Ukraine Security Service Blames Russia for 'Petya' Outbreak

Ukrainian security service the SBU has accused the Kremlin of masterminding the recent ‘Petya’ outbreak to cripple its infrastructure.

In a statement issued on Saturday, the SBU said the ransomware itself was simply cover for a destructive cyber-attack aimed at “destabilization of social and political situation in the country”.

It took place last week on 27 June, the day before Ukraine’s Constitution Day, and was focused on “destroying … important data and disorder in state and private institutions of Ukraine for distribution of panic feelings among population”.

The SBU claimed the attackers were Russian special services, the same group it says was behind a sophisticated December 2016 blitz which used TeleBots and BlackEnergy malware to take out key financial, transport and power-generation facilities.

The Ukrainian security service said it had been liaising with law enforcement, international AV companies, software and telecoms providers to get to the bottom of the global attack last week.

Its findings chime with new analysis from ESET, which links the attack to a group known to use Telebots, KillDisk and BlackEnergy.

The attackers modified the Petya code to replace a victim machine’s Master Boot Record in a way that was completely unrecoverable, according to senior malware researcher Anton Cherepanov.

“Specifically, the attacker cannot provide a decryption key and the decryption key cannot be typed in the ransom screen, because the generated key contains non-acceptable characters,” he said.

Although the firm fell short of attributing the attack to Russia, it echoed the SBU’s analysis that the ‘Petya’ outbreak last week was aimed primarily at Ukrainian organizations.

It claimed that it was able to spread out of the country and infect organizations globally because some multi-nationals had VPN links into branch offices or partner organizations inside the Eastern European country.

“The Telebots group continues to evolve in order to conduct disruptive attacks against Ukraine. Instead of spearphishing emails with documents containing malicious macros, they used a more sophisticated scheme known as a supply-chain attack,” concluded Cherepanov.

“Prior to the outbreak, the Telebots group targeted mainly the financial sector. The latest outbreak was directed against businesses in Ukraine, but they apparently underestimated the malware’s spreading capabilities. That’s why the malware went out of control.”
