Ukrainian Spooks Call in FBI, NCA and Europol

Written by

Ukrainian security service SBU has reached out to the FBI, the UK’s National Crime Agency (NCA), Europol and others in a bid to establish who was behind this week’s ‘Petya’ ransomware outbreak.

In a brief statement, the SBU claimed it is also working with “special services of foreign countries and international organizations” in a joint effort to get to the bottom of the hugely damaging attack campaign.

Interestingly, the security service branded the attack an “act of cyber-terrorism”.

It explained:

“The SBU specialists in cooperation with the experts of FBI USA, NCA of Great Britain, Europol and also leading cyber security institutions, conduct coordinated joint events on localization of damaging software PetyaA distribution, final definition of methods of this act of cyberterrorism, establishing of the attack sources, its executors, organizers and paymaster.”

The means of propagation, “activation” and operation have already been identified, which means that teams are currently focused on “the search of possibilities for data decoding and groundwork of guidelines for prevention of virus distribution, neutralization of other negative consequences of this emergency.”

The Ukraine was particularly badly hit by the outbreak, with Eset claiming three-quarters (75%) of victims are within the country.

This threat appears to use various propagation methods, including the EternalBlue exploit utilized by WannaCry. It also uses legitimate tools PsExec and Windows Management Instrumentation Command-line (WMIC), plus Windows security tool Mimikatz to extract log-ins, to help spread laterally.

However, some analysts have claimed that in Ukraine, a compromised update to popular local accounting software MeDoc was used as an initial infection vector, with the country branded “patient zero” by Bitdefender.

In addition, Kaspersky Lab had this:

“The most significant discovery to date is that the Ukrainian website for the Bakhmut region was hacked and used to distribute the ransomware to visitors via a drive-by-download of the malicious file. To our knowledge no specific exploits were used in order to infect victims. Instead, visitors were served with a malicious file that was disguised as a Windows update.”

Despite the best intentions of the SBU and its global law enforcement allies, it would be highly unusual if they were able to definitively attribute the initial threat to a specific source.

What’s hot on Infosecurity Magazine?