NotPetya used NSA exploits even before release by Shadow Brokers
New research from security firm F-Secure suggests that NotPetya malware was made six months ago using NSA exploits before they were released by hackers
The NotPetya malware used code from exploits supposedly kept secure by the US National Security Agency (NSA), it has been revealed.
Research into the NotPetya malware released earlier this week has indicated that the two NSA exploits it uses were absorbed into its code in February before they were even publicly released by the Shadow Brokers group.
The research was released by Andy Patel, security advisor at security software and services firm F-Secure, in a blog post. He described the code as both "a mess… part of it most certainly isn't sophisticated. But… part of it is".
Two of the three main components he describes as "shoddy", but "the third component, the bit that allows the malware to spread laterally across networks, seems very sophisticated and well-tested".
That is the part that incorporates the NSA exploits. He continued: "It appears to be well designed, well tested, and there's evidence that development on the network propagation component was completed in February.
"February is many weeks before the exploits EternalBlue and EternalRomance (both of which this module utilises) were released to the public (in April) by the Shadow Brokers. And those exploits fit this component like a glove."
However, he cautioned: "This isn't rock solid evidence, but it's far more compelling to us than any of the other reasoning we've seen so far."
In contrast, he added, the WannaCry ransomware that went global in May had only picked up the EternalBlue NSA exploit it used after the Shadow Brokers group had dumped the exploits in the public domain in April.
"WannaCry didn't do the best job at implementing these exploits correctly. By comparison, this 'Petya' looks well-implemented, and seems to have seen plenty of testing. It's fully-baked," wrote Patel, conjecturing that the NotPetya malware was rushed out, partly in response to the WannaCry ransomware.
"WannaCry burst onto the scene in May, and started trashing up the joint, causing everyone to scramble to patch SMB vulnerabilities. Microsoft even patched XP!
"The result of this was a sudden drop in effectiveness of carefully crafted network propagation components (such as the one we're talking about here). Whatever project these guys were working on, suddenly got its deadline adjusted. And hence everything else was done in a bit of a hurry," wrote Patel in the blog posting.
Patel conjectures that Petya is a nation-state attack, possibly from North Korea.
F-Secure has also found that the malware has something against Kaspersky: if it finds Kaspersky security software running on the device (and, indeed, is able to run - Kaspersky claims that its heuristic detection picks up NotPetya and prevents it from running) then it "writes junk to the first 10 sectors of the disk, and then reboots, bricking the machine completely".
However, the main conclusion that Patel draws so far is that it had been in development for some time, but that its release was drastically brought forward as a result of WannaCry. And, like WannaCry, NotPetya is also flawed, in this case because its main elements have been rushed and have not been properly tested.