2017-10-02 17:32

The recent PetyaA virus attack has shown not only the level of protection of Ukrainian information systems but also the level of awareness of cybersecurity issues. Emotions went away, work was restored, conclusions were made ...

...But what conclusions have been made by the competent authorities responsible for cyber security and the protection of the Ukrainian information space? We talk about this and a lot more with Igor Kozachenko, CEO of the "ROMAD" company and former head of the State Centre for Cyber Defense and Counteraction to Cybersecurity, the State Service of Special Communication.

- The Head of the Cyber Police mentioned in a recent interview that the attack by the PetyaA virus would have been impossible without the involvement of special services - most likely, Russian ...

- During a cyberattack, well-prepared special services usually use mimicry methods. Therefore, it is difficult to determine the attacking country by technical methods alone. I also believe that cyberattacks can be compared to terrorist attacks and, accordingly, the attacking country should be determined with the same methods. One of them is determining who benefits and who could potentially stand behind it. And here I definitely agree with the Head of the Cyber Police. There is also a misconception that when an attack occurs, it is immediately evident who is attacking, as if it were flagged in there. In fact, one cannot immediately determine who is behind it - an in-depth analysis is required to do that. Responding to a similar question at one of the conferences on information security, I presented screenshots showing that one of the first attacking countries was Ukraine. 70% of the attacks come from within the country because it's easier and more efficient. Typically users, especially of home networks, neglect the most basic computer protection. Hence, tens of thousands of computers get infected with bots that can then be used to attack the country's information resources. This is the outside factor, and this is the most important thing - the readiness of our compatriots. Tell me, do you have an AV on your PC?

- Yes.

- That means you have at least some kind of protection. Many would answer that they don't have an AV. Thus, a computer, and the home network as well, is prone to infection. A bot network is created from such computers, a control computer gets access to such a network and performs, for instance, a DDoS attack, i.e. a denial-of-service attack, or an attack on the country's information systems. Therefore, in order to find out who is behind such an attack, you need to find the managing server and the computer that manages it. That computer belongs to the attackers, and through them it is possible to get to the person calling the tune.

- Was the PetyaA attack paid for?

- 90% yes. Why? Because the aim of the attack was not to encrypt the data and get a ransom but to completely destroy the data on the computers affected by the cyberattack. It is also notable that the attack itself occurred on the eve of the Constitution Day of Ukraine celebration.

First of all, the ransomware encrypted the data, but nobody offered "give us money and we will give you a unique decryption key." That is, it was a pre-planned action aimed at discrediting information systems and their protection. Second of all, it is absurd that after encrypting the data on the victim's computer, the second stage was the destruction of all information on this computer! We have seen the result and the consequences of this.

- The virus did not attack all vulnerable computers but only selected EDRPOU codes. What do you think the main purpose of the intruders was, and why was the "M.E.Doc" program chosen for the attack?

- It's not about the entry point chosen. It could be any organisation, any provider with a large client database, or the Ministry of Justice's registries, which have access to many information resources. By the way, some earlier attacks targeted the Register of the Ministry of Justice in particular, and notaries suffered primarily in that attack.

The second attack took place in the spring of 2017, an attack by the XData encryptor that went almost unnoticed, but it was merely a test case. Any system that has access to any users' information resources is interesting to the attacker, and the greater the access, the more interest it evokes.

That’s why “M.E.Doc” was chosen for the attack – it is obvious, there were many reasons for it. Firstly, a large network of users both public and commercial;

secondly, it happened on 27-28th, the end of the month, a lot of reporting was being done with the “M.E.Doc” software;

thirdly, users start updating their software at this time meaning a possibility to conduct (with a high chance) a full-scale attack;

fourthly, selectivity –only those resources were attacked that were of crucial importance for the attacker with the help of the scenario (EDRPOU codes). 

Analyzing the full scenario of this attack, it was most likely a trial run of what I would go so far as to call cyber weapons. In such a reconnaissance in force there were three main points to find out: the first is the speed of infection, the second is the penetration speed, and the last and most important is the reaction speed of users and of security administrators in blocking this kind of vulnerability. And we all know that no one took responsibility for the attack – this only proves the case to be ordered, apparently by intelligence services.

- This isn't the first attack in Ukraine, is it?

- This is one of a few. The CVK (the Central Electoral Committee – editor's note) was attacked in 2014. Before that, power supply systems of Ukraine such as Transcarpathian Oblenergo were affected. Why Transcarpathia? It was important for the client to try the attack on the power sector of the region. And earlier, an attack on financial institutions was conducted: the Ministry of Finance and the Treasury, because they needed to try the tools for an attack on the financial sector of Ukraine. Previously, attacks on public government offices such as the Presidential Administration, the Cabinet of Ministers, the Ministry of External Relations, the Ministry of Defense, the National Security Agency, the Ministry of Home Affairs and the State Service of Special Communication were made and are still being made. Also, the mass media of Ukraine are not left out of focus, as they are interesting from the point of view of propaganda and the possibility of becoming a field for spreading "useful" info to the public. All the attacks were specific and targeted specific aims; which ones, you can conclude yourself, especially by putting all the pieces of info together into a common strategy.

- Is "M.E.Doc" more protected now?

- I believe yes!

They have got strong protection. One of the security features is Romad EDR – a unique solution to protect end users provided by our company. This is Next Generation Endpoint Protection and Response (NGEP) software that allows you to protect your automated workplace from malware with the help of the latest level of cyber protection. Our solution also provides real protection against so-called "zero day" threats. This software is in use and fully protects the PCs and servers of the company's network, as it is called there. In addition, the security policy for the company's entire infrastructure has been revised and supplemented.

And the most important is experience. They have been tried by fire, and, therefore, they have become stronger! 

And I would like to set the right accents in this situation.

M.E.Doc is the party wronged.

Guilty, not guilty, or what M.E.Doc is to blame for in letting its networks be hacked are secondary issues. The company will carry out a very thorough analysis of the situation and will make efforts to protect itself from future attacks.

Indeed, it's important that M.E.Doc is a very vivid and resonant example for all other companies.

The conclusion is obvious - it is much cheaper to analyze the level of protection of one's information resources in advance, and to choose and implement effective tools, than to cover the consequences of a successful attack.

- Coming back to the attack. Compared with what you experienced over the last 3 years, was the PetyaA attack the most powerful?

- If we analyze all the details and aspects of the cyber protection of state information systems starting from the 2004 elections, attacks of this kind have been modified and have become more complicated. When in 2004 the first DDoS attack on the information resources of the Central Electoral Committee took place, the attack level reached 2 Mbit. Back then we thought it was a collapse. We were protecting the state information resources with special equipment, which was new and very expensive at that time, and we thought it could not be worse. Today, the latest DDoS attacks have already risen to 14-28 GB per channel, and this was already noticeable for many providers; in some instances 80 GB per channel was reached in Ukraine. As for virus attacks, they have become more sophisticated. Why? Because virus writers began to apply several technologies in one package. Often, the attack is a symbiosis of a DDoS attack as a distracting maneuver; a virus attack to obtain the intended result of the script (obtaining passwords, data encryption, data deletion, tracking, retrieving data, etc.); and gaining control of and access to information resources.

- Did the PetyaA virus achieve its intended results?

- De facto, we can certainly say that the results have been achieved and the attackers have accomplished their goals: they assembled static information, and taking into account that after the 27th there was the G-20 summit, and it had previously been claimed that Russia could be removed from SWIFT, we may summarize that they are trying to show us: 'Look what we did. Please imagine that we can do the same worldwide.' It means that all of a sudden all government, administrative, energy, transport and medical institutions will be benumbed within two hours. There will be no register, finance, energy or information system working. Everything will be paralyzed, down to the phone: no light, no hot water and no signal. At the same time, a reputable person will appear on the scene and say: 'I have a key that will help you decipher the system, but you must fulfil obligations. Also, there is a timer with the final countdown.'

However, let's look at the benefits of the attack - responsible executives of big companies and the government of Ukraine started to take a positive view of cyber security, as the consequences of such attacks make them move in the right direction. This can be proved by the latest laws and regulations on cyber security and, also, by the decisive actions of the government and of responsible executives of big companies. Thus, allocating funds to ensure information protection is a big breakthrough in building the common information protection of a country and cyber security in general. It is good that we can learn from past mistakes. God help us that it be our last mistake, and, also, that we actually can be one step ahead of possible threats.

- Anyway, let's talk a bit about M.E.Doc. Please tell us, is M.E.Doc to blame for being attacked? There has been a lot of information that M.E.Doc bears the guilt for everything because there was almost no security and anyone willing could crack and enter the system.

- The main postulates of Internet security, and of cyber security in particular, are:

(A) protection is a continuous process, and

(B) there are no systems that cannot be hacked. All efforts in cyber security come down to maximizing the cost of a successful hack and, to some extent, making it higher than the "profit" from the result in the event of a successful attack.

If we assume that it was intelligence services that carried out the attack, then M.E.Doc, or any other enterprise that might be of interest to such a client, has no chance against them. That is, M.E.Doc is just one of the possible scenarios of an attack on the information assets of a country or business sector. Everyone could and can be in its shoes – any big government office or private enterprise that might serve as a so-called entry point.

I don't understand why everyone came down on M.E.Doc. Let's turn to PetyaA one more time. The exploits used in PetyaA were stolen from one of the most protected agencies in the world - the NSA (USA). A hacking group, 'Shadow Brokers', is reasonably blamed for the theft. According to the investigations of many antivirus companies, the Russian secret service is behind this.

Also, what kind of blame are we talking about? The expertise level of the professionals standing behind the NotPetya attack allowed them to crack almost any enterprise, company or organization.

That's why we always tell our clients that current AV solutions can't fully protect their information systems. We explain that they need new security tools of the so-called next generation.

Developers of next-generation solutions claim as one that the static signature approach used by traditional AVs is out of date. It's a solution that has been used for 20 years, but it can't be used any longer. As PetyaA showed, and from what we have seen at our potential clients, there was a big mess. Machines, including those with the latest versions of operating systems and all possible patches, 'fell'. They 'fell' just like the others – fell together with Eset, Symantec, McAfee and the rest of the world-class AV names.

- Could M.E.Doc have done something to prevent the situation?

- My opinion is that the level of the attack was so high that almost no one could resist it. Today M.E.Doc, tomorrow the Treasury, the day after tomorrow the National Bank, then the largest providers of Ukraine. The mechanism could and can be different. If it had happened a few years earlier, the victim could have been Ukrtelecom. Why so? Because at that time Ukrtelecom was a monopolist in the Ukrainian information environment, and it would have been logical to infect the information structure of the country through it. Nevertheless, now M.E.Doc was much more favourable for attackers, as it has a large client database. And as I said, this attack was a trial of one of the potentially possible scenarios. Tomorrow it can be a complex entry point. For example, the first may be the registry database, the second the largest provider, and the third the information reporting system.

- Does it mean that they can go through a tax agency and attack it in the same way as M.E.Doc?

- This is just one example of how one can test the effectiveness of one's cyber weapon... There is no doubt that this is a prototype, just as surely as there is in fact a wider spectrum of action.

- Does it mean that it was a trial?

- Yes, it was a trial and a demonstration of power. If you add here a couple of segments that I mentioned earlier, including the attacks in 2014-2016 on our information assets, they would take everything under control. What would be the result? The energy market would "fall", the financial system would "fall", the information structure would "fall", the entire Ukrainian information infrastructure would "fall". You can draw a conclusion about the consequences by yourself.

- What are the conclusions?

- Many people think that a cyber war is something distant and ephemeral, but I can certainly tell you that a cyber war has already been going on in Ukraine. Every second. And, accordingly, there are people who really fight at the keyboard. We are some of them, and we try to place our shield in time against a deleterious sword.

In general, Ukraine has logically become better prepared for such attacks. However, technologically we have seen the results of traditional means of protection, including AVs and other endpoint protection solutions.

The West has already largely acknowledged that we are living in a "post-AV society" and that protection has to be built proactively, based on absolutely new principles. We still have to understand, acknowledge and accept this new cyber protection paradigm.

Unfortunately, in most cases end users of cyber protection come to realize this largely only after similar incidents and successful attacks.

ROMAD, as a developer of cyber-protection tools, has come up with an innovative solution which proved its efficiency during the Petya attack.

It’s time for users to choose.