The Untold Story of NotPetya, the Most Devastating Cyberattack in History (2024)

But the story of NotPetya isn’t truly about Maersk, or even about Ukraine. It’s the story of a nation-state’s weapon of war released in a medium where national borders have no meaning, and where collateral damage travels via a cruel and unexpected logic: Where an attack aimed at Ukraine strikes Maersk, and an attack on Maersk strikes everywhere at once.

Oleksii Yasinsky expected a calm Tuesday at the office. It was the day before Ukraine’s Constitution Day, a national holiday, and most of his coworkers were either planning their vacations or already taking them. But not Yasinsky. For the past year he’d been the head of the cyber lab at Information Systems Security Partners, a company that was quickly becoming the go-to firm for victims of Ukraine’s cyberwar. That job description didn’t lend itself to downtime. Since the first blows of Russia’s cyberattacks hit in late 2015, in fact, he’d allowed himself a grand total of one week off.

So Yasinsky was unperturbed when he received a call that morning from ISSP’s director telling him that Oschadbank, the second-largest bank in Ukraine, was under attack. The bank had told ISSP that it was facing a ransomware infection, an increasingly common crisis for companies around the world targeted by profit-focused cybercriminals. But when Yasinsky walked into Oschadbank’s IT department at its central Kiev office half an hour later, he could tell this was something new. “The staff were lost, confused, in a state of shock,” Yasinsky says. Around 90 percent of the bank’s thousands of computers were locked, showing NotPetya’s “repairing disk” messages and ransom screens.

After a quick examination of the bank’s surviving logs, Yasinsky could see that the attack was an automated worm that had somehow obtained an administrator’s credentials. That had allowed it to rampage through the bank’s network like a prison inmate who has stolen the warden’s keys.

As he analyzed the bank’s breach back in ISSP’s office, Yasinsky started receiving calls and messages from people around Ukraine, telling him of similar instances in other companies and government agencies. One told him that another victim had attempted to pay the ransom. As Yasinsky suspected, the payment had no effect. This was no ordinary ransomware. “There was no silver bullet for this, no antidote,” he says.

A thousand miles to the south, ISSP CEO Roman Sologub was attempting to take a Constitution Day vacation on the southern coast of Turkey, preparing to head to the beach with his family. His phone, too, began to explode with calls from ISSP clients who were either watching NotPetya tear across their networks or reading news of the attack and frantically seeking advice.

Sologub retreated to his hotel, where he’d spend the rest of the day fielding more than 50 calls from customers reporting, one after another after another, that their networks had been infected. ISSP’s security operations center, which monitored the networks of clients in real time, warned Sologub that NotPetya was saturating victims’ systems with terrifying speed: It took 45 seconds to bring down the network of a large Ukrainian bank. A portion of one major Ukrainian transit hub, where ISSP had installed its equipment as a demonstration, was fully infected in 16 seconds. Ukrenergo, the energy company whose network ISSP had been helping to rebuild after the 2016 blackout cyberattack, had also been struck yet again. “Do you remember we were about to implement new security controls?” Sologub recalls a frustrated Ukrenergo IT director asking him on the phone. “Well, too late.”

By noon, ISSP’s founder, a serial entrepreneur named Oleh Derevianko, had sidelined his vacation too. Derevianko was driving north to meet his family at his village house for the holiday when the NotPetya calls began. Soon he had pulled off the highway and was working from a roadside restaurant. By the early afternoon, he was warning every executive who called to unplug their networks without hesitation, even if it meant shutting down their entire company. In many cases, they’d already waited too long. “By the time you reached them, the infrastructure was already lost,” Derevianko says.

On a national scale, NotPetya was eating Ukraine’s computers alive. It would hit at least four hospitals in Kiev alone, six power companies, two airports, more than 22 Ukrainian banks, ATMs and card payment systems in retailers and transport, and practically every federal agency. “The government was dead,” summarizes Ukrainian minister of infrastructure Volodymyr Omelyan. According to ISSP, at least 300 companies were hit, and one senior Ukrainian government official estimated that 10 percent of all computers in the country were wiped. The attack even shut down the computers used by scientists at the Chernobyl cleanup site, 60 miles north of Kiev. “It was a massive bombing of all our systems,” Omelyan says.



Author: Tish Haag
