As life returns to normal after last week’s far-reaching malware attack, researchers and governments are working to determine who was responsible for unleashing the computer virus. Ukraine has blamed Russia, saying the “available data” points to “the same hacking groups” that attacked the country’s power grid in 2015 and 2016 — groups that researchers have linked to Russia.
Researchers at a NATO-affiliated cyber center in Estonia, meanwhile, said the incident called for a collective response. “The number of affected countries shows that attackers are not intimidated by a possible global level investigation in response to their attacks,” the organization declared. “This might be an opportunity for victim nations to demonstrate the contrary by launching a special joint investigation.”
Security firms have not yet joined Ukraine in blaming Russian hacking groups, but they have said that the initial attack — compromising the Ukrainian tax program M.E.Doc’s auto-update server — was sophisticated enough to suggest nation-state involvement. But at least one researcher disagreed. On Monday, Jonathan Nichols, an independent analyst and former director of security research at cyber firm Flashpoint, published a post showing that the attack was not as complex as others have suggested. With relatively simple techniques, he was able to convince the M.E.Doc server to push a corrupted update file. “This is not behavior you would expect to see when the client-server relationship for updates is encrypted or secured in any way,” he told MC in an interview. “This is the kind of behavior where, as long as the client pings for the update, it’s going to get it.” The malware attack, he wrote on his blog, was “not sufficiently complex to have necessarily been conducted by a nation state actor.”
Experts at major cyber firms quickly pushed back on Nichols’ research. Costin Raiu, director of Kaspersky Lab’s global research and analysis team, noted that Nichols based his simulated attack on public information about the M.E.Doc server’s use of a common file-transfer protocol — information that M.E.Doc’s creators could theoretically have faked. “I saw admins who deliberately put fake FTP version banners on their servers to trick hackers into attacking them with old exploits,” Raiu told MC. “Then they capture everything for analysis and block the attacker IPs. Therefore, it’s not proof that anyone could have done it; it might, or might not be.”
Nichols acknowledged that this was a possibility but called it unlikely. “This does not look like the kind of work of someone who’s going to set up a fake server,” he said. “This looks like a crappy server that hasn’t been updated since 2013, and all evidence suggests that to be true. … This could all be faked. But there’s no evidence.” Meanwhile, Ukrainian police blamed the small firm that makes M.E.Doc, saying its owners knew in advance of flaws in their software and that they may face criminal charges. Police also seized the firm’s servers.
HAPPY WEDNESDAY and welcome to Morning Cybersecurity! Hope everyone had a nice holiday. Send your thoughts, feedback and especially tips to email@example.com, and be sure to follow @timstarks, @POLITICOPro, and @MorningCybersec. Full team info is below.