Firms around the globe are reporting that they have been hit by a major cyber-attack.
Ukraine’s government, National Bank and biggest power companies all warned of cyberattacks Tuesday. Airports and metro services in the country were also reportedly affected, though it appears they’re victims of another massive ransomware outbreak that’s spreading across the world fast and hitting a significant number of critical infrastructure providers.
Ukrainian firms, including the state power distributor and Kiev’s main airport were among the first to report issues.
Whispers of WannaCry abound, though security experts said a different breed, named Petya, is to blame. “[We’re seeing] several thousands of infection attempts at the moment, comparable in size to WannaCry’s first hours,” said Kaspersky Lab’s Costin Raiu. “We are seeing infections from many different countries.” One firm, BitDefender, said it believed a similar strain called GoldenEye was actually responsible.
This morning saw major Danish shipping and energy company Maersk report a cyber attack, noting on its website: “We can confirm that Maersk IT systems are down across multiple sites and business units due to a cyber attack.” And Russian oil industry giant Rosnoft said it was facing a “powerful hacker attack.” Major British advertiser WPP said on Facebook it was also hit by an attack, while law firm DLA Piper was also reportedly affected. None had responded to requests for comment or stated what kind of attack they were under.
The impact initially appeared to be most severe in Ukraine. The organization managing the zone of the Chernobyl disaster fallout said it had to switch radiation monitoring services on industrial sites to manual as they had to shut all Windows computers down, though automated systems for the rest of the zone operated normally. Other victims included major energy companies such as the state-owned Ukrenergo and Kiev’s main supplier Kyivenergo.
From the looks of images being posted across social media, the ransomware note is in English and demanding $300 in Bitcoin, similar to the WannaCry ransom.
Though ransomware is typically used by cybercriminals, with WannaCry it was alleged a nation state was likely responsible for spreading the malware: North Korea.
Cyber intelligence companies and the NSA believe with medium confidence that the nation used leaked NSA cyber weapons to carry out the attacks that took out hospitals in the U.K and infected hundreds of thousands of others.
How the ransomware spreads
Security researchers fear the latest outbreak is hitting systems via the same leaked NSA vulnerabilities as WannaCry. Early analysis of some Petya samples confirmed the so-called EternalBlue exploits, which targeted a now-patched vulnerability in Microsoft Windows, were used by the malware creators.
But CERT.be, the federal cyber emergency team for Belgium, pointed to a different flaw in Windows. As noted by security firm FireEye in April, attacks exploiting the bug allow a hacker to run commands on a user’s PC when they opened a malicious document. FireEye saw Office documents that contained the hack and downloaded popular malware types onto target computers.
CEO of Hacker House, Matthew Hickey, said the initial attacks appeared to have been delivered by that latter attack, using phishing emails containing Excel files. The Petya malware may have spread so quickly by subsequently using the worm features of the NSA attack, he added, confirming that the ransomware’s code certainly used EternalBlue.
“This time it’ll breach people who weren’t impacted by WannaCry because it’ll get to the internal networks via email,” Hickey warned.