Like a criminal setting fire to a crime scene, the infamous Petya malware outbreak may have been part diversion, part cover-up of more traditional network intrusions, according to a Booz Allen Cyber4Sight technical analysis.
Petya infected thousands of networks in Ukraine and wreaked havoc on the country in late June. Since then, assessments of the malware's nature have vacillated between ransomware, which encrypts files and demands a payment to decrypt them, and a wiper, a type of malware that irreversibly destroys the machines it infects.
At the same time, experts have theorized about the motivations of the people who carried out the attack: Were they, like most ransomware peddlers, criminals seeking to profit from ransom payments, or was Petya simply a vehicle for destruction?
It remains unclear what motivated the Petya outbreak and, to a degree, what kind of malware Petya is exactly. However, it is crystal clear that the attackers infected their victims by compromising a popular Ukrainian tax software called MEDoc, using its update service to spread the malware, which masqueraded as a new version of MEDoc.
Based on an analysis of submissions to a popular malware repository over a period of months—including malicious MEDoc updates and tools associated with a well-established threat group—Booz Allen Cyber4Sight believes that the TeleBots threat actors may have used the Petya malware as a mechanism for wiping forensic evidence of their activities at the conclusion of a traditional network intrusion.
Download the report below to learn more from our analysis.