Evolution of a cyberattack analyzing the first and second stages

The first epidemic was caused by the Brain virus (also known as the Pakistani virus) in 1987. Its developers were the brothers, Amdjat and Basit Farooq Alvi. According to McAfee data, the virus has infected more than 18 thousand computers in the United States (The first article.., 1988). However, it did not perform destructive actions (^{Yefymenko, 2007}); the program was written to determine the level of piracy in Pakistan. The virus infects the boot sectors, changes the disk label to (c) Brain, and leaves messages with the names, addresses, and telephone numbers of the authors. Its distinctive feature is the substitution of the infected sector with an uninfected original at the time of contact. Thus, the Brain can be called the first known stealth (invisible) virus. Within a few months, the program spread beyond Pakistan, and the epidemic reached global proportions by the summer of 1987.

The Lehigh virus was among the first destructive viruses. In 1987, it caused a mass infection of computers at Lehigh University (USA). Later, such phenomena would be called epidemics by analogy with biological viral diseases. The virus only infects the COMMAND.COM system files and is programmed to delete all the information on the current disk. The contents of hundreds of diskettes from the University library and students' personal diskettes were destroyed within a few days. All in all, about 4,000 computers were infected during the epidemic. However, Lehigh did not spread beyond the University (^{Novikovas et al., 2017}).

The Suriv family of memory-resident file viruses, detected in 1987, was created by an unknown Israeli programmer. The most famous modification, Jerusalem, gave rise to a global viral epidemic, the first real pandemic caused by an MS-DOS virus. Suriv viruses download code to a computer's memory, intercepting file operations and infecting COM and EXE files initiated by a user. This feature ensures the almost instantaneous spread of the virus on mobile data storage devices, at that time, floppy disks. Jerusalem differs from its predecessors by an additional destructive feature -the destruction of all running programs on Friday, the 13th. On the black date of May 13, 1988, the computers of many commercial firms, government agencies, and educational institutions, primarily in the United States, Europe, and the Middle East, became inoperable simultaneously.

On November 2, 1988, Robert Morris, a post-graduate student in the Department of Computer Science at Cornell University, released his worm. In less than a day, the worm spread to 6,000 machines -10% of the Internet at the time. It disabled many servers and users' computers connected to the network (^{Zobnin, 2015}). This was the first case of mass infection via the Internet in history. The Morris Worm applied the following techniques simultaneously to penetrate 4BSD and Sun 3 systems: the Remote Shell Protocol (RSH), the sendmail email transfer agent, and the finger network protocol. The first one came into play when one of the users' passwords was cracked on the already infected machine; the worm would then try to use the same login and password on a remote machine. Infection via sendmail occurred by exploiting a vulnerability in the debug code. Simply connected to the server via SMTP, the worm would give the DEBUG command, pass the source code to its head, and the command to run and compile instead of the filling command in the FROM and DATA fields. The worm gained access to the system via finger due to a vulnerability in the gets function of the libc library, which was used by the daemon to read a request from a remote machine. The worm passed 536 bytes to the daemon, provoking a stack failure and transferring the shell code control.

In all three cases, the worm ran the netstat command, read the /etc/hosts file, and searched for neighboring machines on the network in other ways. It would then read the /etc/passwd file and its extracted password hashes and try to find passwords using an internal 432-word database, the /usr/dict/words file, and its own high-performance DES algorithm implementation. Then, the operation was repeated for other hosts. The total damage caused by the Morris Worm was estimated at $96.5 million. After confessing, Morris was sentenced to three years' probation, a fine of $10,000, and 400 hours of community service.

Launched in June 1994, OneHalf is a very complex resident file-loading polymorphic virus that caused a global epidemic, including in Ukraine. Depending on the modification, the OneHalf infects boot sectors of disks and COM/EXE files, increasing their size by 3544, 3577, or 3518 bytes. The last two unencrypted hard disk cylinders are encrypted each time the infected computer is restarted. This process continues until the entire drive is encrypted. The built-in stealth procedure allows the virus to decrypt on the fly while requesting encrypted information. Consequently, the user will not notice anything suspicious for a long time. The only visual manifestation of the virus is the message, "Dis is one half. Press any key to continue..." This message is displayed on the screen when the number of encrypted disc cylinders reaches half their total number. However, when attempting to treat or after healing the disk's boot sectors, all the information on the disk becomes inaccessible and unrecoverable.

In June 1998, the Win95.CIH virus of Taiwanese origin was detected. It contains a logic bomb to destroy all information on hard drives and damage the BIOS contents on some motherboards. Because the program activation date (April 26) coincided with the date of the accident at the Chernobyl nuclear power plant, the virus received a second name, Chernobyl. The scale of the epidemic came to light on April 26, 1999, when according to various estimates, half a million computers worldwide were affected. The total damage was hundreds of millions of dollars. The epidemic center was South Korea, where more than 300,000 computers were infected.

After these first cyberattacks, this area of illegal activity was commercialized and used for profit. This change was followed by the emergence of a market for malware sold or rented, usually through specialized closed Internet resources. New centrally managed infected computers (so-called botnets) networks are also being sold or leased (^{Kozlovskyi et al., 2019}). Moreover, extortionware, spyware, denial of service attacks software, adware, and spamware, among others, are becoming increasingly widespread.

Ransomware, on the other hand, blocks or significantly complicates the user's ability to work on the computer, requiring a ransom to unlock the computer. Currently, there are several radically different approaches to the work of extortionware, which involves file encryption in the system, blocking or interfering with the system's operation, and blocking or interfering with the Internet browser's work. Spyware is secretly installed on a user's computer, secretly transmitting certain types of information to its server. Spyware can serve a variety of purposes, both harmless and very dangerous (^{Antoniuk et al., 2018}). An example of the former can be collecting particular programs' statistics to transmit them to developers to improve these programs. The authors' example of very dangerous ones includes receiving payment card details and client bank login credentials and transmitting them to the server.

A Denial-of-Service attack (DoS attack) involves interfering with the work of automated information systems; a successful implementation leads to the complete or partial inability of the mentioned systems to perform their functions (provide declared services). If such an attack is implemented from several sources simultaneously, it is called a distributed attack (DDoS attack, Distributed Denial-of-Service). DoS attacks are usually carried out to make the attacked system's resources inaccessible to legitimate users. The predicted consequences of these attacks include the inability to make payments via the Internet, loss of the attacked resource owner's image of the attacked hosting's owner, and replacing the blocked resource with a fake one. Business competitors often commit such actions to gain market advantage, or criminals to demand ransom to stop the attack.

Programs for remote DoS attacks can have a graphical interface and operate with the user's knowledge. The best-known program of this kind is LOIC, an acronym for Low Orbit Ion Cannon or low-orbit ion gun. However, the software secretly installed on an infected computer, becoming part of a botnet, is used more often. A botnet (robot and network) is a computer network consisting of several hosts with running bots -standalone software. Most often, a bot in a botnet is a malicious program secretly installed on the victim's computer, allowing an attacker to perform specific actions using an infected computer's resources (^{Levchenko & Britchenko, 2021}). An infected computer itself is often called a bot. Bots are usually used for illegal activities such as sending spam, retrieving passwords on a remote system, DoS attacks, obtaining users' personal information, and stealing credit card numbers and passwords. Among the largest known botnets is BredoLab, created in 2009 with about 30,000,000 bots, and Mariposa, created in 2008 with 12,000,000 bots.

Adware (from ad or advertisement) operation displays advertising. In some cases, this advertising can be useful. For example, when the developer inserts an ad to the program for advertiser discounts, and the user receives the program for free. However, the advertising program is often installed on the computer without the user's permission, most often even without the user's knowledge. Sometimes, the advertising displayed is so intrusive that it interferes with the work on the computer. Spam is the mass distribution of advertising or other correspondence to people who have not expressed a desire to receive it. The term spam primarily refers to promotional emails. Specialized programs designed for mass email sending are usually used for spam mass mailing. However, it is impossible to separate the legal program intended for sending mail and the malicious program intended for sending spam, as the harmfulness of distribution is determined by the recipients' authorization of this distribution.

Recently, malware has begun to be used as a weapon (cyber weapons) in so-called cyberwars (^{Nuklearlord, 2012a}), some of its operations commonly referred to as cyberat-tacks or cyber diversions. These publications' format does not provide the specific actions' exact criminal and legal qualifications; their designations (cyber-terrorist attack or cyber sabotage) are approximated. The use of Stuxnet malicious software is considered the first known case of cyber diversion (^{Nuklearlord, 2012b}). In late September 2010, it was discovered that the Stuxnet virus had caused serious damage to Iran's nuclear program. Exploiting operating system vulnerabilities and the infamous human factor, Stuxnet successfully affected 1,368 out of 5,000 centrifuges at the Natanga uranium enrichment plant and disrupted the Bushehr nuclear power plant launch. The client is still unknown.

However, many experts consider the United States and Israel as the developers and im-plementers of this cyber diversion (^{Nuklearlord, 2012b}; ^{Khlapkovskyi, 2016}; ^{Holovko, 2017}; Stuxnet virus delivers..., 2010). The perpetrator was a negligent Siemens employee who installed an infected flash drive in the workstation. The damage to Iran's nuclear facilities could be compared to an attack by the Israeli Air Force (^{Hold, 2010}).

After accessing the control system of the uranium enrichment centrifuges, the Stuxnet malware changed the centrifuges' normal mode of operation. As a result, they were either accelerated to a critical speed or suddenly decelerated. However, the reading on the screen showed the operator a normal mode of centrifuge operation. Continuous work in these extreme conditions led to the rapid failure of several centrifuges. It should be objectively noted that some sources deny the effectiveness of Stuxnet's harmful effects (^{Stuxnet and Iran., 2010}).

In terms of applied technologies, Stuxnet is an extremely high-tech and original solution in which the human factor is minimized in its application. Its characteristic feature is a thorough check of the affected automated information system. If the system found is not the targeted, the malicious program self-destructs without causing any harm to the affected system. This feature is not typical of common malware, one of the reasons why intelligence agencies have considered developing Stuxnet. Several other software tools subsequently appeared, which, according to experts, can be considered cyber weapons, including Duqu, Wiper, Flame, Gauss, MiniFlame, Madi, Shamoon, and Narilam.

Cyberattacks, a threat to a state's national security: third-stage qualitative and quantitative study

According to the authors, greater attention was given to the world's first confirmed case of power grid failure resulting from a cyberattack in Ukraine in December, when the Ivano-Frankivsk region was left without electricity (80 thousand households) due to outside interference in the operation of power grid facilities (^{Hubenko, 2016}). The Security Service of Ukraine reported the detection of malicious software in the computer networks of some oblenergos (Prykarpattiaoblenergo, Kyivoblenergo, and Chernivtsioblenergo), accusing Russian criminal hacker groups of its distribution (^{SBU Press Service, 2015}). Experts from US government agencies (State Department, Department of Energy, Department of Homeland Security, and the FBI) later joined the investigation, confirming the involvement of Russian hackers in the information attack (^{Perez, 2016}). It was found that BlackEnergy malware was used in the attack carried out by a Russian hacker group known as Sandworm. Altogether, the cyberattack consisted of five elements: infecting networks with fake emails; obtaining control of the automated control system by disabling substations; decommissioning uninterruptible power supplies, modems, switchboards, and other IT infrastructure; destroying information on servers and workstations (using KillDisk utility); and attacking through call center telephone numbers (from Russian numbers) to deny energy services to subscribers (^{Interfax Ukraine, 2016}).

On June 27, 2017, an unknown malware attacked many private and public companies in Ukraine, including banks (^{Cyberattack in Ukraine., 2017}). On that day, the National Bank of Ukraine warned other banks and financial sector industries about an external hacker attack by an unknown virus on several Ukrainian banks and some enterprises of the commercial and public sectors (^{National Bank of Ukraine, 2017}). According to Microsoft, a total of 12.5 thousand computers in the country were affected by the virus (^{Microsoft Defender Security Research Team, 2017}). Among the affected organizations were the Ukrzaliznytsia, Boryspil International Airport, Kyiv International Airport (Zhuliany), Epicenter, Nova Poshta, DTEK, Ukrenergo, Kyivenergo, Kyivvodokanal, Kyiv Metro, Antonov state enterprise, Document state enterprise, all national GSM mobile operators (Lifecell, Kyivstar, and Vodafone Ukraine), banks (Oschadbank, Ukrsotsbank, Ukrgasbank), and many others. State bodies also suffered an attack, particularly the Ukrainian Cabinet of Ministers and Ministry of Finance, and the website of the Lviv City Council, among others (^{Zakharov, 2017}).

On the evening of May 27, 2017, the Cyber Police Department of the National Police of Ukraine published that M.E.doc. software (for reporting and document management) updates were used to spread the NotPetya malware (^{Parfylo, 2016}; ^{Cyberpolice., 2017}). This information was later confirmed by experts from the ESET anti-virus laboratory (^{Bakhur, 2017}), Cisco Talos (^{Chiu, 2017}), and Microsoft (^{Microsoft Defender Security Research Team, 2017}). It should be noted that a month before the described events, the Cyberpolice Department warned the M.E.doc. program developers about their system's existing vulnerabilities, but the latter did not respond (^{Channel 24, 2017}). M.E.doc. Software is widely used for document circulation and reporting in Ukraine. This explains the extremely fast and massive spread of NotPetya malware on the computers of Ukrainian organizations. According to ESET, almost 80% of all NotPetya virus infections occur in Ukraine (^{Bakhur, 2017}). It should be noted that the update server of the M.E.doc. Program was hosted by the WNet Internet provider (^{Medium.com, 2017}), whose unreliability in terms of information security was reported by the SSU shortly before the described events (^{Security Service of Ukraine, 2017}; ^{Kapustynska, 2017}).

Specialists from the Kaspersky Lab (^{Ivanov & Mamedov, 2017}) and Comae Technologies researcher Matt Suiche (2017) have concluded that it is generally incorrect to call NotPetya a cryptographer. The fact is that this malware is essentially designed to destroy information. It is almost impossible to restore the affected data. This is not a mistake; it is the malware's authors' intention. Therefore, NotPetya should be called a Wiper.

In general, the cyberattack was conducted as follows. Having accessed the hosting of the M.E.doc. program update server, the attackers introduced the NotPetya malicious software into the next update package. During the M.E.doc. Program's automatic update, NotPetya malware was downloaded to the computers being updated. NotPetya encrypted the media (hard drives) on the affected computers blocking access to them.

At first glance, the NotPetya malware cyberattack looked like an attack by ordinary cybercriminals with selfish motives to make money by extortion. It was only during a thorough investigation involving both domestic and foreign experts that it was established that this cyberattack was, in fact, large-scale cyber sabotage or cyberattack planned and carried out by a criminal hacker group (or association of such groups). It is important to consider the algorithm of operation of this malicious software in more detail.

Once on the computer, the NotPetya malware determines whether Kaspersky, Norton, or Symantec antivirus is running, disabling the antivirus when detected. After identifying and disabling the antivirus, NotPetya encrypts the data on the disk (files with the extension 3ds, 7z, accdb, ai, Asp, Aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, Disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, and vmc). Then, it deletes the MBR (the original MBR is stored in the 0x22 disk sector and is encrypted using the XOR bitwise operation encoding with key 0x7) and cleans the logs to hide traces of its actions as much as possible (^{Nesterenko, 2017}). If the process has administrative privileges in the operating system, then, before replacing the MBR, the encryptor checks for the file called perfc (or another empty file with a different name) without extension in the directory C:\Windows\ (the directory is specified in the code). This file has the same name as the dll library of this encryptor, without the extension. The presence of such a file in the specified directory can be one of the indicators of compromise. If the file is present in this directory, then the malware execution process is completed (thus, creating a file with the correct name can prevent MBR substitution and further encryption). If the encryptor does not detect such a file during the check, the file is created, and the process of executing malicious software is started. This action is probably to prevent the MBR replacement process from restarting. On the other hand, if the process does not have administrative privileges from the very beginning, the encryptor will not be able to check for an empty file in the C:\Windows\ directory, and the file encryption process will still start without replacing the MBR and restarting the computer.

After starting the malicious file, a task to restart the computer with a 1 to 2-hour delay is created. Thus, there is time to run the bootrec / fixMbr command to restore the MBR and the operating system. Accordingly, it is possible to start the system even after it has been compromised, but it will not be possible to decode the files. A unique AES key is generated for each disk, which remains in the memory until encryption is complete. Then, it is encrypted on the RSA public key and deleted. Recovering content after completion requires knowledge of the private key, without which it is impossible to recover data. The malware likely encrypts files to a maximum depth of 15 directories; files at greater depths are secure. If the disks were successfully encrypted after the reboot, a window with a message asking to pay a ransom of $ 300 (as of June 27, 2017, approximately 0.123 bitcoins) to obtain the key to unlock the files is displayed. Bitcoin wallet 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX is specified for money transfer.

NotPetya uses TCP ports 135, 139, and 445 (using SMB and WMI services) to spread. Spreading to other hosts on a network occurs in several ways. They include Windows Management Instrumentation (WMI), PsExec, and the MS17-010 (EternalBlue) vulnerability exploit. WMI is a technology to manage and monitor different parts of the Windows-based infrastructure centrally. PsExec is widely used for Windows administration and allows running processes on remote systems. However, running these utilities on the victim's computer requires local administrator privileges, which means that NotPetya can spread only from computers on which users have maximum operating system privileges. The EternalBlue exploit enables maximum privileges on an affected system. The encryptor also uses the publicly available Mimikatz utility to obtain credentials of all Windows users in plaintext, including local administrators and domain users. This toolkit allows NotPetya to spread even in infrastructures where the lessons of WannaCry were considered. This feature makes the encryptor very effective (Everything that you..., 2017).

NotPetya possesses functionality that allows it to spread to other computers in an avalanche-like process. It enables the encryptor to compromise the domain controller and attain control over all domain nodes, which fully compromises infrastructure. It should be noted that the NotPetya attack was not limited to Ukraine. Other countries also suffered huge losses. The malware has been used in Germany (9.06% of attacks), Poland (5.81%), Serbia (2.87%), Greece (1.39%), and Romania (1.02%). In Russia and the Czech Republic, it has accounted for less than one percent of all virus attacks (^{Stogniy, 2017}). In the Russian Federation, the computers of Rosneft (^{NTV, 2017}) and Bashneft (^{Russia was attacked., 2017}) stopped working almost simultaneously with Ukraine, resulting in the cessation of oil production at several sites.

Following Ukraine and Russia, attacks on networks began to be carried out in Spain, India (^{Griffin, 2017}), Ireland, Great Britain (^{Woods & Weckler, 2017}), and other countries and cities of the EU and the USA (^{Henley & Solon, 2017}). According to Mcafee, more infected computers were recorded in the United States than in Ukraine. However, ^{ESET (2017)} antivirus statistics show that the highest number of recorded infections occurred in Ukraine.

On December 13, 2020, the information about a large-scale cyberattack against thousands of governmental and non-governmental institutions in the United States was released. The cyberattack began no later than March of that year. The attackers exploited software vulnerabilities of at least three software developers in the United States, including Microsoft, SolarWinds, and Vmware (^{Menn, 2020}; ^{Krebs, 2020}). A supply chain attack on Microsoft cloud service provided attackers with a way to hack victims, depending on whether the services were purchased from an intermediary. The supply chain attack also struck the users of Orion SolarWinds IT monitoring and management tools, widely used by the U.S. Government and industry. Microsoft software vulnerabilities and VMWare allowed attackers to access emails and other documents to perform federated authentication of victims' resources using Single Sign-On (SSO) technology (^{Cimpanu, 2020}).

The attackers embedded their own module (FireEye experts called it "Sunburst") in the Orion system, which opened a backdoor to the victims' computer networks (^{Goodin, 2020}). Up to 200 organizations around the world were attacked. Most of them were US Government agencies and American companies; however, NATO, the UK Parliament, and the European Parliament were also affected (^{Gallagher & Donaldson, 2020}).

On May 7, 2021, Colonial Pipeline, an American oil pipeline system, suffered a cyberattack, which shut down all its pipelines (^{Bing & Kelly, 2021}). Given the scale of the cyberattack, the President of the United States, Joe Biden, declared a state of emergency (^{Suderman & Tucker, 2021}). The Colonial Pipeline system delivers gasoline, diesel, and avgas from Texas to New York. This pipeline network supplies ~ 45% of the fuel consumed on the east coast of the United States. The attack came amid growing concerns about the infrastructure's vulnerability to cyberattacks, revealed after several high-profile attacks, including the hacking of SolarWinds in 2020, which affected several government agencies, including the Pentagon, the Department of the Treasury, the Department of State, and the Department of Homeland Security.

On May 6, within hours of the attack, the company paid hackers five million in cryptocurrency to restore operations. After the payment, the hackers gave the operator a data decoder. However, it was very slow, and the company had to use its own backups. A state of emergency was declared on May 9, 2021, due to a pipeline shutdown. The fuel tanks' supply was arranged, but their capacity was insufficient. A regional emergency was declared for 17 states and Washington, D.C. Moreover, the Federal Government lightened traffic of motorized transportation on highways to stabilize fuel supplies from Texas. By May 12, the Colonial Pipeline website was down. On May 13, the pipeline resumed operations; however, it took several days for the company to return to standard operation. On May 19, company representatives confirmed the payment to hackers. According to the CEO, Joseph Blount, the company paid them $ 4.4 million (^{Eaton & Mallin & Barr, 2021}).

Cyberattacks should also be considered against the backdrop of the COVID-19 global pandemic. For example, according to South Korean intelligence services, in 2021, hackers from the Democratic People's Republic of Korea (DPRK) attacked the Pfizer pharmaceutical company to steal confidential information concerning vaccines. They also stated that the number of cybercrimes from Pyongyang had increased by 32% over the past year. North Korea has not yet reported a single case of coronavirus in the country. In 2020 alone, North Korean criminals tried to reach at least nine medical organizations, including Johnson & Johnson, Novavax Inc., and AstraZeneca (^{Denyer, 2021}).

Hackers from China also demonstrate considerable activity. The main area of their activity remains cyber espionage. Accordingly, in 2021, Chinese hackers hacked the Microsoft email service. It was established that the target included the data of research centers for the study of infectious diseases, law firms, universities, and companies. In addition, small businesses, municipal governments in several cities, and local governments were also affected, with a total of more than 20,000 organizations in the United States and tens of thousands worldwide. Microsoft claims that the cyberattack was probably carried out by attackers from China (^{BBC News, 2021}).