
DOJ Indicts Russian Hackers Behind 2017 NotPetya Malware Attack

DOJ indicted the Russian military intelligence officers behind the 2017 NotPetya malware attack, which began with a Ukrainian company and spread across the globe, crippling several US firms, including Nuance.


By Jessica Davis

The Department of Justice announced the indictment of six Russian military intelligence officers behind the global 2017 NotPetya malware attack. Though the cyberattack began with a Ukrainian company, it quickly rippled across the globe and crippled several US firms, including Nuance and a major health system.

A federal grand jury in Pittsburgh returned the indictment against the six, all of them Russian nationals and officers of Russia's military intelligence agency, the GRU.

The indictment notes that the group and its operations have been tracked by security researchers under the names Sandworm, Telebots, Iron Viking, and Voodoo Bear. The charges were announced by Assistant Attorney General John Demers, FBI Deputy Director David Bowdich, U.S. Attorney for the Western District of Pennsylvania Scott Brady, and the special agents in charge of the FBI's Atlanta, Oklahoma City, and Pittsburgh Field Offices.

The charges cover attacks that used some of the most destructive malware seen to date, including the June 2017 NotPetya attack, which was seeded through a trojanized update of a Ukrainian tax accounting package and struck just one month after the global WannaCry outbreak.

Once inside a network, NotPetya exploited a flaw in version 1 of the Server Message Block protocol (SMBv1) to reach other machines, then overwrote each infected machine's boot records, rendering it unusable. Microsoft had patched the SMBv1 flaw (MS17-010) in March 2017, months before the attack, but organizations that had not applied the update remained exposed. Patching alone was not enough, either: the malware could also spread to fully patched hosts using stolen credentials, so network segmentation and credential hygiene mattered as much as the update.


Hundreds of companies were hit, including Nuance, whose client-facing applications were knocked offline for several weeks. The damage was severe enough that a month after the attack, Nuance had restored service for only about 75 percent of its clients.

The attack likely spread from Nuance to its clients, including Heritage Valley Health System in Pennsylvania, where the malware proliferated across the network, including satellite and community locations, and forced the provider into EHR downtime procedures for a week.

“The NotPetya malware...  spread worldwide, damaged computers used in critical infrastructure, and caused enormous financial losses,” according to the indictment. “Those losses were only part of the harm...  For example, the NotPetya malware impaired Heritage Valley’s provision of critical medical services to citizens of the Western District of Pennsylvania through its two hospitals, 60 offices, and 18 community satellite facilities.”  

“The attack caused the unavailability of patient lists, patient history, physical examination files, and laboratory records,” it continued. “Heritage Valley lost access to its mission-critical computer systems (such as those relating to cardiology, nuclear medicine, radiology, and surgery) for approximately one week and administrative computer systems for almost one month, thereby causing a threat to public health and safety.” 

Pharmaceutical company Merck was also hit, with the malware crippling its computer network.


At the time, the Department of Homeland Security attributed the malware's severe impact to its self-propagating worm behavior: it moved laterally across connected devices by harvesting credentials and active sessions, exploiting the previously patched SMBv1 vulnerabilities, and abusing the legitimate Windows Management Instrumentation Command-line (WMIC) and PsExec administration tools to execute itself on remote hosts. Because the last two paths rely on valid credentials rather than an unpatched bug, a single compromised administrator account was enough to carry the malware across an otherwise up-to-date network.
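As an added example (not code from the article, DHS, or the indictment), the following Python script shows how the credential-based part of that propagation chain can be spotted in host telemetry: a remote WMIC `process call create`, the PSEXESVC service that PsExec installs on its target, and rundll32 being pointed at a `.dat` file by ordinal. It runs over a constructed, in-memory set of simplified Windows event records; the field names (`host`, `event_id`, `image`, `cmdline`, `service_name`) are assumptions that mirror the usual Security 4688 and System 7045 fields, and every hostname, IP address, user and path in the sample is made up.

```python
"""Spot NotPetya-style lateral movement in Windows event records.

Added example, not code from the article, DHS or the indictment. Runs on a
constructed in-memory sample; the dict field names are assumptions that
mirror common Security 4688 (process creation) and System 7045 (service
installed) event fields.
"""
import re
from collections import defaultdict

# /node:<target> argument of a remote WMIC call, with or without quotes
WMIC_NODE_RE = re.compile(r'/node:"?([^"\s]+)"?', re.IGNORECASE)
# rundll32 handed a .dat file plus an ordinal entry point (e.g. perfc.dat,#1)
RUNDLL32_DAT_RE = re.compile(r'\.dat"?\s*,\s*#\d+', re.IGNORECASE)

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # benign: local WMIC query
    {"host": "WS-01", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic os get caption"},
    # suspicious: WMIC remote process creation using harvested credentials
    {"host": "WS-01", "event_id": 4688, "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": ('wmic /node:"10.0.5.23" /user:"CORP\\svc_backup" '
                 '/password:"Hunter2" process call create '
                 '"C:\\Windows\\System32\\rundll32.exe '
                 '\\"C:\\Windows\\perfc.dat\\",#1 60"')},
    # suspicious: PsExec service dropped on the target
    {"host": "WS-23", "event_id": 7045, "user": "SYSTEM",
     "service_name": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    # suspicious: rundll32 loading a .dat file as a DLL on the target
    {"host": "WS-23", "event_id": 4688, "user": "CORP\\svc_backup",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": 'rundll32.exe "C:\\Windows\\perfc.dat",#1 60'},
    # benign: ordinary rundll32 use
    {"host": "WS-23", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe shell32.dll,Control_RunDLL"},
]


def _basename(path):
    """Lower-cased file name of a Windows path (also handles %SystemRoot% roots)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the detection rules this single event triggers."""
    hits = []
    eid = event.get("event_id")
    image = _basename(event.get("image", ""))
    cmd = event.get("cmdline", "")
    low = cmd.lower()
    # WMIC used to start a process on another host
    if (eid == 4688 and image == "wmic.exe"
            and "/node:" in low and "process call create" in low):
        hits.append("WMIC_REMOTE_EXEC")
    # PsExec installs a service named PSEXESVC on the remote machine
    if eid == 7045 and (event.get("service_name", "").upper() == "PSEXESVC"
                        or image == "psexesvc.exe"):
        hits.append("PSEXEC_SERVICE")
    # rundll32 invoked on a .dat file by ordinal: a DLL disguised as data
    if eid == 4688 and image == "rundll32.exe" and RUNDLL32_DAT_RE.search(cmd):
        hits.append("RUNDLL32_DAT_LOAD")
    return hits


def scan(events):
    """Map each host to the set of rules fired by its events."""
    by_host = defaultdict(set)
    for ev in events:
        for rule in classify(ev):
            by_host[ev["host"]].add(rule)
    return dict(by_host)


def flag_hosts(events, min_rules=2):
    """Hosts where at least `min_rules` distinct rules fired: more likely a
    remote-execution chain than an isolated admin action."""
    return sorted(h for h, rules in scan(events).items() if len(rules) >= min_rules)


def propagation_edges(events):
    """(source host, target) pairs recovered from remote WMIC commands,
    i.e. the direction in which the worm is spreading."""
    edges = []
    for ev in events:
        if "WMIC_REMOTE_EXEC" in classify(ev):
            m = WMIC_NODE_RE.search(ev.get("cmdline", ""))
            if m:
                edges.append((ev["host"], m.group(1)))
    return edges


if __name__ == "__main__":
    for host, rules in scan(SAMPLE_EVENTS).items():
        print(host, sorted(rules))
    print("chain suspected on:", flag_hosts(SAMPLE_EVENTS))
    print("spread edges:", propagation_edges(SAMPLE_EVENTS))
```

Three caveats apply in practice. The WMIC rule only works if process-creation auditing is configured to include the command line in 4688 events, which is off by default. Legitimate administrators use PsExec and WMIC too, so the rules should be tuned with an allow-list of known jump hosts and maintenance windows rather than treated as conviction on their own. And none of this sees the SMBv1 exploit path, which leaves no process-creation trail on the attacking side; that path is covered by applying MS17-010, disabling SMBv1, and watching for unexpected workstation-to-workstation connections on port 445 at the network layer.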

According to DOJ, NotPetya caused nearly $1 billion in losses to the three US victims named in the indictment alone, spent restoring networks and replacing computers that could not be wiped clean of the malware; estimates of the worldwide cost run far higher.

The indictment reveals the same officers were behind far more than NotPetya: they waged a yearlong campaign against the Ukrainian government and critical infrastructure, including attacks on its electrical grid, from December 2015 through December 2016.

They also attacked the IT systems supporting the 2018 PyeongChang Winter Olympics, along with the games' hosts, participants, partners, and attendees. DOJ officials said the group also ran spear-phishing campaigns targeting the investigations into the Novichok poisoning and Georgian government entities and companies.

“No country has weaponized its cyber capabilities as maliciously or irresponsibly as Russia, wantonly causing unprecedented damage to pursue small tactical advantages and to satisfy fits of spite,” Demers said in a statement. “The department has charged these Russian officers with conducting the most disruptive and destructive series of computer attacks ever attributed to a single group, including by unleashing the NotPetya malware.  No nation will recapture greatness while behaving in this way.” 

“The FBI has repeatedly warned that Russia is a highly capable cyber adversary, and the information revealed in this indictment illustrates how pervasive and destructive Russia’s cyber activities truly are,” explained Bowdich.  “But this indictment also highlights the FBI’s capabilities.  We have the tools to investigate these malicious malware attacks, identify the perpetrators, and then impose risks and consequences on them.” 

For healthcare, the charges should serve as a reminder of the impact nation-state actors can have on the sector, even when a provider is not the primary target of an attack. Amid the COVID-19 pandemic, hackers with ties to Iran, China, and Russia have all targeted the sector, including its research data.

In particular, the National Security Agency warned in May that Sandworm, the same GRU unit named in this indictment, was actively exploiting a vulnerability in the Exim Mail Transfer Agent (MTA) software (CVE-2019-10149) to take remote control of enterprise mail servers.

Patch management must be a critical priority for all providers, especially in light of two recently disclosed remote code execution flaws in Microsoft products. Administrators should also monitor their infrastructure for suspicious behavior, such as unexpected remote execution through PsExec or WMIC, so they can detect and respond to an attack quickly.