Read the original text at 112.ua.
On June 27, Ukraine became the victim of a large-scale cyber attack. The Petya ransomware disabled the websites and internal systems of dozens of Ukrainian companies and even of Ukraine’s Cabinet. And although the virus hit six dozen other countries, Ukraine suffered the greatest damage. According to Microsoft, more than 12,500 computers were affected in our country.
What was it?
At about 11:30 on Tuesday, June 27, the attack began. The virus struck dozens of companies, from banks and gas stations to Ukrposhta, Ukrzaliznytsia and Boryspil airport. Even the Cabinet's computers came under attack. At the same time, the PCs of private users were practically unaffected. The reason is that the virus was distributed through M.E.Doc, Ukrainian-made software used for accounting reporting.
In the wake of the large-scale attack, the Cyberpolice published an analysis of events. "This software has a built-in update function that periodically accesses the server upd.me-doc.com.ua (18.104.22.168) using the User Agent 'medoc1001189'. The update has a hash dba9b41462c835a4c52f705e88ea0671f4c72761893ffad79b8348f57e84ba54. Most legitimate pings are about 300 bytes. In the morning, on June 27, at 10:30 the program was updated, the update was approximately 333 KB," the report said.
Later, the virus spread through a vulnerability in the Samba protocol (the same one used during the WannaCry attacks). Cyberpolice representatives noted that this was not an accusation against the M.E.Doc developer, only a statement of the facts. Infection through M.E.Doc is one of the attack vectors; phishing was another. Microsoft specialists also confirmed that the M.E.Doc software was at fault.
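The police analysis quoted above gives defenders a concrete signal: routine check-ins to the update server are about 300 bytes, while the June 27 response was about 333 KB. The following added example (not part of the original article or of any vendor's tooling) flags such oversized responses in proxy logs; the log format, sample lines and thresholds are constructed for illustration.

```python
import re
from statistics import median

# Constructed proxy-log sample (format and values are illustrative, not from
# the police report): timestamp client_ip host response_bytes "user-agent"
SAMPLE_LOG = """\
2017-06-23T09:00:12 10.0.0.21 upd.me-doc.com.ua 301 "medoc1001189"
2017-06-24T09:00:09 10.0.0.21 upd.me-doc.com.ua 298 "medoc1001189"
2017-06-25T09:00:15 10.0.0.21 upd.me-doc.com.ua 305 "medoc1001189"
2017-06-26T09:00:11 10.0.0.21 upd.me-doc.com.ua 310 "medoc1001189"
2017-06-26T14:02:40 10.0.0.35 www.example.org 512000 "Mozilla/5.0"
truncated line without the expected fields
2017-06-27T10:30:02 10.0.0.21 upd.me-doc.com.ua 340992 "medoc1001189"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            ts, client, host, size, ua = m.groups()
            yield {"ts": ts, "client": client, "host": host,
                   "bytes": int(size), "ua": ua}


def flag_oversized_updates(log_text, host="upd.me-doc.com.ua",
                           ua="medoc1001189", factor=20, min_history=3):
    """Return update-channel responses far larger than the usual check-in.

    The baseline is the median response size for this host and User-Agent,
    so a single large response does not shift it. `factor` and `min_history`
    are assumed tuning values, not figures from the report.
    """
    hits = [r for r in parse(log_text) if r["host"] == host and r["ua"] == ua]
    if len(hits) < min_history:
        return []  # not enough history to call anything unusual
    baseline = median(r["bytes"] for r in hits)
    return [r for r in hits if r["bytes"] > factor * baseline]


if __name__ == "__main__":
    for rec in flag_oversized_updates(SAMPLE_LOG):
        print(f'{rec["ts"]} {rec["client"]} -> {rec["host"]}: {rec["bytes"]} bytes')
```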
A peculiarity of the Petya virus is that it blocks access to the data on a computer's hard disk. Paying 300 dollars did not help to get the files back: several companies hastened to pay but did not receive the access keys. It was similar with the WannaCry virus: the attackers received more than 100 thousand dollars but did not send the keys.
The hacker attack of June 27 was the largest in the history of Ukraine. By the number of infected computers, it even surpassed the attacks of December 2016, when damage was inflicted on the country's power system. It should be noted, though, that this virus still did not destroy the data on hard disks; perhaps that was not its purpose. Nor did its creators set out to earn money, according to the UN (about 10 thousand dollars were received on their account, and it was therefore blocked). The virus has, however, truly revealed the state of affairs in the field of cybersecurity in Ukraine.
Why did this become possible?
Viruses such as WannaCry and Petya exploit vulnerabilities in the Windows operating system. The developers of this OS have already acknowledged this. International experts, however, say that Petya was modified specifically for Ukraine, which is why the channel chosen for penetration was a program used by many companies in our country.
Mykola Belogorsky, the founder of one of the American anti-virus companies, has said that such an elegant and purposeful attack could be carried out only with the support of another state (Ukrainian cyber experts Zoryan Shkiryak and Anton Herashchenko even named this country).
"The virus is very different from the previous ones, and it seems that it was written specifically for Ukraine. The previous attacks were financial: it was the ransomware WannaCry, which spread around the world, encrypted files and demanded a ransom. The Petya virus erases data; it is not possible to return data to people, even if they pay a ransom. It was distributed through the M.E.Doc accounting system, which is used only in Ukraine and is mandatory for use in tax reporting," he said.
Russia is the first thing that comes to experts' minds when talk turns to hackers. However, the state company Rosneft has also claimed that it suffered from a global attack. And UN expert Neil Walsh has said that it could be anyone, from a guy in a cellar to the government of a country. According to the head of the Internet Association of Ukraine, Olexander Fedienko, it is premature to blame all virtual misfortunes on neighbors. "There is a virtual society of hackers, which every time shows the white society that it's not worth forgetting about them," Fedienko said in a commentary.
Instead of making accusations, he advises assessing the situation in the field of cybersecurity in Ukraine, where there is an outright mess. "Many state enterprises have neglected their virtual security: in many enterprises you basically never find a computer security engineer, especially with the level of salaries that are established at state enterprises," the expert says.
Most companies, including large and state-owned ones, work on Windows. Many companies use pirated software. This choice of OS is easy to explain: it is convenient. However, viruses of this kind are written for Windows systems because they are the most common. In addition, Windows often has "holes" through which hackers send viruses. "But in Ukraine these systems are practically not updated. In short, it is risky for the system administrator to make updates, because if the update fails, the system, for example, of the bank may be disabled. The lack of an update means a vulnerability, and through these vulnerabilities viruses spread in the network," says Serhiy Nesterenko, an expert in the field of information and psychological security.
Another way is to use other operating systems. For example, during the attack the PrivatBank systems were not affected, while Oschadbank and about 30 other banks were hit. Experts note that Privat uses Linux, not Windows. At Ukrtelecom, the call center and customer service centers were damaged (because of Windows), but the service systems remained intact because they run on the Unix platform.
The Petya attack revealed another omission: companies that use Windows do not bother to install the developers' patches in time. Not to mention antivirus programs. Microsoft experts noted that their free antivirus, Windows Defender, was able to recognize the threat. Experts also note that the latest version of Symantec also "caught" the ransomware.
French cyber security specialist Jerome Bilois believes that the virus spread around the world so quickly because computers in companies were not updated even after the WannaCry attack, and the systems remained vulnerable.
"This will be a serious lesson for system administrators," says president of Internet Invest holding Olexander Olshansky.
What should be done to avoid catching a virus in the future?
"Given the scale of the infection, we should make an obvious conclusion - IT systems in Ukraine are extremely vulnerable, and information security professionals have low motivation. For example, it is obvious that the experience gained during the recent attack of WannaCry and other similar viruses was not taken into account. The updated antiviruses were helpless, and traditional corporate systems for countering attacks, such as firewalls, anti-spam filters, and other solutions, that annually consumed millions of budgets for renewal," says IT-developer Mykhailo Yakhymovych.
To avoid falling victim to the virus, experts advise updating your computer's operating system to the latest version, backing up data, not forgetting about antivirus software and, of course, not opening suspicious emails, for example from an unknown sender or with "exe" or "scr" files attached. Use mail programs that open files on the mail server itself. In other words, do not download the file to your computer; read the mail on the remote server instead. Such software products have existed for a long time.
Not all companies make copies of their data. Yet this is a very effective way to restore it, even if the virus has hit your system. Despite the fact that hackers began actively attacking Ukraine in 2015, Ukrainian state bodies were absolutely not ready for new cyber threats. Experts assure that, as technology develops, hacker attacks will only increase, and given the current situation with outdated equipment in government agencies, attacks are not difficult to carry out.
"Until recently, state bodies paid little attention to cybersecurity issues, and now they are beginning to raise this issue at the state level," says Hennady Chepurda, director of the company "Kryptosoft," adding that one of the reasons for the vulnerability of state bodies is the lack of qualified specialists in cyber security issues.
Two hours after the attack, 112.ua tried to find out details of the attack from CERT-UA, a specialized structural unit of the State Center for Cyber Defense and countering cyber threats of the State Communications Committee, but in response we were told that they had no information. And the Cyberpolice website was down in the midst of the cyber attack.
After the December attacks on the systems of the Ministry of Finance, the Cabinet of Ministers allocated 80 million UAH to the Ministry and the State Treasury for protection from hackers. It is not known how these funds were spent, but now, logically, the Cabinet should allocate a few hundred million for such protection, because the government's systems were also damaged on June 27.