Global computer networks blitzed by new ‘ransomware’ attack

By Blake Sobczak | 06/28/2017 07:19 AM EDT

A containment dome covers the site of the Chernobyl nuclear meltdown in Ukraine. The site was associated with ransomware attacks across the globe yesterday. Tim Porter/Wikimedia Commons

A fast-spreading cyberattack hit manufacturers, banking companies and energy firms across the globe yesterday, including the Ukrainian agency monitoring the cleanup of the Chernobyl nuclear site.

The State Agency of Ukraine on Exclusion Zone Management, which oversees a vast radioactive area surrounding the site of a deadly 1986 nuclear explosion, said yesterday that a cyber incident had forced workers to manually check radiation levels after they were effectively locked out of their normal workstations.

"Due to the temporary shutdown of Windows, industrial site radiation monitoring is performed manually," the agency said in a Ukrainian language news announcement, adding that a site of a state-owned nuclear operator was temporarily pulled offline "in connection with the cyberattack."

Representatives from the agency did not respond to requests for comment, but the online press release noted that other safety technologies at the Chernobyl "exclusion zone" in northern Ukraine were functioning normally. A spokeswoman told Agence France-Presse that workers were patrolling parts of the site with hand-held radiation meters "like it was decades ago."

Ukraine has been steadily recovering from the Soviet-era nuclear disaster, though fully cleaning up the site is still set to take nearly 50 years. Authorities last year managed to slide a massive steel shelter over one of the contaminated reactors to curb further leaks (Greenwire, Nov. 29, 2016).

The same cyberattack that roiled Chernobyl, along with several Ukrainian media, banking and utility firms, also appears to have infected dozens of organizations worldwide, from Russian state-owned oil giant Rosneft OAO to American pharmaceutical giant Merck & Co. The incident involved a new "ransomware" variant — so called because the malware locks up important files on infected computers and holds the key hostage.

Rosneft said on Twitter that no oil production or preparation processes had been stopped by the attack, though it noted that the incident "could lead to serious consequences." The oil company added that it had contacted law enforcement authorities and switched to a reserve control system for some of its operations as a precaution.

"The big worry that a lot of us have is that [ransomware is] going to jump to control systems," said Page Stoutland, vice president for scientific and technical affairs at the Nuclear Threat Initiative. "You can imagine the difficulty if all of a sudden you’re blind to your control system because it’s taken over by ransomware."

The U.S. Department of Homeland Security posted an alert yesterday about the widespread attacks, which it said appeared to be linked to the previously known "Petya" threat. Cybersecurity experts say the new samples appear to take advantage of a flaw in a proprietary Microsoft Corp. server messaging protocol. Microsoft published a fix for the vulnerability earlier this year, though many organizations haven’t applied it.

A DHS spokesman said the agency is ready to assist U.S. companies potentially affected by the malware, adding that the agency "is monitoring reports of cyberattacks affecting multiple global entities and is coordinating with our international and domestic cyber partners."

The new attack appears to have hit Ukraine and Russia hardest in terms of the number of machines infected, based on early research from Russia-based cybersecurity firm Kaspersky Lab.

It comes mere weeks after a similarly contagious ransomware variant, dubbed "WannaCry," quickly wormed its way into computer networks worldwide (Energywire, May 15). Experts say the latest variant appears to have been crafted to spread more effectively than WannaCry.

Mike Assante, a former U.S. grid security official who now leads industrial control system security at the SANS Institute cyber training group, urged infrastructure operators yesterday to "think pretty broadly" about what ransomware could potentially do to their most sensitive systems.

"You could lose access to key files that could interrupt or disrupt the control system," he said.