The two US National Security Agency (NSA) exploits used by the NotPetya malware were allegedly absorbed into its code in February, before they were even publicly released by the Shadow Brokers group.
That's according to research released by Andy Patel, security advisor at F-Secure. He described the code as both "a mess… part of it most certainly isn't sophisticated. But… part of it is".
He describes two of its three main components as "shoddy", but "the third component, the bit that allows the malware to spread laterally across networks, seems very sophisticated and well-tested".
That is the part that incorporates the NSA exploits. He continued: "It appears to be well designed, well tested, and there's evidence that development on the network propagation component was completed in February.
"February is many weeks before the exploits EternalBlue and EternalRomance (both of which this module utilises) were released to the public (in April) by the Shadow Brokers. And those exploits fit this component like a glove."
However, he cautioned: "This isn't rock solid evidence, but it's far more compelling to us than any of the other reasoning we've seen so far."
In contrast, he added, the WannaCry ransomware that went global in May had only picked up the EternalBlue NSA exploit after the Shadow Brokers group dumped it in the public domain in April.
"WannaCry didn't do the best job at implementing these exploits correctly. By comparison, this 'Petya' looks well-implemented and seems to have seen plenty of testing. It's fully-baked," wrote Patel, conjecturing that the NotPetya malware was rushed out, partly in response to the WannaCry ransomware.
"WannaCry burst onto the scene in May, and started trashing up the joint, causing everyone to scramble to patch SMB vulnerabilities. Microsoft even patched XP!
"The result of this was a sudden drop in effectiveness of carefully crafted network propagation components (such as the one we're talking about here). Whatever project these guys were working on, suddenly got its deadline adjusted. And hence everything else was done in a bit of a hurry," wrote Patel in the blog posting.
Patel conjectures that Petya is a nation-state attack, possibly from North Korea.
F-Secure has also found that the malware has something against Kaspersky: if it finds Kaspersky security software running on the device (and is itself able to run; Kaspersky claims that its heuristic detection picks up NotPetya and prevents it from running), then it "writes junk to the first 10 sectors of the disk, and then reboots, bricking the machine completely".
However, the main conclusion that Patel draws so far is that it had been in development for some time, but that its release was drastically brought forward as a result of WannaCry. And, like WannaCry, NotPetya is also flawed, in this case because its main elements have been rushed and have not been properly tested.