This work was done in my free time with my own resources. Imagine what we could do with a team!

The Case For Nation State Attribution
Jonathan Nichols
04 JULY 2017

Executive Summary

Compelling data has been collected which demonstrates that the actor group Telebotz (Sandworm, Energetic Bear, or BlackEnergy) is behind the #NotPetya (Petya, exPetya, ExPetr, GoldenEye, Nyetya, Diskcoder.C) attack.


Analysts at ESET have painted a compelling picture which demonstrates that the #NotPetya attacks were conducted by the same actors behind the DarkEnergy attacks against the Ukrainian power grid. This analysis uses inductive reasoning and probability to paint a compelling picture. The similarities between the DarkEnergy actors and the NotPetya actors are uncanny to such a degree that it is unlikely that any other actor group could have, accidentally or intentionally, conducted the attack with such striking similarity.

Yesterday I wrote a blog post detailing how public details of the NotPetya attack were not sufficient to point to an APT. Those facts have changed as of today, July 4th, ESET has published a fantastic report which should remove all but the most cynical of skpetics. Telebotz did NotPetya.

A Note on Terminology

The Information Security industry has a problem with terminology. Attackers, Viruses, and methodologies are frequently given different names by each industry group as these defenders vie for supremacy in marketing wars. This is an unfortunate state of affairs. Alas, until a NIST standard exists for uniform adversary naming, we must live in the world we’ve got, not the one we wish to inhabit (But seriously NIST, you’re dropping the ball here). For this report, I am calling this specific attack “NotPetya” to be in line with the most important policy authorities I wish this report to reach (NATO) and I’m labeling the actors “Telebots” to be in line with the analysts who conducted the bulk of the research I will be drawing on for this report. In an attempt to be exhaustive (and in a shameless grab at Search Engine Optimization), here is a current list of known industry names for the attackers and the methodologies:

NotPetya: Petya, exPetya, ExPetr, GoldenEye, Nyetya, Diskcoder.C

Telebots: Sandworm, Energetic Bear*, BlackEnergy*

(*source documents vary on whether Telebots/Sandworm are closely related or identical to the BlackEnergy/Energetic Bear group)

A Note on Analysis

It is relatively simple for a complex adversary to pretend to be an idiot, and it is impossible for an idiot to pretend to be a complex adversary. Due to this immutable fact, it is always good to start with the premise that the hacker you’re analyzing is an idiot. When facts demonstrate this premise to be false, revise the analysis up the food chain until you’ve found a sufficiently complex level of capability to fit the facts. To do otherwise invites trouble for the analyst and the organizations they support. Since all attacks done by idiots can also be done by experts, any analysis which presupposes that the attackers are experts becomes fallacious on its face. You cannot DISPROVE an attack was done by a professional, you can only prove that a professional must have done an attack. A begets B, but B does not always beget A.


Timeline of Events

December 2015 BlackEnergy (related to Telebotz) disrupts Ukrainian power grid
December 2016 KillDisk malware against Ukrainian financials, first instance of fake ransomware use by Telebotz to mask a wiper
January 2017 First instance of VPN tunnels used to spread botnet
January? 2017 Telebot incorporate password stealer, Mimikatz, and PsExec
14March 09:30 2017 PetrWrap (Filecoder.NKH) report from Kaspersky. Uses nearly identical ransom screen
14April 2017 Backdoor ZvitPublishedObject.dll in MeDoc Update owned by Telebots
24APR-10MAY 2017 No known backdoors present in MeDoc
15May 2017 New Backdoor compiled (Filecoder.AESNI.C aka XData)
15May 2017 Backdoor ZvitPublishedObject.dll in MeDoc Update owned by Telebots
17May-21June 2017 No known backdoors present in MeDoc
18May 2017 Publish of Filecoder.AESNI.C (few infections due to lack of backdoor)
22June 2017 New Backdoor compiled? (wording unclear)
22June 2017 Backdoor ZvitPublishedObject.dll in MeDoc Update owned by Telebots
27June 10:30 UTC 2017 MEDoc update spreads NotPetya (Discoder.C)


The timeline above demonstrates a clear evolution in capabilities from early 2016 until today. Early on, Telebotz is overserved developing the techniques to use fake ransomware to hide a wiper. They then develop the techniques to spread their viruses over VPN tunnels, incorporate password stealers, Mimikatz, PsExec, and compromise the MeDocs Update process. All of these techniques are present in the NotPetya attack.

Finding one such technique used by a separate hacking group would be a case of correlation. Finding two would be lucky. Finding so many correlating techniques which fit into a timeline that demonstrates a clear evolution in capabilities? Nature is rarely so beautiful as to grace humanity with that level of coincidence.

As this report was being written, the Ukrainian Cyber Police came to the same conclusion. Like me, they borrow heavily from the wonderful work of the people at ESET. (Source:

If you see ESET at a conference, be sure to buy them a beer and thank them for their service to the Western world.


NOTE: I’m doing this on my own free time and without assistance. Please forgive and alert me to any errors, both factual and editorial. If you want a Threat Intelligence analyst on your team, just drop me a line. I would have been happy to have shared this work with a team, with an editor, and under the banner of a team logo.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s