If two is a coincidence and three is a trend, maybe we’re not quite there yet in officially calling WannaCry and ExPetr a new movement among APT attacks. But for now, it’s close enough.
Researchers are starting to examine the real motivations behind each global outbreak and whether these attacks truly signal a shift of direction in nation-state tactics.
Cisco’s Midyear Cybersecurity Report seems to point in that direction, saying that attackers have destructive campaigns at scale in the works and that weakly protected and vulnerable connected devices are going to be vehicle for these attacks.
Kaspersky Lab, meanwhile, compared WannaCry and ExPetr side-by-side—both of which were spread entirely or in-part by the leaked NSA exploit EternalBlue—and warned that ransomware attacks are a pretty good shield for destructive attacks.
“One APT was rushed, opportunistic, not as technically capable as the other, while the other APT was practical, agile, and focused,” Kaspersky Lab concluded about its WannaCry-ExPetr tale-of-the-tape. “But we are at the start of a trend emerging for this unusual tactic: APT camouflage destructive targeted activity behind ransomware.”
ExPetr took that route, spreading ransomware that really wasn’t profit-motivated malware. Errors in the code prevented recovery of data encrypted by the malware, which in concert with the actions of a German email host that shut down the attacker’s email address left victims up a creek.
It didn’t take long for researchers to conclude that ExPetr was instead a cloaked wiper attack foisted upon organizations in Ukraine primarily. Computers that were compromised by the malware had their Master Boot Record overwritten, rendering those machines lost forever, researchers said, adding that these were acts of sabotage and that collecting a few hundred dollars in Bitcoin from each victim was the furthest thing from the attackers’ minds.
The difference between ExPetr and Shamoon, Destover or Black Energy is that those destructive attacks were much more aggressive and straightforward, Kaspersky Lab said.
“These components were all wiper technology, delivered in a very intentional and destructive manner. It’s interesting that these spectacles all coincided with large political events and interests,” Kaspersky Lab researchers said. “So this new need to cloak their destructive activity or sabotage is an interesting shared change in tactics.”
WannaCry’s well-documented killswitch was an odd choice to include in the ransomware, something that researchers still haven’t completely figured out. Kaspersky Lab said it shared private reports with subscribing customers that indicate the attackers behind WannaCry also used spearphishing emails with links to files hosted at file-sharing services. The alleged resumes and job inquiries were instead executable files that installed droppers and downloaders that were later used to install WannaCry. The attackers, alleged to be North Korea’s Lazarus Group, did not attempt to collect the Bitcoin paid to recover files, nor did they enhance any development in the malware with features intent to turning a profit.
“This sort of inexpensive, two month long activity also may tell us a bit about the actor, their capabilities, and their interests — slow, practical, and somewhat hiding their interests in a very odd way,” Kaspersky Lab said.
Cisco’s report, meanwhile, focused more on the co-opting of IoT devices in large-scale attacks. The Dyn DDoS attacks of last fall showed the way, Cisco postulates, and now empowered by ExPetr, more may be on the way.
“There are signs that new types of attacks—more sinister and destructive than campaigns of the past—are in development. Adversaries are devising high-impact, wellplanned attacks that are designed to prevent any organization, big or small, from operating,” Cisco said. “They know that no business has a contingency plan that outlines how to rebuild all their IT or OT from scratch, and they are determined to use that weakness to their advantage.”