The assassination’s timing makes the cyber attack look more like NotPetya was a Russian offensive, but why would Russia damage its largest sources of income and mess with its cash flow? The lawsuit against Sistema makes Rosneft appear itchy for income — Bashneft had been sold to the state in 2014, then Rosneft bought it from the state last year. Does Rosneft need this cash after the sale (or transfer) of a 19.5% stake worth $10.2 billion last year?

Worth noting here that Qatar’s sovereign wealth fund financed the bulk of the deal; commodities trader Glencore only financed 300 million euros of this transaction. How does the rift between other Middle Eastern oil states and Qatar affect the value of its sovereign wealth fund?

In her previous post, Marcy spitballed about digital sanctions — would they look like NotPetya? I think so. I can’t help recall this bit at the end of the Washington Post’s opus on Russian election interference published last week on June 23:

But Obama also signed the secret finding, officials said, authorizing a new covert program involving the NSA, CIA and U.S. Cyber Command.

[…]

The cyber operation is still in its early stages and involves deploying “implants” in Russian networks deemed “important to the adversary and that would cause them pain and discomfort if they were disrupted,” a former U.S. official said.

The implants were developed by the NSA and designed so that they could be triggered remotely as part of retaliatory cyber-strike in the face of Russian aggression, whether an attack on a power grid or interference in a future presidential race.

I’m sure it’s just a coincidence that NotPetya launched Tuesday this week. This bit reported in Fortune is surely a coincidence, too:

The timing and initial target of the attack, MeDoc, is sure to provoke speculation that an adversary of Ukraine might be to blame. The ransomware hid undetected for five days before being triggered a day before a public Ukrainian holiday that celebrates the nation’s ratification of a new constitution in 1996.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s (CSCO, +1.07%) Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware.” [boldface mine]

Indeed.

Two more things before this post wraps: did anybody notice there has been little discussion about attribution due to characters, keyboards, language construction in NotPetya’s code? Are hackers getting better at producing code without tell-tale hints?

Did the previous attacks based on tools released by the Shadow Brokers have secondary — possibly even primary — purposes apart from disruption and extortion? Were they intended to inoculate enterprise and individual users before a destructive weapon like NotPetya was released? Were there other purposes not obvious to information security professionals?