June 27, 2023 marks the sixth anniversary of the NotPetya ransomware attack, still widely regarded as the most costly and destructive cyber attack in history. Occurring just over a month after the similarly infamous WannaCry ransomware attack, NotPetya paralyzed operations at multinational corporations across a wide swath of critical infrastructure sectors including healthcare, energy, and transportation — resulting in an estimated $10 billion in damages. Six years later, the U.S. Department of State is still seeking to bring the threat actors to justice, offering a reward of up to $10 million for information on the officers behind the attack.
Looking back six years later, it’s clear that NotPetya has had a profound influence on the behavior of cyber threat actors and cybersecurity practitioners alike, highlighting the vulnerabilities of operational technology (OT) systems and raising concerns about the potential consequences of cyberattacks on critical infrastructure. It was only a matter of time before cybercriminals realized that OT networks are critical to operations — including controlling electrical power generation, managing transportation networks, treating and distributing water, ensuring safe production and processing of chemicals, and more — and that their role in ensuring the safety and security of industrial operations makes them extremely valuable targets.
Following the NotPetya attack, adversaries have grown increasingly targeted in their ransomware strategies, shifting from opportunistic, spray-and-pray cyber attacks to more deliberate campaigns against specific companies with low tolerance for operation downtime and a greater willingness and ability to meet ransom demands. At the same time, the changes IT and OT security professionals have encountered over the last few years, including the impact of digital transformation and adoption of remote work, have been unprecedented and have had a dramatic impact on critical infrastructure.
Beginning in March of 2020, organizations had to pivot quickly as a remote and hybrid workforce became the new normal. Those who were able to adopt a new, distributed model faster succeeded in continuing operations and gained a competitive advantage. However, the acceleration of digital transformation and remote work also created more opportunities for threat actors, and we’ve seen an unprecedented increase in ransomware attacks on OT networks. In our global survey of 1,100 IT and OT security professionals, 47% of respondents had their OT/industrial control systems (ICS) environment impacted by a ransomware attack within the past year. Attacks against hospitals, oil pipelines, food supply chains, and other critical infrastructure have brought into sharp focus the vulnerabilities of cyber-physical systems (CPS) and the severe impact disruptions can have on lives and livelihoods. In fact, the FBI’s Internet Crime Complaint Center (IC3) reported that in 2022 it received 2,385 complaints identified as ransomware, with adjusted losses of more than $34.3 million.
Compounding the issue, critical infrastructure networks are now in the bullseye of geopolitical conflict. On April 20, 2022, the security agencies of the Five Eyes intelligence alliance (the U.S., Australia, Canada, New Zealand, and the United Kingdom) released a joint Cybersecurity Advisory (CSA) warning of imminent and serious threats to critical infrastructure in countries that have sanctioned Russia or otherwise supported Ukraine. Cybercrime groups have aligned with Russia, pledging to support the country’s efforts to wage targeted cyber warfare. While ransomware tactics have shifted away from the likes of NotPetya, WannaCry, and other self-propagating ransomware, security practitioners should stay vigilant when it comes to protecting against another widespread ransomware attack of this variety. Similar occurrences in the future are all but inevitable, though only when the right conditions align.
NotPetya’s far-reaching impact would not have been possible if the wormable, NSA-developed EternalBlue exploit had not been leaked two months prior, in April 2017. While it’s impossible to predict if and when a similarly ubiquitous vulnerability will be exploited by cybercriminals, security teams can proactively address two major factors that enabled NotPetya to infect such a large number of OT environments:
Poor vulnerability management:
Since the patch for EternalBlue had been issued on April 14, 2017, more than two months prior to NotPetya, the entire ordeal could have been prevented if all organizations had applied the patch. Patching vulnerabilities before adversaries have the chance to exploit them at scale is essential for preventing attacks similar to NotPetya in the future, but administering security patches can be disruptive and costly — especially in OT environments. In order to manage and patch the vulnerabilities that matter most, security teams must have the visibility needed to identify which security flaws are present within OT assets, as well as the ability to accurately assess the level of risk posed by each vulnerability. Then, they can prioritize patching known exploited vulnerabilities, as suggested by the joint CSA. In instances where patching isn’t possible or practical, such as with legacy systems, identifying and implementing compensating controls such as firewall rules and access control lists is key. Understanding the level of exposure will help determine where to focus resources and budget, prioritizing the most important assets for protection.
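The prioritization described above, as an added example that is not part of the original post: rank each asset/vulnerability pair with known-exploited flaws first and OT or process-critical assets ahead of IT assets, and send unpatchable legacy systems to a compensating control instead of a patch. The KEV set, CVE identifiers, scoring weights and inventory are all constructed placeholders.

```python
from dataclasses import dataclass

# Constructed stand-in for a known-exploited-vulnerability (KEV) list; the
# CVE identifiers in this example are placeholders, not real entries.
KEV = {"CVE-EXAMPLE-0001"}

@dataclass(frozen=True)
class Asset:
    name: str
    zone: str               # "it" or "ot"
    cves: tuple             # findings from the asset inventory
    patchable: bool         # False for legacy systems that cannot take a patch
    critical_process: bool  # True if downtime halts production or affects safety

@dataclass(frozen=True)
class Action:
    asset: str
    cve: str
    action: str
    score: int

def risk_score(asset, exploited):
    """Exploited-in-the-wild first, then OT and process-critical assets."""
    score = 10 if exploited else 1
    if asset.zone == "ot":
        score *= 3
    if asset.critical_process:
        score *= 2
    return score

def plan(assets, kev=KEV):
    """Rank every (asset, CVE) pair and choose patch vs compensating control."""
    actions = []
    for a in assets:
        for cve in a.cves:
            exploited = cve in kev
            if exploited and a.patchable:
                act = "patch now"
            elif exploited:
                act = "compensating control: block the service at the zone boundary (firewall rule / ACL)"
            elif a.patchable:
                act = "patch in next maintenance window"
            else:
                act = "track; revisit when a fix or control is available"
            actions.append(Action(a.name, cve, act, risk_score(a, exploited)))
    return sorted(actions, key=lambda x: x.score, reverse=True)

ASSETS = [  # constructed inventory
    Asset("eng-workstation", "ot", ("CVE-EXAMPLE-0001",), True, False),
    Asset("legacy-hmi", "ot", ("CVE-EXAMPLE-0001", "CVE-EXAMPLE-0002"), False, True),
    Asset("hr-laptop", "it", ("CVE-EXAMPLE-0001",), True, False),
    Asset("file-server", "it", ("CVE-EXAMPLE-0003",), True, False),
]

if __name__ == "__main__":
    for act in plan(ASSETS):
        print(f"{act.score:3d} {act.asset:16s} {act.cve:18s} {act.action}")
```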
Poor network segmentation:
A major factor behind the NotPetya attack spreading like wildfire across a plethora of organizations’ IT and OT environments was a lack of segmentation. Applying IT/OT segmentation policies will mitigate the risk of an attack on the IT network spreading to the OT network. In addition, virtual segmentation within the OT environment is a cost-effective and efficient way to establish a baseline for “normal” network behavior and be alerted to any lateral movement as malicious actors try to establish a presence, jump zones, and move throughout the environment. And, if remote operations need direct access to the OT networks, virtual segmentation makes sure this is done through a secure remote access connection with strict controls over users, devices, and sessions.
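The zone baseline and lateral-movement alerting described above, as an added example that is not part of the original post: flows are mapped to IT/DMZ/OT zones, compared against the paths learned during a baseline period, and SMB crossing a zone boundary (the path a NotPetya-style worm would take from IT into OT) is raised at the highest severity. The address plan, baseline paths, log format and flow records are constructed assumptions.

```python
import ipaddress

# Constructed address plan: one network per zone.
ZONES = {
    "it": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "ot": ipaddress.ip_network("10.3.0.0/16"),
}
# Constructed baseline: (src_zone, dst_zone, dst_port) paths seen during a
# learning period. Anything else crossing a boundary deserves an alert.
BASELINE = {
    ("it", "dmz", 443),   # engineers reach the historian front end in the DMZ
    ("dmz", "ot", 502),   # DMZ collector polls controllers over Modbus/TCP
    ("ot", "ot", 502),    # controller-to-controller polling inside OT
}
SMB_PORTS = {139, 445}    # the service NotPetya's SMB exploit abused

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((z for z, net in ZONES.items() if addr in net), "unknown")

def parse_flow(line):
    """Constructed format: '<timestamp> <src> <dst> <dport>'."""
    _ts, src, dst, dport = line.split()
    return src, dst, int(dport)

def classify(src, dst, dport):
    """Return (severity, reason), or None when the flow matches the baseline."""
    sz, dz = zone_of(src), zone_of(dst)
    if (sz, dz, dport) in BASELINE:
        return None
    if dport in SMB_PORTS and sz != dz:
        return ("critical", f"SMB crossing {sz}->{dz}: {src} -> {dst}:{dport}")
    if dport in SMB_PORTS:
        return ("high", f"unbaselined SMB inside {sz}: {src} -> {dst}:{dport}")
    if sz != dz:
        return ("medium", f"unbaselined {sz}->{dz} flow: {src} -> {dst}:{dport}")
    return ("low", f"unbaselined intra-{sz} flow: {src} -> {dst}:{dport}")

def scan(lines):
    """Run the classifier over flow log lines; returns alerts in log order."""
    return [v for v in (classify(*parse_flow(l)) for l in lines) if v]

SAMPLE_FLOWS = [  # constructed flow records, not real traffic
    "2023-06-27T10:00:01Z 10.1.5.20 10.2.0.10 443",  # normal: IT -> DMZ web
    "2023-06-27T10:00:02Z 10.2.0.10 10.3.7.15 502",  # normal: DMZ -> OT Modbus
    "2023-06-27T10:00:03Z 10.1.5.20 10.3.7.15 445",  # IT host reaching OT over SMB
    "2023-06-27T10:00:04Z 10.3.7.15 10.3.7.16 445",  # SMB hopping between OT hosts
    "2023-06-27T10:00:05Z 10.1.5.21 10.3.9.3 22",    # unexpected IT -> OT SSH
]

if __name__ == "__main__":
    for sev, why in scan(SAMPLE_FLOWS):
        print(f"[{sev}] {why}")
```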
The NotPetya attack did not target industrial environments specifically. But, due to its self-spreading capabilities and its use of an SMB vulnerability present in many OT environments, it wreaked widespread havoc on critical infrastructure organizations. The attack was a wake-up call for many CISOs and a forewarning of a new paradigm, in which the overlap between IT and OT security threats is more broadly recognized and prioritized in today’s hyper-connected world. Increasingly, CPS and the networks they operate on have become attractive targets for nation-state adversaries and criminals. As we’ve established throughout this blog, these networks are critical to operations and, many times, to health and human safety. Fortunately, security leaders can accelerate the rate at which they gain visibility and control over their assets, proactively prepare for the most likely scenarios — and stop incidents like NotPetya in their tracks.