On June 27, 2017, a new malware variant named “Petya” (also known as “NotPetya” or “Nyetya”) began affecting Microsoft Windows personal computers (PCs) around the world. It hit many businesses, including Rosneft, Maersk, and the Chernobyl nuclear power plant, as well as government, power grid, and healthcare systems in many countries.
The recent wave of Petya was initially reported as ransomware. However, it turned out to be much worse: the malware is not designed to make money from victims who want their files decrypted. According to researchers, the way Petya encrypts the victim’s files leaves the attackers unable to decrypt them even if the ransom is paid. Since the attackers cannot supply a key that restores access to the data, any data that was not backed up is lost. Petya therefore appears to be a “wiper” rather than true ransomware.
Petya’s Impact to Industrial Organizations and Control Systems
Unlike the recently exposed CRASHOVERRIDE threat, Petya does not directly target industrial organizations or control systems, but it is still very dangerous and is spreading like wildfire.
The malware spreads in a manner similar to the “WannaCry” ransomware that surfaced in May 2017: a self-propagating "worm" infects any vulnerable PC on the network that does not have the “MS17-010” patch deployed. Microsoft issued this patch, which closes the SMBv1 flaws the worm exploits, in March 2017.
The biggest concern for industrial organizations is that operator and engineering workstations often run on Microsoft Windows platforms that still contain the underlying vulnerability, and so will become infected. If these workstations are compromised, important files will be encrypted and lost, and without the engineering and HMI workstations an organization loses visibility into the process. ICS-CERT released an alert to raise the awareness of critical infrastructure asset owners/operators about the Petya variant and to identify product vendors that have issued recommendations to mitigate the risk associated with this malware. Rockwell Automation, for example, released a notice titled "Rockwell Automation Recommended Mitigations For "Petya" Malware", recommending that customers deploy the patch to prevent system compromise.
However, while patching Windows-based machines is a standard best practice in IT, that isn't always possible for industrial control systems (ICS). Workstations may be involved in continuous processes that can't be stopped. Take oil and gas companies, for example: you can't stop a pipeline or a turbine easily in order to patch the supporting systems. System stability and safety are also major concerns, since a patch that is routine on an office PC can change the behavior of a validated control system.
Another Hacking Campaign?
The U.S. government also warned industrial firms last week about a hacking campaign targeting the nuclear and energy sectors. According to a joint report from the DHS and FBI, the attackers used "phishing" emails to harvest credentials that would let them gain access to target networks. Officials for the nuclear and electricity industries said there has been no apparent operational impact from the campaign, which has drawn the attention of federal officials.
Can Indegy Detect Petya?
Indegy is an agentless solution, so it does not inspect the workstations themselves; instead, it can identify the propagation of the malware by detecting the network activity between compromised systems as the worm moves from host to host.
Indegy recommends that its customers consult their OT vendors on whether the Microsoft patch can be deployed on their ICS workstations. Note that most OT vendors do not recommend applying patches automatically, due to stability and availability concerns.
In any case, we strongly advise our customers to keep secure backups of all critical systems and files, stored where an infected workstation cannot reach and encrypt them.
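As an added illustration of the network-level signal described above (example code, not Indegy's product logic or any code from the original post), the following Python script detects SMB-based worm propagation in flow records: a host that, within a short window, opens TCP/445 connections to many peers it never talked to during a learning period. The flow records, host addresses, window and threshold are all constructed assumptions; a real deployment would feed it NetFlow, Zeek conn logs or a span-port capture.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445  # MS17-010 / WannaCry / Petya lateral movement rides on SMB

# Constructed flow records for illustration, not a real capture:
# "timestamp src dst dport". The first minutes are normal traffic
# (HMIs pulling files from a historian on 445, polling a PLC on 502).
# At 10:06 the engineering workstation 10.10.1.30 starts fanning out over
# SMB to hosts it has never contacted, and at 10:08 one of its victims
# (10.10.1.40) starts doing the same: the signature of a self-propagating worm.
SAMPLE_FLOWS = """\
2017-06-27T10:00:00 10.10.1.20 10.10.1.200 445
2017-06-27T10:00:02 10.10.1.21 10.10.1.200 445
2017-06-27T10:00:04 10.10.1.30 10.10.1.200 445
2017-06-27T10:00:06 10.10.1.20 10.10.2.11 502
2017-06-27T10:05:00 10.10.1.20 10.10.1.200 445
2017-06-27T10:05:01 10.10.1.20 10.10.1.201 445
2017-06-27T10:05:02 10.10.1.20 10.10.2.11 502
2017-06-27T10:06:00 10.10.1.30 10.10.1.200 445
2017-06-27T10:06:01 10.10.1.30 10.10.1.21 445
2017-06-27T10:06:02 10.10.1.30 10.10.1.22 445
2017-06-27T10:06:03 10.10.1.30 10.10.1.23 445
2017-06-27T10:06:04 10.10.1.30 10.10.1.24 445
2017-06-27T10:06:05 10.10.1.30 10.10.1.40 445
2017-06-27T10:08:00 10.10.1.40 10.10.1.50 445
2017-06-27T10:08:01 10.10.1.40 10.10.1.51 445
2017-06-27T10:08:02 10.10.1.40 10.10.1.52 445
2017-06-27T10:08:03 10.10.1.40 10.10.1.53 445
2017-06-27T10:08:04 10.10.1.40 10.10.1.54 445
"""

# Assumed learning period: everything before this is treated as normal.
BASELINE_UNTIL = datetime(2017, 6, 27, 10, 5)


def parse_flows(text):
    """Parse 'ts src dst dport' lines into (datetime, src, dst, port) tuples, time-ordered."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return sorted(flows, key=lambda f: f[0])


def learn_baseline(flows, until):
    """Return the set of (src, dst) SMB peer pairs seen during the learning period."""
    return {(s, d) for t, s, d, p in flows if p == SMB_PORT and t < until}


def detect_smb_fanout(flows, baseline, window=timedelta(seconds=60), threshold=5):
    """Alert on any source that reaches `threshold` distinct NEW SMB peers within `window`.

    Returns {src: {"first_seen": datetime, "targets": [dst, ...]}}, one alert per source.
    """
    recent = defaultdict(deque)  # src -> deque of (ts, dst) for never-before-seen SMB peers
    alerts = {}
    for ts, src, dst, dport in flows:
        if dport != SMB_PORT or (src, dst) in baseline:
            continue  # not SMB, or a peer this host talks to routinely (e.g. the historian)
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # slide the window forward
            q.popleft()
        targets = {d for _, d in q}
        if len(targets) >= threshold and src not in alerts:
            alerts[src] = {"first_seen": q[0][0], "targets": sorted(targets)}
    return alerts


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    flows = parse_flows(SAMPLE_FLOWS)
    baseline = learn_baseline(flows, BASELINE_UNTIL)
    return detect_smb_fanout(flows, baseline)


if __name__ == "__main__":
    for host, info in run_demo().items():
        print(f"{info['first_seen'].isoformat()} SMB fan-out from {host} -> {info['targets']}")
```

The detector deliberately keys on new peers rather than raw connection counts: an HMI that hammers the historian's share all day never trips it, but an engineering workstation that suddenly probes five neighbours on 445 does, and the second alert (from 10.10.1.40, a host the first one reached) is exactly the hop-to-hop propagation an agentless monitor can see without touching the workstations.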