But this from a rather good security blog site tends to confirm what I am saying as well....
Quote:
Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that was believed to have been developed by the U.S. National Security Agency and in April 2017 leaked online by a hacker group calling itself the Shadow Brokers.
Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.
Russian security firm Group-IB reports that Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.
Quote:
Nicholas Weaver, a security researcher at the International Computer Science Institute and a lecturer at UC Berkeley, said Petya appears to have been well engineered to be destructive while masquerading as a ransomware strain.
Weaver noted that Petya’s ransom note includes the same Bitcoin address for every victim, whereas most ransomware strains create a custom Bitcoin payment address for each victim.
Also, he said, Petya urges victims to communicate with the extortionists via an email address, while the majority of ransomware strains require victims who wish to pay or communicate with the attackers to use Tor, a global anonymity network that can be used to host Web sites which can be very difficult to take down.
“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver said. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”
Here is the problem....WannaCry was declared by the US IC, probably NSA, with a degree of confidence to have been released by NK.....
Our active ongoing research assisting two Ukrainian IT companies indicated control servers sitting deep inside Russia, which we took offline to their surprise....but wait, NSA stated the previous attack was by NK....
What is the connection now between NK state-sponsored military hacking and individuals sitting deep inside Russia....??? Criminals working for RIS and/or on their own, OR outright RIS......
This is my assumption as well....so any of the above combination of who was using it in Russia....
“I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware”
Quote:
If we accept that Ukraine has been the test bed for Russian state-sponsored hacking of critical infrastructure since 2015, with three attacks, and if we accept there have been other such attacks by Russian hackers on Baltic power grids, and if we accept that Ukraine is in fact the Russian cyber attack testbed.....then this comment cements the concept of a deliberate cyber attack using ransomware as a disguise...
The attack, if one looks at the Ukrainian networks hit....reads like a military air strike target list, except on an economic level.....banks, telcos, major fuel companies causing a shortage of fuel, food markets, airports, government agencies, news media, power grids and power generation, etc...ALL designed to create a certain level of civilian panic
The fact that a COL in the Ukrainian SOF Military Intelligence, who had just returned from the Minsk front line and who was responsible for the collection of evidence of Russian military involvement for The Hague ICC, was killed by a car bomb in Kyiv in the early morning timeframe, and that the "so-called phishing attack" started almost immediately after that attack, is not just a single lonely coincidence....
This was a deliberate and well thought out cyber attack, using a new strain of the previously NK-released ransomware, carried out by Russians in Russia to send a Russian warning to the West.....
REMEMBER the NK military is also in the business of making money for the government, and if the price is right software always changes hands in the middle of the night these days....either to criminal gangs or to state-sponsored groups...
BTW...this is exactly what we saw yesterday...this type of data being exfiltrated out of attacked networks...thus making it not so easy but doable..tracking it to their command and control servers....which in this case ended in Russia.....
Russian security firm Group-IB reports that Petya bundles a tool called “LSADump,” which can gather passwords and credential data from Windows computers and domain controllers on the network.
This type of gathered data is important for future attacks on the compromised networks...
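The quoted observation about Petya's payment infrastructure (one Bitcoin address for every victim, contact by e-mail instead of Tor) can be turned into a simple triage check across ransom notes collected from several hosts. This is an added example, not code from the blog, the poster or any vendor; the notes, addresses and .onion domain in it are constructed placeholders.

```python
import re
from collections import Counter

# Heuristic from the quoted analysis: real ransomware usually gives each victim
# its own payment address and a Tor (.onion) contact; one shared address plus a
# plain e-mail contact is a sign of a destructive attack dressed as ransomware.
BTC_RE = re.compile(r"\b[13][a-km-zA-HJ-NP-Z1-9]{25,34}\b")  # legacy base58 addresses
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w-]+")
ONION_RE = re.compile(r"\b[a-z2-7]{16,56}\.onion\b", re.I)

def extract_indicators(note: str) -> dict:
    """Pull payment and contact indicators out of one ransom note."""
    return {"btc": set(BTC_RE.findall(note)),
            "email": set(EMAIL_RE.findall(note)),
            "onion": set(ONION_RE.findall(note))}

def assess_campaign(notes_by_host: dict) -> dict:
    """Compare notes from several hosts and flag a static, e-mail-only payment setup."""
    addresses = Counter()   # how many hosts each Bitcoin address appears on
    email_only = 0          # hosts whose note offers e-mail but no Tor contact
    for note in notes_by_host.values():
        ind = extract_indicators(note)
        for addr in ind["btc"]:
            addresses[addr] += 1
        if ind["email"] and not ind["onion"]:
            email_only += 1
    hosts = len(notes_by_host)
    shared = [a for a, n in addresses.items() if hosts > 1 and n == hosts]
    return {"hosts": hosts,
            "shared_address": shared[0] if shared else None,
            "email_only_hosts": email_only,
            "suspect_wiper": bool(shared) and email_only == hosts}

# Constructed sample notes (placeholder address, mailbox and .onion name).
STATIC_NOTE = ("Your files are encrypted. Send payment to 1ConstructedTestAddrQQQQQQQQQQ "
               "and mail your key to recovery@example.invalid")
SAMPLE_STATIC = {"host-a": STATIC_NOTE, "host-b": STATIC_NOTE, "host-c": STATIC_NOTE}
SAMPLE_PER_VICTIM = {
    "host-a": "Pay 1ConstructedTestAddrQQQQQQQQQA via http://constructedexampleaddr23.onion",
    "host-b": "Pay 1ConstructedTestAddrQQQQQQQQQB via http://constructedexampleaddr23.onion",
}

if __name__ == "__main__":
    print(assess_campaign(SAMPLE_STATIC))       # suspect_wiper: True
    print(assess_campaign(SAMPLE_PER_VICTIM))   # suspect_wiper: False
```

The check is only a signal for analysts to weigh alongside the other indicators in the post, not proof of intent.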