The latest cyberattacks were carried out by people wanting to destroy information, not hold it ransom. Quite sinister, eh?
A growing number of cybersecurity experts are reaching a consensus about the latest cyberassault that’s hit companies worldwide: It’s not a ransomware attack designed for financial gain. Rather, it’s a “wiper” – a deliberate attempt to inflict sabotage through malware.
This is cyberwar, not cybercrime.
“Wiper” is shorthand for an attack that is aimed to sabotage IT networks.
At IBM’s X-Force security operation, the experts have “concluded that the Petya variant attacks that started on Tuesday, June 27, were intended as destructive attacks against Ukraine, rather than a means for cybercriminals to make money from ransom payouts. In other words, this attack was not focused on financial gain like the ransomware attack it was veiled to be.”
Kapersky Lab, another acknowledged leader in cyber security, agrees.
“We actually consider this a sabotage attack or wiper attack. Whether it is intentional or not, I’ll leave that to others to speculate,” said Juan Andres Guerrero-Saade, a senior security researcher at Kaspersky. “You can’t call an attack, with no possible way of decrypting files, a ransomware attack,” he said.
And so does Cisco:
“Given the circumstances of this attack, [the Cisco] Talos assesses with high confidence that the intent of the actor behind Nyetya was destructive in nature and not economically motivated,”
- VIDEO: To help the world understand the latest attack, watch a presentation at https://www.youtube.com/watch?v=b4RXy7Qja3I
Mike Oppenheim, the Global Research Lead on the IBM X-Force Incident Response and Intelligence Services (IRIS) team, wrote in a blog that the so-called Petya attacks earlier this week “were intended as destructive attacks against Ukraine, rather than a means for cybercriminals to make money from ransom payouts.”
Rather than seek payment, the IBMers says their evidence suggest that the attacks were designed to permanently disable as many machines as possible and that the malware was, in fact, more characteristic of a ‘wiper’ attack (intended to destroy data).”
Not trying to get too technical, the IBMers pointed out “the main factor leading to this conclusion is that the Personal Installation Key provided on the lock screen instructions is randomly generated and incapable of relaying the information the attacker would need to provide the correct Advanced Encryption Standard (AES) decryption key.
“Put simply, the information provided in the ‘ransomware’ is not accurate or relevant to unlocking any affected machine. Additionally, the design of the attack suggests that it was carried out by a technically skilled group of cybercriminals, yet the execution of the ransomware and payment methodology showed little to no expertise or intent to produce financial gains.”
And businesses with operations in the Ukraine were definitely the network footprints targeted for the attack.
“[F]or all active cases that IBM Security is working, the impacted organization suffered due to a footprint in Ukraine,” the IBM team concludes. “While this event was global in scale, IBM’s experience shows a global impact was produced due to the global nature of companies with assets in Ukraine versus genuine global targeting. In fact, ‘patient zero,’ or the initial host for all impacted clients we investigated, were machines based in Ukraine. It is unlikely that financially motivated actors would limit their targeting — especially for a wormlike tool — to one region or country.”
So who is behind the attack?
Got a guess?