A top Department of Homeland Security official says the U.S. government was unable to fully measure the scale and impact of two recent ransomware outbreaks, dubbed WannaCry and NotPetya, due to a lack of private sector engagement.
Christopher Krebs, acting undersecretary for the National Protection and Programs Directorate, told an audience of cybersecurity professionals Wednesday that the biggest issue with both incidents was the absence of reports from businesses that were affected. While experts say that WannaCry and NotPetya disrupted business operations at American companies, it’s not clear how many enterprises were damaged or to what degree.
The government wanted to collect more information from affected companies in order to better assess the initial infection vector, track the spread of the virus and develop ways to deter similar future attacks.
Collecting data from victim organizations was important in the WannaCry and NotPetya incidents, a senior U.S. official who spoke on condition of anonymity told CyberScoop, because the information could have been used to inform policymakers about the perpetrator of the attack and potential responses.
Several leading cybersecurity firms, including FireEye and ESET, attribute the NotPetya outbreak to a Russian hacking group. WannaCry is believed to be the work of North Korean operatives. The likely purpose of NotPetya, experts say, was to disrupt and damage Ukraine’s economy through the spread of destructive ransomware. WannaCry’s purpose was less clear.
“I am still convinced the spread of WannaCry was an accident,” the official said. “It seems like they sort of fat-fingered it and it got out before they had planned.”
Analysis written by security researchers in the aftermath of WannaCry — which leveraged leaked computer code linked to the NSA — suggested that the poorly configured ransomware had likely been launched for financial purposes but ultimately failed to collect ransoms because of flaws in its code. Ransomware works by encrypting the contents of a victim’s hard drive and demanding payment, typically in bitcoin, to unlock the computer and make it usable again.
A senior U.S. official told CyberScoop that only a half-dozen U.S. companies spoke to the U.S. government to signal that their systems were affected by NotPetya. Many more engaged private companies like Symantec on the issue, the official said.
“What we were told by Symantec was much higher … like add a few zeroes,” the official said.
There’s very little public information concerning how disruptive NotPetya was in the U.S. Only a few examples are known, including infections to shipping logistics company Maersk and international law firm DLA Piper — both of which have a significant presence in the U.S.
Cisco’s Talos Team previously found that the likely reason NotPetya spread beyond Ukraine was the malware’s ability to propagate over virtual private network (VPN) connections between Ukrainian firms and international companies, some of which are based in the U.S. In addition, the initial infection vector was a booby-trapped software update rolled out by a popular Ukrainian accounting software firm named M.E.Doc.
Wednesday’s comments mirror those previously made by other leaders in government, including former FBI Director James Comey. Private sector companies infected with ransomware largely tend to keep those incidents secret by privately working with contractors rather than the federal government.