Take on cybercriminals in real time

SimulationDeck recreates Petya/NotPetya for training

In Brief

Kapersky Lab broke the news of Petya/NotPetya on Twitter, providing initial updates about countries affected and alleging that the ransomware was an enhanced strain of Petya. Nusura wanted to learn more about the role of Social media during the Petya/NotPetya cyber-attack. Nusura’s team of cyber and social media subject matter experts used SimulationDeck to build a time-lapse simulation of the information environment. The information environment provides a lens through which government agencies and corporations can monitor the progression and effects of a cyber-attack. Organizations need to integrate cyber-attack preparedness into emergency response and communications plans, and training and exercise programs.

 

Kapersky Lab used Twitter to break the news of an apparent Petya outbreak and keep the public updated with new information, including this announcement that the ransomware was not Petya..

Challenge

Nusura wanted to better understand the role of social media, traditional news media, and other open source information during the global Petya/NotPetya cyber-attack. According to a Reuters article published by Fortune Tech, the Petya/NotPetya cyber-attack that began on June 27, 2017, infected thousands of computers in dozens of countries with file-erasing malware.

Initially mistaken for Petya ransomware, the virus first infected computer systems in Ukraine where it locked computer files in infected systems and displayed a ransom message demanding $300 in Bitcoin.

Four hours into the attack, Kapersky Lab used Twitter to break the news that the virus was actually a destructive wiperware that permanently deleted files with no options for restoration. Over the course of nearly three days, the attack affected major corporations across industries including shipping giant Maersk and WPP, the world’s largest advertising agency. The global economic impact was immense, costing $850 million worldwide according to Reuters.

 

Janus Cybercrime Solutions also used Twitter to confirm that this new ransomware was not a version of Petya.

During the attack and in the days that followed, Nusura noticed that social media played a key role in providing information about the progression of the virus and corporate response actions. For example, Kapersky Lab, an internet security giant, broke the news of Petya/NotPetya on Twitter, providing initial updates about countries affected and alleging that the ransomware was an enhanced strain of Petya.

According to an article by UK publication The Register, Janus Cybercrime Solutions, the hacking group responsible for creating the original Petya virus, later also confirmed via Twitter that this new ransomware was not a version of Petya..

Nusura social media analysts and cyber security experts needed a way to capture, re-create, and replay the event in order to better study the relevant social media posts and other open source data.

GeoDeck is a geo-location tool on SimulationDeck that allows users to emulate geo-tagging social media posts and analyze where social media activity occurs during an incident.

Approach

The team used Nusura’s proprietary training and exercise delivery tool, SimulationDeck, to create a microcosm of the information environment related to the Petya/NotPetya cyber-attack. First, Nusura captured hundreds of key social media posts, news stories, website articles, text and video blogs, and TV news broadcasts related to the attack.

The team then uploaded these real-world sources from the information environment into SimulationDeck’s social media and website simulators, turning a three-day cyberattack into a four-hour simulation. The team also used metadata from real-world social media posts to geo-locate representative posts on SimulationDeck’s social media mapping tool, GeoDeck.

Results

The information environment provides a lens through which to evaluate the progression and effects of a cyber-attack. In the same way that social media provides emergency responders with information about the progression and effects of a hurricane or other natural disaster, social media can also provide situational awareness for organizations monitoring the progression and effects of a cyber-attack. For example, many affected organizations like Maersk and Posteo used social media to update employees, customers, and other stakeholders about the impacts of the attack and protective actions the organizations were taking. In another example, social media was used by the press to share a photo from an anonymous source after DLA Piper was impacted.

 

@Petya_Payments was a Twitter handle created to report payments made to the hackers’ bitcoin wallet. As cybersecurity experts revealed that NotPetya was malware, social media users used the @Petya_Payments handle to help warn affected organizations to avoid paying the ransom.

 

Maersk used social media to update employees, customers and other stakeholders about the impacts of the attack and protective actions the organizations were taking.

While the information environment can provide tremendous situational awareness and help inform better decision-making, it can be impossible to navigate effectively without a plan and operating procedures for effectively gathering and leveraging the hundreds of thousands of data points.

The information environment during and after reports of the Petya/NotPetya cyber-attack surfaced was overwhelming and convoluted. Volumes of social media posts covered a wide range of themes, including concerns from affected companies, proposed fixes for the corrupted files, and speculation about whether or not the virus was actually ransomware. There were also multiple sources of information among different groups of social media users. On Twitter, for example, one set of information was circulated in posts with the #Petya/#NotPetya hashtags, while the @Petya_Payments account posted information that sometimes conflicted with those posts.

Cyberspace is the new theater of war. Preparedness and practice are critical.

Organizations need cyberattack response plans that include protocols for leveraging the information environment both as an intelligence gathering and decision-making tool, and as a communications platform. Plans must be validated and teams trained to execute the plans proficiently in order to promote organizational resiliency.

Social media and the increasingly important role played by the information environment is changing the way organizations understand and respond to emergencies and crises of all kinds. As the information environment continues to evolve, teams must be well prepared and practiced at engaging with this dynamic digital ecosystem in order to successfully confront and manage future crises.

*Personally identifiable information (PII) was removed from social media posts from members of the public.

RELEVANT CASE STUDIES

SHARE THIS

WHAT OTHERS ARE SAYING...

“The training was a real eye-opener for us with SimulationDeck. The public information officers didn’t expect it to be a stressful situation, and we were scrambling to verify information and respond to information that was being put out by the online newspaper, television news, and social media. The information was realistic, nothing felt simulated and we realized we needed to work much harder honing in our skills. This was the first time we set up a JIC and it was a lot harder and more complex than we anticipated. The local government has 30 public information officers, and many of them have been in the business a long time, but SimulationDeck showed us that being able to do public information in their daily lives is much different than managing public information in a disaster.”

Christine Lett,
VITEMA Public Information Officer

“For the BigX, we’re really, really focused on exercise integrity and objective integrity and to make sure our scenarios are as realistic as we can possibly get. So, having the newsreels, and the tweets come in, and those kinds of things, that really would drive any kind of decision making, or anything like that at the lower level in emergency management coordinating or the EOC, helps those folks practice making decisions over and over so in the real event they’ll be a lot more comfortable dealing with anything that might be coming in.”

Molly McFadden,
Emergency Preparedness Director North Central Texas Council of Governments

“Nusura team members are highly skilled at facilitating collaboration and engaging stakeholders in a personable, effective manner. What sets Nusura apart from other consultants is their absolute commitment to steering the project to full fruition.”

Patty Eaton,
Public Risk Communications,
County of Santa Clara Office of Emergency Services

"Using SimulationDeck for Vibrant Response helped us show higher command what to expect from social media and how we can effectively leverage it during a crisis. SimulationDeck helps us exercise like 21st Century soldiers.”

Maj. Dominic Sansone,
Missouri National Guard

Nusura: Experience Innovation. Call us at 1.888.375.5685