Darknet Diaries - 54: NotPetya

Episode Date: December 24, 2019

The story of NotPetya seems to be the first time we see what a cyber war looks like. In the summer of 2017 Ukraine suffered a serious and catastrophic cyber attack on their whole country. Hear how it went down, what got hit, and who was responsible.

Guest
Thanks to Andy Greenberg for his research and sharing this story. I urge you to get his book Sandworm because it's a great story.

Sponsors
This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2019 to get a $20 credit on your next project.
Support for this episode comes from Honeybook. HoneyBook is an online business management tool that organizes your client communications, bookings, contracts, and invoices, all in one place. Visit honeybook.com/darknet to get 50% off your subscription.
This episode was sponsored by CMD. Securing Linux systems is hard; let CMD help you with that. Visit cmd.com/dark to get a free demo.

For more show notes visit darknetdiaries.com/episode/54.

Transcript
Starting point is 00:00:00 Hey, before we get started, check out the episode right before this one. It's called Shadow Brokers. It kind of sets you up for this one. This is the story of NotPetya, and it took place in the spring of 2017. There was some weird tension between the U.S. and Russia during that time. Donald Trump was president of the U.S., and it's widely known that the Russians used the internet to meddle with the election. I mean, the FBI has indicted 12 hackers who are working with the Russian government that have allegedly hacked
Starting point is 00:00:28 the DNC and Clinton's email servers, which had a critical role in the 2016 election. The relationship between Trump and Putin is weird and mysterious. A ton of allegations are floating around that a lot of back-channel support is given to Trump from Russia. But what is clear is that Russia likes to quarrel with Ukraine. They've been fighting over things for a long time, but in the last eight years, things have really heated up. Russia decided to take a territory of land from Ukraine called Crimea. And besides that, Russia has been deploying troops into Ukraine, pretty much occupying the area. Like, the stuff going on in the Donbass region is just crazy. This made
Starting point is 00:01:05 tensions between Russia and Ukraine even more elevated. And now, for like the last six years, Russian troops are still occupying places of Ukraine. This was the most blatant land grab in Europe since World War II, and it all happened in the last half decade. But taking over a large region of Ukraine and occupying them with troops was not the extent of what Russia did to Ukraine. There's so much more terrifying and scary stuff that Russia has done to Ukraine over the internet. In fact, in this rare case, I'll even go so far as to say this is a cyber war. These are true stories from the dark side of the internet. I'm Jack Rhysider.
Starting point is 00:02:11 This is Dark by Delete Me. I know a bit too much about how scam callers work. They'll use anything they can find about you online to try to get at your money. And our personal information is all over the place online. Phone numbers, addresses, family members, where you work, what kind of car you drive. It's endless. And it's not a fair fight. But I realize I don't need to be fighting this alone anymore. Now I use the help of Delete.me.
Starting point is 00:02:32 Delete.me is a subscription service that finds and removes personal information from hundreds of data brokers' websites. And continuously works to keep it off. Data brokers hate them. Because Delete.me makes sure your personal profile is no longer theirs to sell. I tried it and they immediately got busy scouring the internet for my name and gave me reports on what they found. And then they got busy deleting things. It was great to have someone on my team when it comes to my privacy. Take control of your data and keep your private life private by signing up for Delete.me. Now at a special discount for Darknet Diaries listeners. Today, get 20% off your Delete.me plan when you go to join deleteme.com Thank you. That's join, delete me, dot com, slash, Darknet Di of this book, Sandworm. A few years back, Wired asked Andy to investigate
Starting point is 00:03:45 whether or not there's been a hack so devastating that it would be considered a cyber war. And Andy found some very interesting stuff going on in Ukraine at that time and decided to look there. He got to work researching this and was finding the story was just getting deeper and bigger than he expected. He found so much stuff that he decided to not just write a magazine article about it, but instead a whole book. I've been working on this book, Sandworm, since about late 2016. And it tells the kind of unfolding story of the cyber war in Ukraine. And in the midst of that, NotPetya happens, this biggest cyber attack in history.
Starting point is 00:04:20 So I was kind of primed to investigate that. And then I spent probably nine months of the book research time digging into NotPetya specifically, trying to find really everyone who was willing to talk about the experience of witnessing NotPetya unfold, being a victim of this global cyber attack, experts who pulled apart the code, forensic analysts who tied it back to known hacker crews. This is really the story at the heart of the book that I've been working on for about three years. So let's get into what Andy found in his years of research, which led him to NotPetya, the biggest cyber attack in history. Now, I'm pretty sure the goal of this was to create a devastating worm. And a worm is a virus that will self-replicate
Starting point is 00:05:11 and spread among many other computers in the network, infecting them too. And then after it spread, they wanted to take that computer offline permanently, basically destroying it and everything on it. So to accomplish this, they needed a few hacker tools. Now, these hackers had a plan for how to get their worm onto computers initially, and we'll get into that later. But now let's think, once you get your worm onto just one computer in a network, how can you get it to spread to many others? And whatever method you use, you want it to work very well, meaning you don't want it to be stopped by someone who's just patched their computer or has antivirus on. No, this worm has to cut through all of that. So the hackers use a tool called Mimikatz. Mimikatz is crazy and amazing and one of the most frustrating things I've ever seen. I could talk about Mimikatz for hours. It's nuts. But the skinny of it is this. On Windows computers
Starting point is 00:06:01 is a program called lsass.exe, and this process is the one that's responsible for enforcing security on Windows computers. Yeah, well, get this. When someone logs into a Windows computer, lsass stores your username and password in clear text in the memory. Now, this is so lsass can authenticate that person to other things like shared drives, email, SharePoint, etc., without having to ask the user for their password again and again. This is all fine and good until a French researcher named Benjamin Delpy, or gentilkiwi, took a look in the memory, used a tool to examine what LSASS put into memory,
Starting point is 00:06:37 and was amazed to see it storing usernames and passwords in clear text, not encrypted at all. So he built a tool to extract this username and password to display it to anyone who wants to see it. And that tool he made is called Mimikatz. And he made it open source for anyone to use it. And he kept building on it, teaching it how to trick Windows into authenticating in so many other ways, like passing hashes and tokens. It's incredibly powerful and insanely successful.
Starting point is 00:07:04 Because get this, suppose you break into a computer or sit down at someone else's computer. If you download and run Mimikatz, you can suddenly see every single user who's logged into that computer since it was rebooted. And not just their username, but you can see their full password too. On a shared computer like a central jump server, you can potentially get the passwords to a huge number of employees, and possibly an admin account too. And the thing that frustrates me the most about Mimikatz is that for years, Microsoft refused to fix this problem. They just didn't acknowledge it or understand it. And in recent versions of Windows, they have fixed some of it. But Mimikatz
Starting point is 00:07:40 continues to evolve, getting around whatever fix Microsoft comes up with. So even today, on a brand new Windows computer, it's not secure against Mimikatz by default. This is why it's such a powerful exploit. Now, once the worm infects a computer and spreads, the last thing it needs to do is destroy that computer. The goal of this attack was to permanently destroy as many computers as possible. The best way to do that remotely is to encrypt everything on it, make it useless unless you have the decryption key. This is typically known as ransomware. But I don't think these hackers had any intention on making money off this.
Starting point is 00:08:15 Their goal was to destroy computers. And ransomware was just the perfect tool to do that. The name of the ransomware they decided to use was a modified version of Petya. It'll infect the system at the master boot record, instruct the machine to reboot, and upon rebooting, it'll encrypt that file system, preventing it from working at all anymore. It'll then show this screen saying your files have been encrypted and you need to pay to get it unencrypted. Now you combine these two tools into a worm and instruct it to spread through the network, it's very effective just this by itself. Computers that are fully patched and updated can get their
Starting point is 00:08:49 passwords taken from memory and use that to spread to other computers quite easily. And the more systems it gets into, the more usernames and passwords it collects, and it just becomes unstoppable at some point. And it could potentially encrypt all hard drives in a network. But even though that's a powerful one-two combo, it might not be a knockout blow. What if those computers it initially infects didn't have any extra passwords to steal or something? Hmm.
Starting point is 00:09:16 So another tool was added to this worm. Something called EternalBlue. EternalBlue was probably the most powerful of all of the hacking tools dumped onto the internet by this very mysterious group called the Shadow Brokers. The Shadow Brokers appeared in the summer of 2016 and just started periodically leaking NSA hacking tools onto the internet. These are full working zero-day exploits in some cases. Yeah, in the previous episode, we heard all about what the Shadow Brokers did, but it was their last dump where they handed the world a devastating hacker tool.
Starting point is 00:09:51 And it included this hacking tool called EternalBlue, which exploited a vulnerability in a Windows function called Server Message Block that allows machines to essentially share information between themselves. By exploiting that SMB vulnerability, EternalBlue could basically run code remotely on any Windows machine that was vulnerable anywhere in the world. It turned out that the NSA had actually worked with Microsoft to try to warn everyone about the zero-day when the Shadow Brokers first appeared. And there was a patch for this SMB vulnerability. But, of course, as with all patches, it was kind of an epidemiological problem trying to get people all around the world to implement this patch.
Starting point is 00:10:40 When EternalBlue went public, there were still countless thousands or hundreds of thousands of machines, really, that were still vulnerable. With EternalBlue in the hands of every hacker, the world was about to be sucker-punched in ways it never imagined. EternalBlue is an exploit to get into Windows computers. It just bypasses the username and password altogether and lets the hacker write in. And from there, they can look at files, upload things, issue commands, do whatever they want. And yeah, while Windows had a patch for this, not everyone was applying their patches. So the chances of this working,
Starting point is 00:11:13 they're still high, probably 20 to 50%. And that just might be enough to get that worm through some difficult places that Mimikatz couldn't get into. So here's the combo for this hack. First, if the worm could get onto a system somehow and then run Mimikatz to get all the usernames and passwords that have logged into that computer, then it could take those usernames and passwords and try to log into all its neighbor's computers to see maybe it can get into those too,
Starting point is 00:11:41 and collect more usernames and passwords along the way. And by golly, with a list of usernames and passwords to try, it would be able to successfully get into a lot of computers to infect them too. But if it couldn't log in like that, it would then try to use EternalBlue to see if that system was unpatched and exploit it that way. So the worm would try two very powerful and dangerous ways to get into every computer on the network. And once the virus tried to spread as far as it could, it would then infect it with ransomware, encrypting the whole thing, making it useless, and then rebooting the machine so it's unusable. This would be an extremely powerful combo that certainly could be a knockout blow.
Starting point is 00:12:24 Now the target of this attack was Ukraine, and the goal was to take out as many computers as possible in Ukraine. Businesses, government agencies, doesn't matter, everything. Take down all of Ukraine's network. But how can you target an entire country? This is both a wide-scale attack, but it's also limited in size, and it wanted to spread through the whole world, just Ukraine. This is a very interesting question and something I bet the hackers thought a long time about. They ultimately chose to target a small company called Linkos Group. Linkos Group is a pretty small family-run software business based in a building in western Kiev, the capital of Ukraine, in this
Starting point is 00:13:07 kind of nondescript building in a kind of dingy neighborhood on the edges of Podil, a kind of like hipster neighborhood in Kiev. On the third floor of that building is a server room full of these like pizza-box-size servers stacked up. One of them was responsible for sending updates to MEDOC, this accounting software that Linkos Group sold, their kind of flagship product. It's really like the kind of QuickBooks or TurboTax of Ukraine. Anyone who files taxes in Ukraine or really who wants to do business in Ukraine
Starting point is 00:13:40 use this software, MEDOC. Hmm, you see where this is going? MEDOC is like TurboTax, but for Ukraine. People who need to file their taxes in Ukraine use this software. So if the hackers could infect MEDOC with this worm, a spreading, replicating virus, then the attack would only hit people who have to do taxes in Ukraine. In June of 2017, a group of hackers took over that update server,
Starting point is 00:14:09 and they hijacked MEDOC's update mechanism to push out their own malware. So everyone everywhere in the world who had MEDOC installed suddenly had NotPetya, this worm, installed as well. We don't know how, but they got into that MEDOC update server, maybe a phishing email or something. But it didn't matter. The stage was set, and the biggest cyber attack in history was about to be launched. On Tuesday, June 27, 2017, the virus was placed on the MEDOC update server, and an update was sent to thousands of computers in Ukraine. Each and every one of those computers was infected by this virus. The seed was planted
Starting point is 00:14:53 and was instantly spreading. As soon as someone got the update, they were infected, and immediately the worm spread to another machine, and another machine, and another, grabbing usernames and trying to log into its neighbor, and then using those passwords it would get along the way to spread to as many computers as it could in the network, as well as using EternalBlue to get into computers it didn't have the password for. As soon as it was infecting a computer, it was rebooting it and encrypting it, rendering it useless.
Starting point is 00:15:21 In a matter of minutes, entire organizations were seeing their networks just go down, like a shadow being cast on all the computers. Now, all this happened on the day before Ukraine's Constitution Day, which is the day Ukraine celebrates their independence from Russia. What was typically supposed to be a slow day leading up to a holiday was a day that some people will never forget. Oleksii Yasinsky, this forensic analyst and incident responder for a company in Ukraine called Information Systems Security Partners, described the experience of going to one of
Starting point is 00:15:56 their clients early that morning, one of the very first victims of NotPetya, Oschadbank, this former national bank of Ukraine. And as he went in, he described entering a building where everyone seemed to be in a kind of state of shock, because all of their systems had been shut down simultaneously. Around 90% of all of the computers in Oschadbank had been hit with this mysterious ransomware worm. It looked at first like a normal piece of ransomware, which encrypts all of your files. In fact, in this case, encrypts the entire operating system of the computer. And there was a message on the screens of Oschadbank's PCs demanding $300 in Bitcoin
Starting point is 00:16:36 as a ransom before the attackers would unlock the computers. But Oleksii Yasinsky says that he pretty quickly, as he was doing incident response for Oschadbank, could tell that this was something unusual, at least in the sense that it was extremely virulent. The worm had essentially rampaged through Oschadbank's network until it got access to an administrator's credentials. And then it had used those credentials to jump out to every machine that that administrator had access to, kind of very quickly just saturating the entire network and shutting it down. That day, the bank could not do business. The people came to work, but their terminals were all encrypted and frozen.
Starting point is 00:17:18 Customers and employees were both very upset that systems were down. Every one of these computers that had been hit was completely locked and showing this ransomware screen demanding $300 in Bitcoin before the hackers would decrypt it and give Oschadbank's staff back access to that machine. But Oleksii Yasinsky and ISSP over
Starting point is 00:17:41 the next hours would very quickly come to the conclusion that this was not really ransomware. It was a destructive worm posing as ransomware. Even if you paid that $300 in Bitcoin, you were not going to get your files back. That was just a kind of thin ruse hiding an act of cyber war. As incident responders investigated this, they found that the ransomware was similar to the Petya ransomware. It was originally thought to be Petya, but some additional research went into it and found this is a new strain,
Starting point is 00:18:13 and it was not Petya. Since there were so many people saying that it was not Petya, that's the name that stuck for this virus. This would become known as the NotPetya attack on Ukraine. And after the break, we'll hear just how destructive NotPetya became. Support for this show comes from Black Hills Information Security. This is a company that does penetration testing, incident response, and active monitoring to help keep businesses secure.
Starting point is 00:18:43 I know a few people who work over there, and I can vouch they do very good work. If you want to improve the security of your organization, give them a call. I'm sure they can help. But the founder of the company, John Strand, is a teacher, and he's made it a mission to make Black Hills Information Security world-class in security training.
Starting point is 00:19:00 You can learn things like penetration testing, securing the cloud, breaching the cloud, digital forensics, and so much more. But get this, the whole thing is pay what you can. Black Hills believes that great intro security classes do not need to be expensive, and they are trying to break down barriers to get more people into the security field. And if you decide to pay over $195, you get six months access to the MetaCTF Cyber Range, which is great for practicing your
Starting point is 00:19:25 skills and showing them off to potential employers. Head on over to BlackHillsInfosec.com to learn more about what services they offer and find links to their webcasts to get some world-class training. That's BlackHillsInfosec.com. NotPetya was not just hitting this one bank. It was initially infecting networks through the MEDOC software update and then spreading into hundreds of networks, hitting thousands of computers through the whole country of Ukraine. At the same time as Oschadbank was being taken down by NotPetya, it in fact was spreading across the entire country of Ukraine. In just a short time, in a matter of hours, a massive amount of networks and computers were permanently down, infected by NotPetya. One researcher claimed that over 300 companies were brought down in Ukraine over this attack. Pretty much the whole country was infected by this in
Starting point is 00:20:22 some way. Either you personally were down, or your supplier was down, or your neighbor was down, or your client was down. It was a catastrophe. But NotPetya didn't stop spreading at the borders of Ukraine. I mean, no cyber attack cares about borders, obviously. And so really any multinational company that had MEDOC installed was also instantly infected with NotPetya. And that included FedEx, Maersk, the world's largest shipping firm, Merck, the New Jersey-based pharmaceutical company, Saint-Gobain, the French construction firm, Reckitt Benckiser, this UK manufacturing firm, Mondelez, the food company that owns Nabisco and Cadbury, and really
Starting point is 00:21:06 countless others. We just know that initial list that I just named because they were the ones who were public companies that had to declare their damages to shareholders. But we may never know the full extent of all of the companies that were hit by NotPetya. Of course, if these companies either had MEDOC or were connected to networks of companies in Ukraine or were sharing computers with infected companies, they were also getting infected with NotPetya too. Counterintuitively, NotPetya also spread into Russia and did really serious damage there to the state oil company Rosneft, to the steelmaker Evraz, to the medical technology firm Invitro. Really like everyone who touched Ukraine in any way, which of course includes Russia, suffered damages from this. Companies all over were scrambling to figure out what happened. How do we fix this? Is there a way to recover or undo this? How do we get stuff working again? All across Ukraine, essentially, people
Starting point is 00:22:06 were figuring out that it was better just to shut down your entire network, turn everything off, than watch it be devoured by NotPetya. So really every government agency, the Postal Service, all of these companies, they were in many cases shutting down their own networks, but usually it was too late. NotPetya had often infected the majority of their systems before they could even pull the plug. With so many computers down all over the city and country, the feeling must have been surreal. The kind of like personal experience of being in the middle of this, I heard it best from this guy, Pavlo Bondarenko, who was an IT administrator at the Ukrainian Health Ministry. And he had very early in the day figured out that they needed to pull the ministry's network
Starting point is 00:22:51 offline. And that probably spared the health ministry from some terrible damage. But nonetheless, he spent the whole day fighting off NotPetya. And then at the end of the day, he left the office to go home. Tried to get on the subway. Found that NotPetya had actually destroyed the contactless payment system that he usually used to swipe in to get onto the Kiev metro. So he had to go out to find an ATM where he could get cash to buy a token. All of the ATMs that he tried were also paralyzed by NotPetya one after another. Until he found one ATM that was still working but had a very small cash limit and this long line of people trying to get cash. He waited in line, got the cash, bought the token,
Starting point is 00:23:38 got on the subway, went to his neighborhood, got out and tried to go grocery shopping. Found that the payment system at the grocery store was down. He had to get more cash because he had run out. So he had to find another ATM among all of the paralyzed ATMs where he could take cash out again. And Pavlo described that experience as not just being kind of annoying, but being disorienting. Like he had found himself in a world where
Starting point is 00:24:06 everything was suddenly broken. He described it as a kind of like a natural disaster, except that it was entirely man-made, and that things had gone very quickly from just seeing what was new on Facebook to asking questions like, did he have enough money to buy food for the next week? People were asking, you know, did they have the medicines that they needed? Would they be able to get to work and back? It was a kind of fundamental cyber attack against the basic infrastructure of people's lives that we had really never seen before. This really scares me. This is a major disaster.
Starting point is 00:24:50 Unlike anything any country has ever seen. For so much of the country's infrastructure to be down like this, it's chaos. I am not prepared for something like this to happen where I live. To suddenly and without notice, to not be able to get gas, food, or money, to have hospitals turning away people because their network is down. In disasters, there isn't enough emergency crews to help everyone.
Starting point is 00:25:14 You're on your own, or you're at the whim of someone else willing to help you. And I just think of how connected our whole world is now. And to see it so fragile like this, where one well-crafted, well-timed, well-executed virus can do such an enormous amount of destruction, I'm shaken.
Starting point is 00:25:34 I would say that the cyber war began in Ukraine much earlier. As soon as Ukraine came under repeated, sustained, disruptive cyber attacks, starting in the fall of 2015, culminating in two blackouts in late 2015 and then late 2016, that was cyber war. But this was kind of a new stage of the cyber war, a kind of carpet bombing of the whole country's digital systems. In terms of like, what is cyber war? I would say that Richard Clarke got it right in his book in 2009, I think it was. His book, Cyber War, where he basically defined it as an act by a nation, states, hackers, designed to disrupt an adversary's systems.
Starting point is 00:26:23 I think that that's like, at least the most basic definition for cyber war. I think other things that make something a cyber war are that it affects critical infrastructure, that it is massive in scale, that it takes place in the midst of a physical war. And all of those things are true of, in fact, the entire campaign of cyber attacks carried out against Ukraine, but especially NotPetya, this kind of climax of that whole series of attacks. Okay. Okay. All right. I'm back now.
Starting point is 00:27:01 I had to pause there for a second and go build my 72-hour kit because this is freaking me out. I don't know what to think of this. I guess I'm just lucky this didn't hit the US. Yeah, I mean, I think a lot of people see what happened to Ukraine and they think like, whew, that could have been us. That's scary. But in fact, what I keep trying to emphasize is that NotPetya did hit us too. It didn't hit us at the same national scale as Ukraine, but it hit American companies. It hit Western companies. FedEx, I'm talking about FedEx and Merck in New Jersey and Maersk's terminal also in New Jersey. Somehow New Jersey got a lot of damage here. But this was not a Ukrainian attack. This was an attack that spilled out from Ukraine
Starting point is 00:27:44 to the entire world and immediately included us too. Okay, so let's talk about Maersk. Maersk is not a Ukrainian company. It's a Danish company. They've been the largest shipping company in the world for the last three decades. Picture those huge container ships at sea carrying tons of those big metal container boxes full of goods. And they're headquartered in Copenhagen in Denmark. But they were impacted by this too. Maersk had one office in Odessa on the Black Sea coast in
Starting point is 00:28:11 the south of Ukraine. And in that office, they had one computer that I know about, at least, that had MEDOC installed. And that was all that it took for Maersk's entire global network to be infected. At Maersk's global headquarters in Copenhagen, this kind of beautiful blue windowed building on the Copenhagen harbors promenade, staff just noticed all of a sudden on the afternoon of June 27th that screens around the whole building were just turning black. One staffer described seeing a wave of screens turning black all around him, black, black, black, black, black. Some staffers started to crowd around the help desk in the basement of the building, but very soon it was clear that this was much larger than that, that
Starting point is 00:28:55 every computer in the building was being infected. And IT administrators were soon running down hallways, unplugging computers, running into meeting rooms to unplug computers in the middle of meetings, jumping over turnstiles, because even the turnstiles that control the physical security of the building had been paralyzed by this attack. And they were rushing to really turn off all of the systems because they knew that every second meant hundreds or even thousands of more machines that would be compromised. But that was really just the kind of digital part of the attack on Maersk. Maersk runs this massive global shipping machine with these container ships the size of the Empire State Building, with another Empire State Building's worth of cargo on top of them.
Starting point is 00:29:42 And all around the world, those ships were starting to arrive at Maersk-owned terminals everywhere in the world. And their systems had been shut down so that nobody even knew what was on these gargantuan ships. They couldn't even figure out how to unload them. And meanwhile, the real choke points at 17 terminals that were shut down by the 17 ports, essentially, all around the world, were the gates outside where the trucks lined up
Starting point is 00:30:09 at the Elizabeth, New Jersey, APM terminal owned by Maersk. It's a full square-mile-size patch of land in the harbor. And these massive ships pull up, but so do thousands of trucks every day. And they come to this checkpoint outside the terminal where they're told over this voice-over-IP system where to go, kind of what to pick up or drop off. And all of that on June 27th instantly shut down.
Starting point is 00:30:41 So trucks were arriving at that gate outside the terminal and nobody was talking to them. They were locked out. They had no idea what was going on. Maersk couldn't even send them an email to explain. The trucking companies were entirely in the dark. People were getting furious. The port police started to tell them that you need to turn your truck around and leave. But they had stuff that they had to ship somehow for just-in-time manufacturing processes and perishable goods that had to be refrigerated. It was just a fiasco. And soon tens of thousands of trucks were lining up at 17 of Maersk's terminals all around the world,
Starting point is 00:31:20 from Los Angeles to New Jersey. Tens of thousands of trucks in total. Yes, certainly. And each one of these terminals had lines of trucks that were miles long, from Los Angeles to New Jersey to Algeciras in Spain, to Rotterdam in the Netherlands, to Mumbai in India. This was a significant chunk of the entire physical operation of the world's largest shipping conglomerate just shut down in an instant. It's so frightening. Yeah, it's hard to get your head around the scale of this in physical terms. I mean, it's interesting in part because we've always been scared, or I've always been scared, of these attacks that directly interact with physical infrastructure like Stuxnet.
Starting point is 00:32:09 Some of the Ukraine attacks were like that, too. The ones that turned off the power and utilities causing the first ever, just the computers around the world, you can maybe do more physical disruption just by taking out all of that digital equipment. That alone, just paralyzing the brains of a corporation like Maersk can do more physical disruption than directly attacking the physical equipment. I don't know if that's an idea you really care about, but it's like something. Yeah. It puts me in deep thought, this whole thing.
Starting point is 00:32:46 Like everything is on those shipping things, everywhere from diapers to food to medical supplies. Yeah, yeah. Like what did their ships contain? It was just absolutely everything that the modern economy runs on from manufacturing components to food, consumer goods that are part of a just-in-time supply chain.
Starting point is 00:33:05 I mean, Maersk is really just at the heart of the global economy, and its operations just kind of instantaneously winked out of existence. Hearing this just reminds me about where we were in 2008. Certain banks were facing financial crisis in the U.S., and they were deemed too big to fail because they were so integrated into our lives. So the U.S. government bailed them out, giving them billions of dollars to restabilize the nation. I'm starting to think that Maersk is also so interconnected into the U.S. that they might also be too big to fail. Each ship has one million items on it, crucial items that we need in order to live.
Starting point is 00:33:44 But as far as I know, the U.S. government or any government did not help Maersk. Yeah, the FBI called them to investigate the case, but that's about it. Maersk could not solve this problem by themselves, and the citizens of the U.S. would suffer until Maersk could get back on their feet. Because not just the U.S., the whole world relies on deliveries from Maersk. They have shipping yards all over the planet. NotPetya had a clear global impact. Maersk absolutely needed help.
Starting point is 00:34:17 Something like 49,000 of their computers were down worldwide, which was 100% of the Windows computers they had in their network. 100% of them. The only computers that weren't encrypted were either Linux or Unix systems, or the ones that were down before this attack, or were offline for this attack. And because their network would periodically sync to backups, all their backups and disaster recovery centers were wiped too. Their emails were down, phones were down. You couldn't even see your contact list in your mobile phone because that relied on Exchange being up. Maersk was in trouble. It wasn't clear to them at first who was threatening them or what or why. There was so much chaos everywhere, you just didn't know who all the
Starting point is 00:34:53 victims were yet. But they called up Microsoft right away and spoke to someone very high up there to discuss options. Microsoft got busy trying to find solutions to this, and they heard lots of complaints from other people too. A few days later, they had some news. Microsoft called back Maersk and told them they cracked a decryption key to decrypt the ransomware. But the bad news was they only cracked the decryption key for one computer. And the other problem is that it took them 22,000 compute hours to crack that single key for one computer. Maersk had 49,000 computers,
Starting point is 00:35:27 so this wouldn't work. There was no choice. Maersk had lost everything with no help in sight. They didn't seem to have any way to recover. Everything was gone, all backups too. Ransomware was holding it all hostage. Now, I heard from a few places that Maersk got in contact with the hackers who made this ransomware. And there was discussion about prices on it and how much it would cost to unlock all of Maersk's computers. And this conversation went back and forth between the hackers and Maersk for a little while. The story goes that the hackers said themselves that they didn't expect this to spread so far so quickly. So it sounds like even the hacker was impressed by how effective it
Starting point is 00:36:05 was. But ultimately Maersk decided not to pay for a number of reasons. For one, it paints a target on Maersk's back as someone who pays ransoms. But also security researchers were suggesting that this isn't a ransomware, it's a wiper. And that even if you had the decryption keys, you're not going to get your data back. So there was doubt that this could even be recovered this way. But more importantly, Maersk knew they needed to rebuild their network anyway. Even with decryption keys, they still needed to go through every computer, unlock it, reconfigure it, secure it, check it for any tampering or misconfigurations, and get it back to working again. So they opted just to ignore the ransom and start from scratch. But still, this meant a lot of work to do. Where do you even start to recover a network this big? Well, stay with us, because
Starting point is 00:36:54 after the break, we'll hear how they got their cargo moving again. This episode is sponsored by Shopify. The new year is a great time to ask yourself, what if? When I was thinking, what if I start a podcast? My focus was on finding a catchy name, some cool stories, and working out the best way to record. But oh, so much more goes into making a podcast than that. If you're thinking, what if I start my own business? Don't be scared off, because with Shopify, you can make it a reality. Shopify makes it simple to create your brand, open for business, and get your first sale.
Starting point is 00:37:30 Get your store online easily with thousands of customizable drag-and-drop templates. And Shopify helps you manage your growing business. Shipping, taxes, and payments are all visible from one dashboard, allowing you to focus on the important stuff. So what happens if you don't act now and someone beats you to the idea? The best time to start your new business is now with Shopify. Your first sale is closer than you think. Established in 2025. That has a nice ring to it, doesn't it? Sign up for your $1 per month trial period at shopify.com slash darknet. Go to shopify.com slash darknet and start selling with Shopify today. Shopify.com slash darknet.
Starting point is 00:38:13 Maersk was screwed without a functioning network. So the only option they had was to rebuild everything from scratch, their entire network infrastructure. They hired Deloitte, a consulting company, to come and help them do incident response. But they also set up their own emergency recovery center in this building outside of London in this town called Maidenhead. And that building just was swarming with everyone who vaguely worked in IT for Maersk anywhere in the world, who were all kind of shipped in within days to work 24-7, more or less, to rebuild Maersk's global network. Because everyone's computers weren't working and they wanted to get people stood up again
Starting point is 00:38:55 quickly, they came up with a few different plans to get everyone back online. They decided to deploy USB sticks to employees with operating systems installed. So with this, the IT team could stick a bootable operating system on a USB drive, then hand it to an employee, and they could just boot to the USB drive and have a working computer. Of course, it doesn't have all their stuff, but at least it's something. And if that computer went down, they could just grab a new USB stick and boot up, and they're online again. It's a quick band-aid to get some systems back up, and it's a good idea. So Maersk tried to buy 3,000 USB drives.
Starting point is 00:39:30 But this was a problem, because even big box stores like Staples or Best Buy, they only have like a couple dozen in stock. And they needed thousands. So they quickly wiped the USB supply of anyone who was willing to sell it to them, and then they began buying directly from the manufacturer to get them in bulk. And how long is that going to take, right? Days, weeks? This was slowly getting individual users back online, but they still needed to rebuild the entire IT infrastructure, all the servers and stuff. As Maersk started that recovery process, really throwing everything they had into that Maidenhead building where people were trying to rebuild their network from scratch, the very first hurdle that they encountered was that they
Starting point is 00:40:10 didn't have a backup copy of their domain controllers, which are a kind of core backbone of their network. Maersk has more than 100 domain controllers, and each of them is designed to kind of back up to each other. So if one goes down, it's no big deal because it's backed up to all the other ones. It's this kind of massive redundancy system. But what they hadn't planned for is a situation where every single domain controller is wiped at the same time. And that is exactly what NotPetya did. All of their domain controllers were ruined, wiped, destroyed.
Starting point is 00:40:44 It was catastrophic. This is the heart of the network, the thing that knows everyone's profile and logins and passwords and permissions and so, so much more. And it was totally gone. Now, typically, you're going to have backups for this, and they did have backups and redundancy. But this worm infected their backups and redundant domain controllers too, so they were gone. And maybe in a company this big, you might want to do some sort of weekly snapshot and then take that snapshot to some off-site location. So in case something like this does happen, you can at least go back a week and get something from there. But it didn't seem like they had any
Starting point is 00:41:22 of this, and they were stuck with pretty much no network. So these kind of frantic IT administrators are calling around to every Maersk facility everywhere in the world looking for any backup of the domain controllers. And they finally found it in one place. It was in a data center in Ghana that had experienced electrical blackouts, just a normal kind of loss of electricity. But the result was that that one domain controller had had its data preserved. It hadn't been infected by NotPetya because it wasn't online. One domain controller in Ghana is still working. This could be the domain controller that
Starting point is 00:42:00 could help stand up all of Maersk's network, it became a critical mission to get this domain controller to the disaster recovery center. So they had to get that data from Ghana to Maidenhead. They first tried to set up a kind of secure remote connection, but the bandwidth of the Ghanaian data center wasn't fast enough. So they tried to fly someone from Ghana to London, but the Ghanaians didn't have the right visas. So they had to do this kind of crazy relay race thing where people flew from London to Nigeria. The Ghanaians flew to Nigeria too, and they handed off the data on some sort of physical medium and then carried it back to London, drove to Maidenhead. And that was the beginning of this weeks- and ultimately months-long process of rebuilding Maersk's network. With this one domain controller,
Starting point is 00:42:50 they were able to start restoring the network. Maersk needed even more help, though. They didn't have a functioning network, so they asked partners and clients if they could use their network. But of course, nobody wanted Maersk on their network since Maersk had a horrible virus. So Maersk tried hiring more IT people, but they couldn't find anyone qualified or available. So they called up whatever companies that were partners and clients and friends of theirs and asked, could they just hire their IT staff? These companies are like, no, but they did loan out a few of the IT staff to Maersk. 40 engineers, analysts, and IT experts were loaned to Maersk and flown in to help recover the network.
Starting point is 00:43:33 And after about nine days of working on it 24-7, they were able to have a functioning network again. This ultimately cost Maersk $350 million. Now, that's just the story of how Maersk handled this problem. There were over 300 other organizations that were also hit. It would hit pretty much every Ukrainian government agency. The Minister of Infrastructure, Volodymyr Omelyan, told me that the government was dead. And it spread to the postal service, the entire postal service of Ukraine shut down, which includes all of their payment systems for sending money, their functions for handing out pensions to people in the country, newspaper
Starting point is 00:44:16 delivery. But there's also 74,000 employees at the post office. How are those checks going to be issued when all the computers are down? Ukraine's Ministry of Health thought they were going to be infected, so they just unplugged their entire network, forcing themselves to go down, which is unthinkable. To unplug yourself on purpose? 22 banks were shut down by NotPetya, six power companies, two airports, four hospitals in Kiev alone, the card payment systems in the metro in Kiev and other cities, all the ATMs across the country. This was the kind of, I don't know what you would call it, a kind of full-spectrum cyber war that had really never been seen anywhere else before. And it hit Ukraine at a national scale. This was a national disaster,
Starting point is 00:45:05 an epidemic that caused panic and chaos everywhere. And yeah, this is an intentional, man-made disaster, an attack that someone wanted to inflict on the country of Ukraine. So yeah, I think this is a cyber war, which is the first time I've ever admitted to saying that myself. About a week after NotPetya hit, vans full of these kind of militarized Ukrainian police pulled up to the Linkos Group headquarters and poured out into the building, up the stairs, as if they were kind of like raiding the bin Laden compound, pointing semi-automatic rifles at staff, kicking down a door. And it was all to grab this one server on the third floor of the building that had been in some ways the genesis of the NotPetya attack.
Starting point is 00:46:04 But of course, what's very ironic about that is that it was not the genesis of the attack. It was just an instrument of it. The real source of that attack was somewhere far away across the Internet. Ultimately, almost certainly in Moscow, hundreds of miles from Kiev. Ah, yes. Now we get into the who would do such a thing part of our story. Andy here thinks it's Moscow, but that's no easy conclusion to get to. Just because Russia and Ukraine are enemies isn't enough. You need more evidence than just that. I mean, it might have just been a criminal group of hackers. So an investigation began on trying to find out what
Starting point is 00:46:40 the evidence was behind who did this. Of course, that Linkos Group server and their network was analyzed to see what the intrusion there looked like. Were there any clues left behind with that? How did they get in? The virus was also analyzed to see if any notes were left on there. Maybe some comments or variable names or documentation might give us a clue. The virus was analyzed over and over. And you can also look at compile times. At what time of day was the virus made? Like, 1 p.m. in Moscow is 5 a.m. in the U.S. And all these things are worth investigating and writing down. Within days of NotPetya hitting,
Starting point is 00:47:17 the Slovakian cybersecurity firm ESET had started to pull together forensic evidence that tied NotPetya to the earlier waves of attacks against Ukraine that included the data-destructive attacks against Ukrainian companies and government agencies and the blackout attacks that had hit in late 2015 and late 2016. Those attacks in turn had been tied to this group Sandworm. The security company ESET got a hold of a copy of NotPetya and studied it extensively. And they published a report showing all of the evidence that ties this to Sandworm.
Starting point is 00:47:51 Sandworm, this little company iSight Partners had found in 2014, had a Russian language how-to manual for using their Trojan on an open directory of their command and control server. So if you follow that forensic line all the way back to 2014, it's pretty clear, first of all, that who else is going to be attacking Ukraine for years on end other than the country that has also launched a physical invasion into the east of the country and seized Crimea. So that's just common sense. But also, we know that this group was Russian speaking because of that file found on the open directory. So within days of NotPetya, it was pretty clear to me that this was part of the larger Russian cyber war against Ukraine, that this was not a criminal act, that it was, in fact, the climax of a nation state sponsored escalating series of cyber attacks against a military target. For almost nine months,
Starting point is 00:48:48 I was kind of going crazy trying to understand why none of these victims were naming Russia. No government had actually named Russia. NATO had not said anything. It was weird enough that we had watched this Russian cyber war unfold in Ukraine for years, but now it had even hit these multinational companies, many of which were based in the West. And still nobody was calling out Russia for this worst ever in history cyber attack. Until finally, nine months after NotPetya hit, the White House put out a statement, very, very short statement that just said, yes, NotPetya was the worst cyber attack in history, and it was deployed by the Russian military against Ukraine, and that there will be
Starting point is 00:49:30 consequences. That statement was in turn backed up with similar statements from all the four other Five Eyes, English-speaking nations' intelligence agencies. The US, Canada, New Zealand, Australia, and the UK all simultaneously called out Russia as the perpetrator of NotPetya. There are still people, and in particular Russians, who question whether NotPetya was really a Russian state act. But I don't think we've ever had all five Five Eyes agree publicly to call out someone like this before. I don't think there's really much room for doubt. The FBI also did their own investigation, working with some of these international companies and Ukrainian companies to learn more. But still today, we have no idea what the FBI found in their investigation. But for Andy, he wanted to learn more about what happened there. So he packed his bags and flew to Ukraine to investigate.
Starting point is 00:50:27 When I was in Ukraine, I talked to the SBU, the kind of Ukrainian equivalent of the NSA, and they had told me flat out that Sandworm was Fancy Bear, APT28, this other Russian hacker group that had been named for years as, uh, linked to the GRU, Russia's military intelligence agency. So I had suspected for a long time, and I'd heard this from American sources too, but it was kind of unsubstantiated, that, uh, Sandworm was likely the GRU. And they were the most likely candidate because they're part of Russia's military. Russia's military was invading Ukraine. The GRU had been very active in that invasion.
Starting point is 00:51:13 But when the Five Eyes said that the Russian military had carried out NotPetya, that for me was ultimately the confirmation. I should say, I should give some credit here also to the Washington Post, who in a story before that announcement said simply that NotPetya was carried out by the GRU. The GRU is Russia's military intelligence agency. Within the GRU are hackers.
Starting point is 00:51:36 In fact, the FBI has indicted 12 GRU hackers for meddling with the 2016 U.S. election for hacking into the DNC. Robert Mueller is who brought this indictment forward, and I read through it. It's 26 pages, and it explains a lot of details about the GRU and how they hacked the 2016 election. It even lists the street address of where these hackers work out of. It's a fascinating read,
Starting point is 00:51:59 but so far nobody has been indicted for NotPetya yet, and there's been no FBI report for that either. The GRU hackers behind the 2016 election hacking? That hacking group has been called Fancy Bear. But this group that did NotPetya, something was a little different here. It didn't have the same M.O. as Fancy Bear, so a different name was given to them. Sandworm. It might be the same group as Fancy Bear. We don't know. My guess is
Starting point is 00:52:26 that it's another hacker team just down the hall from Fancy Bear or on another floor working in the same building as Fancy Bear. But what we believe is that both Sandworm and Fancy Bear are hacking groups both working for Russia's GRU in Moscow. So with the address in hand from the earlier indictment, Andy decided to take a trip to Moscow to learn more. He went right up to the tower that GRU works out of and looked at it. When I went to Moscow and stood there in the shadow of the tower, this glass building on the Moscow Canal in northern Moscow, that maybe I believed housed Sandworm, the hackers responsible for all of this destruction, I had a feeling of futility that I was so close physically
Starting point is 00:53:15 to the perpetrators of these attacks, and yet I wasn't going to get any closer. Just as distance had not been a kind of defense against NotPetya, proximity wasn't really enough to bring me any closer to these attackers. They were behind a locked gate with armed security guards. I knew that I couldn't just ask for an interview. And as close as I was to these hackers, that was kind of the end of the story for me. And I don't know if I will ever get any closer. The estimated damages from this attack totaled $10 billion. This is why this is the largest cyber attack in history. No attack has come close to this amount of damage ever. Ten billion dollars.
Starting point is 00:54:09 This was catastrophic. Enormous. It set new records. It was very scary. It's scary that all this was done with hacking tools that anyone had access to. There was no super secret hacking tool used here. Mimikatz is open source for anyone to use, and EternalBlue was dumped by the Shadow Brokers
Starting point is 00:54:28 just six months before. And you could slap any good ransomware on top of it and there you go. But wait a minute. This makes me think. If Russia were the ones behind Shadow Brokers, and Russia's the one that did NotPetya, then why wouldn't they
Starting point is 00:54:43 just keep EternalBlue to themselves? I wondered this and asked Jake Williams from the last episode. Why would they give away EternalBlue and then use it to hack Ukraine, right? It's just, you would keep that. Ooh, see, I disagree with that, right? So I've thought a lot about this as well. I, you know, if you look at the NotPetya attack, I'm not sure that when... A couple of things.
Starting point is 00:55:08 First off, I'm positive that they got better return on investment if it wasn't, as an information operation, releasing it and then using it, than they would have just using it as a 0-day. I think as a 0-day, it would have caused absolute panic. And honestly, the damage from it would have been so much more outside of Ukraine. I personally don't believe that the Russians anticipated the level of damage outside of Ukraine that actually occurred. And honestly, I don't think the InfoSec community did either. I think that the why did they use it down the road, it was out there. Why give it up in the first place? I think a couple of things. First
Starting point is 00:55:46 off, I have no doubt that they have a similar capability, or at least at the time had a similar capability, remotely exploitable SMB vulnerability. I think that's one. Oh, that's an interesting, I got your theory right away on that. Because if they publicly post it, then they don't have to expose their zero day, but they can expose NSA's zero day. Exactly. Exactly. Right. And separately from that, like they take out, suppose, suppose that in April, when, when they go to release this, they don't know that they're going to do NotPetya. Right. And I think that's actually, I have to tell you, I think that that's a reasonable assertion at that point. I think they know they're going to do something. I don't
Starting point is 00:56:22 think they've, I don't think anybody's got, I know that at that point, I think it's clear they know they're doing a destructive cyber attack around M.E.Doc in Ukraine, but I don't think it's clear they're going to worm anything. I don't, I don't think that was ever part of the decision calculus for release, but, but taking NotPetya completely out of it for a minute, if you are a nation state operation, right? So, so roll back to kind of the blog post, you know, that I was pushing where I was like, hey, you know, it is likely, you know, basically whoever this is, is operating in the interest of Russia, where they are effectively shutting down, or I say shutting down, they're effectively taking control of the infosec slash technology news cycle with these releases, right? And besides that, it throws NSA into chaos, right? As soon as Shadow Brokers dumps their stuff, there has to be a mad scramble at NSA to try to look around at what got dumped and who did it and why and what.
Starting point is 00:57:15 And at the same time, it makes NSA look bad, which gives the GRU some top cover to move into position and stage a massive attack while the world was dealing with EternalBlue. Gosh, what a future we have set for ourselves. Because I don't think the world has learned from this lesson. There are still hundreds of thousands of Windows computers still vulnerable to EternalBlue out there right now. And you can just update this any moment and protect yourself. But Microsoft, oh, Microsoft still hasn't patched Mimikatz. I mean, they have, okay? They've fixed it, but more people just find more flaws in the authentication of Windows, and Mimikatz works again. And from what I've been told, this will never be fixed. Not that
Starting point is 00:57:55 Microsoft isn't working hard on it, they are, and they release fixes all the time. Like, they've created this tool called the Microsoft Windows Credential Guard, which protects against this. But if that's the case, then why isn't that enabled by default? Or why can't the defaults just be secure and then a system admin is the one who has to click the button to make it insecure? Insecure by default is never a solution. And the reason why Mimikatz isn't just fixed once and for all is because there's something inherently flawed with the way Windows authentication works just as a whole. It's like every door or window in your house. These are the weak points by design because they're literally holes in your house that things can go in and out of.
Starting point is 00:58:34 And Mimikatz just makes me really mad because it's still a problem and it was used in this attack that brought down Ukraine and cost the world $10 billion. I mean, is there a scenario that's so devastating to the world that somebody finally does something about Windows authentication to make it secure? I don't know. And this is what really makes me mad. I will not fear. Fear is the mind-killer. I will let this pass over me.
Starting point is 00:59:04 Okay, so while this is the story of NotPetya, it's just a small part of the story. Andy Greenberg, our guest in this episode, just published this book called Sandworm, which goes into great detail about it. I mean, the guy flew to Ukraine and Moscow to get to the bottom of all this. And this is not the only cyber attack Russia has done to Ukraine. The book outlines so many more attacks that are equally as serious and scary that you should be aware of. In fact, I want to say that this episode only covered like a fifth of the book. So go get Sandworm in any bookstore right now, or get the audiobook and dive in and enjoy because it's fantastic. A big thank you to Andy Greenberg. Your book is amazing. The
Starting point is 00:59:53 story is amazing. And I appreciate all the research you've done in coming on the show to tell us the story. To learn more about Andy, visit andygreenberg.net or find him on Twitter as @a_greenberg. I'll also have affiliate links to the Sandworm book in the show notes. And thanks to Jake Williams once again. This show is made by me, the Harkonnen, Jack Rhysider. Sound design was done by the dual-eared Andrew Merriweather. Editing help this episode by the clip-happy Damien. And our theme music is by the bouncing Breakmaster Cylinder.
Starting point is 01:00:21 And even though people turn off their phone, yank the battery out, and go sit in that corner of their house that gets no Wi-Fi, every time I say it, this is Darknet Diaries.