ON THE DIGITAL FRONT LINE: A CYBERSECURITY EXPERT ON NOTPETYA

June 25, 2021

"The month prior to NotPetya, a similar attack (called WannCry) unfolded on a similar scale using similar methods. So my first reaction was, "Here we go again." I was afraid at the time that those types of attacks would become a regular occurrence." Beau Wood, Senior Advisor, US Cybersecurity and Infrastructure Agency (CISA) The NotPetya Cyberattack Attributed to: Russia, Start date: June 27, 2017, Type: Trojan

On June 27, 2017, a state-sponsored cyberattack spread across Ukraine before spilling over to 65 other countries, crippling private business operations, cancelling thousands of medical appointments, and disrupting the worldwide supply chain. Considered the most devastating cyberattack in history, the Russian-backed NotPetya attack caused roughly $10 billion in financial damages, impacted the distribution of life-saving medicine, and rattled the global community.

To better understand the NotPetya incident on its fourth anniversary, we spoke with Beau Woods, Senior Advisor at the United States Cybersecurity and Infrastructure Agency (CISA) within the Department of Homeland Security, who found himself on the front lines of this world-shaking cyberattack. 

Digital Peace Now: In  simple  terms, what exactly  was NotPetya? How did it  disrupt  computers, spread, and, ultimately, impact  daily lives?  
 
Beau Woods: NotPetya is malicious software designed to spread across organizations’ internal networks and render computers unusable, initially deployed through software used to file Ukrainian taxes. While NotPetya would have obviously affected Ukrainian businesses, it also affected organizations globally due to the interconnected nature of modern markets and computer networks. The attack caused outages for manufacturing and shipping, halting production of vaccines and delivery of medication to hospitals, for instance. 

What was the most concerning  aspect  of the  NotPetya  incident?  

Everyone takes away a different concerning aspect from NotPetya. For me, it was the widescale harm that could be done by dependence on common software platforms in absence of some basic security practices. 

Can you describe  your and your  colleagues’  initial  reactions  to  NotPetya  as it unfolded?  

The month prior to NotPetya, a similar attack (called WannaCry) unfolded on a similar scale using similar methods. So, my first reaction was, “Here we go again.” I was afraid at the time that those types of attacks would become a regular occurrence. While the same conditions persist that enabled both WannaCry and NotPetya, adversaries have used them for other purposes, such as the proliferation of ransomware. 

Can you explain  the  cybersecurity response  used to mitigate  NotPetya  and how this incident has helped inform future incident response efforts? 

NotPetya spread through known but unmitigated software code vulnerabilities, for which patches were available, and through the use of shared credentials across the network. Those practices are still endemic across the industry, like dry leaves on a forest floor waiting for another spark to ignite them. This is why CISA works to proliferate better practices among organizations – to avoid similar issues in the future.  

After NotPetya successfully executed and locked up the computer it resides on, the only successful way to recover is to wipe the data and reinstall everything from backups. So we did see an increased focus on backup and restoration capabilities. 

In your view, what type of cyber defense and resiliency efforts have surfaced across the public and private sectors in response to  NotPetya?   

For many organizations, the specter of NotPetya catalyzed corrective action, especially for those directly impacted. At the public policy level, the US and other countries invested heavily in efforts to deter adversaries, such as through offensive cyber operations. The adversaries easily shifted to less attributable means to achieving their same objectives. In cybersecurity, offense is no substitute for defense. Fortunately, we also saw organizations like CISA come into being, which can help bolster defensive practices and capabilities in governments and private sector. 

Why should everyday people care about an attack like  NotPetya?   

Destructive attacks shift cybersecurity impacts toward less replaceable assets like human life, public safety, and economic security. For instance, rigorous scientific research has shown that medical devices and clinical systems save lives. Cyberattacks that delay, degrade, or deny our ability to use those systems, therefore, interfere with our ability to save lives. During a global pandemic, these effects are especially pronounced. 

Regarding cybersecurity, what’s something that keeps you up at night?  

While we don’t always know what will work to prevent attacks, we know what reliably fails. When we lack the political and organizational will to avoid what we know will cause disruptive failures from accidents and adversaries, we ensure that they will persist. Fortunately, CISA has resources that can help organizations learn and improve, such as our ransomware resources, our security alerts, and regional cybersecurity advisors

Thank you so much for your time! 

Were you directly impacted by the NotPetya cyberattack? If so, we want to hear from you! Email us at [email protected] or let us know on Twitter using the hashtag #DigitalPeaceNow.