Deja Vu: What Do NotPetya and SolarWinds Have in Common?

As I was waking up in Boston on the morning of June 27, 2017, reports were being shared on social media that an electric power supplier in Ukraine had been hit by a cyber attack. Within about an hour, a Danish power supplier was also knocked offline and Maersk shipping announced that it was affected as well. By the time I arrived at my desk, companies around the world had been shut down by the same attack—which Symantec identified as Petya ransomware. It was going to be a busy and interesting day.

We quickly discovered that the attack was not actually Petya ransomware. It was instead a completely different attack that was engineered to look like Petya to create confusion—which is why it was dubbed NotPetya. Within a few hours, researchers at Cybereason discovered a flaw that could be used to shut down NotPetya—a kill switch—and we quickly shared that information with the world to mitigate and stop the threat before more damage could be done.

Recently, I experienced a little bit of deja vu because there was another attack with many of the same tactics and markers as NotPetya. The SolarWinds attack bears many similarities to NotPetya—including evidence that it is actually the very same group within Russia that executed both attacks.

Connecting the Dots

For starters, both NotPetya and SolarWinds were supply chain attacks—sophisticated and complex campaigns that compromised software known to be used by the intended target, and surreptitiously inserted malicious code. With NotPetya, Russian threat actors planted a backdoor in accounting software they knew was being used by the intended target in Ukraine.

With SolarWinds, the company itself was not the ultimate goal—it was a means to an end. The point of attacking SolarWinds and compromising the code was to enable the attackers to gain access to all of the government agencies and companies that rely on, and—more importantly—implicitly trust that software. 

The other thing the two attacks have in common is that both SolarWinds and NotPetya originate from Russia. NotPetya and SolarWinds were state-sponsored or state-sanctioned attacks directed against a foreign adversary. NotPetya was aimed at Ukraine, while SolarWinds targeted the United States. 

It is more than that, though. We believe that the SolarWinds and NotPetya attacks are not just both from Russia—they come from the same group in the Russian government and were executed by the same people. After we discovered and shared the NotPetya kill switch, we sent a team to Ukraine to investigate and understand what really happened.

That is where we were able to verify that this was not a ransomware attack at all, but a targeted operation by the Russian government designed to look like ransomware to disguise its objective. It also enabled us to gather intelligence that helps us connect the dots between SolarWinds and NotPetya.

The Next SolarWinds

The next SolarWinds is already out there. Russia and other cyber adversaries are already inside a network somewhere putting the pieces in place. In fact, threat actors remained undetected inside SolarWinds for over a year. It’s possible that SolarWinds could be the next SolarWinds, because it is difficult to know what backdoors or zero-day exploits were planted before the threat was detected, or to be sure that all malicious code has been eradicated. 

Cybereason is ready for the next SolarWinds. Our researchers discovered the “vaccine” to shut down NotPetya back in 2017, and we have continued to provide future-ready attack protection beyond the endpoint for our customers. For us, SolarWinds was not a surprise. The attackers behind SolarWinds wanted to avoid being detected and stopped, so they designed the malicious code to shut down and find a different target if Cybereason was detected in the environment. 

The United States government is taking steps to address the escalating cyber war with Russia, but threats will continue—from Russia and from other nations as well. Supply chain attacks will also continue. They are an effective means of widely distributing malicious code. The question is, “What can CISOs and other cybersecurity professionals tasked with protecting against attacks do with that information?”

First, take a look at the security controls SolarWinds had in place when the initial compromise occurred. It is helpful to understand how that protection failed and where it was inadequate in order to learn lessons and improve cyber defenses against future attacks. 

Beyond that, make sure you have tools in place that provide visibility into the entire malicious operation. Too many organizations rely on legacy solutions that are simply not equipped to effectively detect and respond to the complex threats we face today. Organizations need to be able to detect and respond to indicators of behavior in real time, rather than reacting to indicators of compromise after attacks have already succeeded.

Lior Div
About the Author

Lior Div, CEO and co-founder of Cybereason, began his career in and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
