On June 27, 2017, a state-sponsored cyberattack spread across Ukraine before spilling over to 65 other countries, crippling private business operations, cancelling thousands of medical appointments, and disrupting the worldwide supply chain. Considered the most devastating cyberattack in history, the Russian-backed NotPetya attack caused roughly $10 billion in financial damages, impacted the distribution of life-saving medicine, and rattled the global community.
To better understand the NotPetya incident on its fourth anniversary, we spoke with Beau Woods, Senior Advisor at the United States Cybersecurity and Infrastructure Agency (CISA) within the Department of Homeland Security, who found himself on the front lines of this world-shaking cyberattack.
Digital Peace Now: In simple terms, what exactly was NotPetya? How did it disrupt computers, spread, and, ultimately, impact daily lives?
Beau Woods: NotPetya is malicious software designed to spread across organizations’ internal networks and render computers unusable, initially deployed through software used to file Ukrainian taxes. While NotPetya would have obviously affected Ukrainian businesses, it also affected organizations globally due to the interconnected nature of modern markets and computer networks. The attack caused outages for manufacturing and shipping, halting production of vaccines and delivery of medication to hospitals, for instance.
What was the most concerning aspect of the NotPetya incident?
Everyone takes away a different concerning aspect from NotPetya. For me, it was the widescale harm that could be done by dependence on common software platforms in absence of some basic security practices.
Can you describe your and your colleagues’ initial reactions to NotPetya as it unfolded?
The month prior to NotPetya, a similar attack (called WannaCry) unfolded on a similar scale using similar methods. So, my first reaction was, “Here we go again.” I was afraid at the time that those types of attacks would become a regular occurrence. While the same conditions persist that enabled both WannaCry and NotPetya, adversaries have used them for other purposes, such as the proliferation of ransomware.
Can you explain the cybersecurity response used to mitigate NotPetya and how this incident has helped inform future incident response efforts?
NotPetya spread through known but unmitigated software code vulnerabilities, for which patches were available, and through the use of shared credentials across the network. Those practices are still endemic across the industry, like dry leaves on a forest floor waiting for another spark to ignite them. This is why CISA works to proliferate better practices among organizations – to avoid similar issues in the future.
After NotPetya successfully executed and locked up the computer it resides on, the only successful way to recover is to wipe the data and reinstall everything from backups. So we did see an increased focus on backup and restoration capabilities.
In your view, what type of cyber defense and resiliency efforts have surfaced across the public and private sectors in response to NotPetya?
For many organizations, the specter of NotPetya catalyzed corrective action, especially for those directly impacted. At the public policy level, the US and other countries invested heavily in efforts to deter adversaries, such as through offensive cyber operations. The adversaries easily shifted to less attributable means to achieving their same objectives. In cybersecurity, offense is no substitute for defense. Fortunately, we also saw organizations like CISA come into being, which can help bolster defensive practices and capabilities in governments and private sector.
Why should everyday people care about an attack like NotPetya?
Destructive attacks shift cybersecurity impacts toward less replaceable assets like human life, public safety, and economic security. For instance, rigorous scientific research has shown that medical devices and clinical systems save lives. Cyberattacks that delay, degrade, or deny our ability to use those systems, therefore, interfere with our ability to save lives. During a global pandemic, these effects are especially pronounced.
Regarding cybersecurity, what’s something that keeps you up at night?
While we don’t always know what will work to prevent attacks, we know what reliably fails. When we lack the political and organizational will to avoid what we know will cause disruptive failures from accidents and adversaries, we ensure that they will persist. Fortunately, CISA has resources that can help organizations learn and improve, such as our ransomware resources, our security alerts, and regional cybersecurity advisors.
Thank you so much for your time!