The massive cyberattack nicknamed Petya has ravaged computers around the world, even knocking out radiation monitoring computers and compromising the U.S. drug company Merck. Like the WannaCry attack in May, it was ransomware that demanded a few hundred dollars in bitcoin to unlock frozen data.
To security specialist Golan Ben-Oni, it also had echoes of a lesser-known attack in April on his company, the New Jersey-based conglomerate IDT Corporation.
Here & Now's Robin Young talks with Ben-Oni (@gbenoni) about the latest attack and his campaign to protect his company against the next one.
On the recent wave of cyberattacks, in light of the attack that hit his company in April
“We were really worried that what we saw back in April would really start to take the world by storm, and at the time, I was kind of accused of being a little negative, ‘Maybe this only happened to you,’ and one of the early indicators that this was dangerous was that it wasn’t really about ransomware. What we saw did something else, which was very troubling, which essentially was that it stole credentials. When credentials, which are usernames and passwords, are taken, you start to worry about what’s going to happen next, and this was very different from WannaCry, which essentially was just a ransomware event.”
On how the tools behind these attacks are able to circumvent cybersecurity software
“The trouble that we’re having here is that these tools were designed not to be spotted. I mean, these were created by some of the top security individuals on the planet, you know, who happen to work for the U.S. government, so the reason that this was largely successful was because it was designed to go undetected.”
On the ‘wormlike capabilities’ of the April attack to infect other companies
“This had wormlike capabilities, which means that, you know, we saw it attempt to move out, but when it failed to do so, it triggered the ransomware event, which basically was kind of like the match that burned the house down. So at that point the system essentially took itself out of service. So it did not spread any further. We did take a very close look at the systems that came to us, because again we recorded them, and what we realized was that those systems were also compromised.”
On his efforts to identify the attacker from April’s attack
“So my team at IDT and now my new company, IO Security, took a look at the attack factors. While I can’t get into too much public detail about how we did so, we did find our attacker.
“Ordinarily, when you provide this kind of detail to law enforcement, it’s really in their hands at that point. And it’s enough basically for them to take the next step.”
On trying to identify who’s behind the Petya attack
“Here’s the problem. Once the NSA tools get released, basically the first thing that’s gonna happen is a significant reverse engineering of that code to try to understand how it worked. And then for any interested party, they can begin to make use of that for anything they want.
“The reality is that there are tools out there, weaponized tools, and I can tell you that I know of 14-year-old kids that can do this.”
On using patches to prevent these kinds of attacks
“The attacks that we saw leveraged two NSA tools — Eternal Blue and Double Pulsar — that were addressed by Microsoft back in March. You know, if the average organization is taking 120 days to issue patches, and, you know, these NSA tools get dropped and people start weaponizing them, there really is a lot of time to get that done, so that’s one thing that we learn. But the other is that the industry has been telling everybody that all you have to do is patch, and what we’ve come to learn over the evening last night is that that’s not always true. That it really only takes one unpatched system to get hit, and then from there it can move laterally in your organization and even affect systems that are fully patched. So this is the problem now, that you can do everything that everyone has told you to do and still be vulnerable.”
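The point made above, that a single unpatched host can be the foothold from which stolen credentials reach fully patched systems, is the reason defenders watch authentication telemetry rather than patch status alone. The following is an added illustration, not code from the interview or from IDT or IO Security: it runs a simple lateral-movement "fan-out" check over constructed, simplified Windows-logon-style records (the record shape, host names, account names, the five-minute window and the threshold of four distinct targets are all assumptions chosen for the example).

```python
"""
Added example, not from the interview: flag authentication fan-out that
looks like lateral movement with stolen credentials. One account that
suddenly performs network logons to many distinct hosts inside a short
window is the pattern the interview describes, and it is visible in
logon logs even when the target hosts are fully patched.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records in a simplified, 4624-like shape:
# (timestamp, account, source_host, target_host, logon_type)
# Logon type 3 = network logon (remote access over SMB/RPC style protocols),
# logon type 2 = interactive logon at the console.
SAMPLE_LOGONS = [
    ("2017-06-27T09:00:05", "svc_backup", "WS-014", "WS-014", 2),
    ("2017-06-27T09:01:10", "svc_backup", "WS-014", "FS-01", 3),
    ("2017-06-27T09:01:12", "svc_backup", "WS-014", "WS-021", 3),
    ("2017-06-27T09:01:15", "svc_backup", "WS-014", "WS-022", 3),
    ("2017-06-27T09:01:18", "svc_backup", "WS-014", "WS-023", 3),
    ("2017-06-27T09:01:21", "svc_backup", "WS-014", "DC-01", 3),
    ("2017-06-27T09:02:00", "alice", "WS-030", "FS-01", 3),
    ("2017-06-27T09:30:00", "alice", "WS-030", "PRINT-01", 3),
    ("2017-06-27T09:45:00", "alice", "WS-030", "WS-030", 2),
]


def parse_ts(text):
    """Parse the constructed ISO-style timestamp used in the sample records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def detect_fanout(records, window=timedelta(minutes=5), threshold=4):
    """Return {account: {"sources": [...], "targets": [...]}} for every account
    whose network logons (type 3) reached at least `threshold` distinct target
    hosts inside any rolling `window`. Interactive logons are ignored because
    they do not indicate remote movement between hosts."""
    per_account = defaultdict(list)
    for ts, account, src, dst, ltype in records:
        if ltype == 3:
            per_account[account].append((parse_ts(ts), src, dst))

    alerts = {}
    for account, events in per_account.items():
        events.sort()  # chronological order so the window scan is linear
        for i, (t0, _, _) in enumerate(events):
            # Every later event within `window` of this one belongs to the window.
            in_window = [e for e in events[i:] if e[0] - t0 <= window]
            targets = {dst for _, _, dst in in_window}
            if len(targets) >= threshold:
                alerts[account] = {
                    "sources": sorted({src for _, src, _ in in_window}),
                    "targets": sorted(targets),
                }
                break  # one alert per account is enough
    return alerts


if __name__ == "__main__":
    for account, info in detect_fanout(SAMPLE_LOGONS).items():
        print(f"{account}: from {info['sources']} to {info['targets']}")
```

In the constructed data the `svc_backup` account reaches five distinct hosts, including a domain controller, from a single workstation within seconds, so it is reported with `WS-014` as the likely starting point; `alice` makes only two network logons spread over half an hour and stays below the threshold. In a real deployment the same logic would be fed from the SIEM's logon events, and the window and threshold would be tuned against the organisation's normal service-account behaviour.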