Rosneft reported an attack on its servers. Petya at Rosneft: the oil company complained of a powerful hacker attack

Law and legislation, 21.01.2020

The Rosneft company complained of a powerful hacker attack on its servers. The company announced this on its Twitter account. “A powerful hacker attack was carried out on the company’s servers. We hope that this has nothing to do with the current legal proceedings,” the message states.

“The company contacted law enforcement agencies regarding the cyber attack,” the message says. The company emphasized that the hacker attack could have led to serious consequences; however, “thanks to the fact that the company switched to a backup production process control system, neither oil production nor oil preparation was stopped.” A source of the Vedomosti newspaper close to one of the company’s structures indicates that all computers at the Bashneft refinery, Bashneft-Dobycha and the Bashneft head office “rebooted at once, after which they downloaded unknown software and displayed the splash screen of the WannaCry virus.”

On the screen, users were asked to transfer $300 in bitcoins to a specified address, after which they would allegedly be sent a key by e-mail to unlock their computers. Judging by the description, the virus encrypted all data on the users’ computers.

Group-IB, which prevents and investigates cybercrime and fraud, has identified the virus that hit the oil company, the company told Forbes. It is the Petya ransomware, which attacked not only Rosneft. Group-IB specialists found that about 80 companies in Russia and Ukraine were attacked: the networks of Bashneft, Rosneft, the Ukrainian companies Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System, Mondelēz International, Oschadbank, Mars, Nova Poshta, Nivea, TESA and others. The Kyiv metro was also subject to a hacker attack. Ukrainian government computers, Auchan stores, the Ukrainian operators Kyivstar, LifeCell and UkrTeleCom, and PrivatBank were attacked. Boryspil Airport was also allegedly subject to a hacker attack.

The virus spreads either in the same way as WannaCry or through e-mail: company employees opened malicious attachments in e-mails. As a result, the victim’s computer was locked and the MFT (the NTFS master file table) was securely encrypted, explains a Group-IB representative. At the same time, the name of the ransomware is not shown on the lock screen, which complicates the response to the incident. It is also worth noting that Petya uses a strong encryption algorithm, and there is no possibility of creating a decryption tool. The ransomware demands $300 in bitcoins. Victims have already started transferring money to the attackers’ wallet.

Group-IB specialists found that a recently modified version of the Petya ransomware, “PetrWrap,” was used by the Cobalt group to hide the traces of a targeted attack on financial institutions. The Cobalt criminal group is known for successfully attacking banks around the world: in Russia, Great Britain, the Netherlands, Spain, Romania, Belarus, Poland, Estonia, Bulgaria, Georgia, Moldova, Kyrgyzstan, Armenia, Taiwan and Malaysia. The group specializes in contactless (logical) attacks on ATMs. In addition to ATM control systems, the cybercriminals try to gain access to interbank transfer systems (SWIFT), payment gateways and card processing.

The press service of Group-IB, which investigates cybercrime, told RBC that the hacker attack on a number of companies using the Petya ransomware was “very similar” to the attack in mid-May that used the WannaCry malware. Petya locks computers and demands $300 in bitcoins in return.

“The attack took place around 2 p.m. Judging by the photographs, this is the Petya cryptolocker. The method of distribution in the local network is similar to the WannaCry virus,” the message from the Group-IB press service reads.

At the same time, an employee of one of the Rosneft subsidiaries engaged in offshore projects says that the computers did not turn off; screens with red text appeared, but not for all employees. Nevertheless, the company is down and work has stopped. The sources also note that all electricity was completely shut off at the Bashneft office in Ufa.

As of 15:40 Moscow time, the official websites of Rosneft and Bashneft are unavailable. The lack of response can be confirmed using server-status checking services. The website of Rosneft’s largest subsidiary, Yuganskneftegaz, is also not working.

The company later tweeted that the attack could have led to “serious consequences.” Despite this, production processes, oil production and oil preparation were not stopped thanks to the switch to a backup control system, the company explained.

Meanwhile, the Arbitration Court of Bashkiria completed a hearing at which it considered the claim of Rosneft and its subsidiary Bashneft against AFK Sistema and Sistema-Invest for the recovery of 170.6 billion rubles, the losses that, according to the oil company, Bashneft suffered as a result of its reorganization in 2014.

A representative of AFK Sistema asked the court to postpone the next hearing for a month so that the parties would have time to familiarize themselves with all the petitions. The judge scheduled the next hearing in two weeks, on July 12, noting that AFK has many representatives and they will cope within this period.

As for oil refineries, especially the Bashneft plants, the degree of automation there is very high, and under certain conditions a hacker attack can really cause trouble. Considering that Bashneft has recently changed hands twice, the degree of protection there is apparently not too high now. As for the rest of Rosneft’s divisions, the production divisions, of course, suffered certain troubles due to this hacker attack, but the situation there is such that the degree of automation is not yet too high. In this situation, server crashes are not very pleasant, but they have almost no effect on the technological process. I would say, in the words of a famous character from an old cartoon: “It’s even good that we’re still feeling bad.” Because currently the hacker attack did not bring much harm, but it very clearly showed that this area, I mean network protection, is very important. And this importance will certainly grow, and in situations when we, that is, Russia, find ourselves in some kind of crisis, this may turn out to be very critical. Therefore, for Rosneft this can be considered a very timely and useful test.

It is very difficult to say who is behind the hacker attack. In my line of work, I deal with hackers quite a lot, and I can tell you that half of the hackers are hardly predictable people, and it makes no sense to look for any serious reasons for their attacks, because it is all connected with what people call “losing one’s mind.” As for the other half, indeed, this area of activity is taking on ever greater proportions every year, and legislation will need to think about this topic and be more detailed and harsher than it is now. But, as I understand it, a serious professional manager who occupies the highest levels in some company of a similar profile must understand that this kind of attack makes no sense. The only thing that makes sense is that the company pays more attention to data protection in the future. Here we also need to take into account the psychology of managers. Still, senior management in our oil companies is very far from IT, and the degree of their motivation to engage in one or another type of protection could be reduced. Again, I think this attack was rather beneficial.

We don’t share our assumptions; it’s not ethical. It is the task of law enforcement to establish that, so our assumptions are of no interest to anyone. Rosneft and its affiliated companies are operating normally; we have switched to a backup system. Thanks to this, damage that could have been very serious was avoided. The production divisions, oil production, preparation and refining, are all working normally; there were no failures.

The widespread hysteria of the general public regarding “hacker attacks” is very amusing. Either Russia allegedly influenced the US elections, or WannaCry haunts everyone. Now, someone has “dishonored” Rosneft. Stop looking for depth where there is none. You will be surprised, but “level 80” schoolchildren who have spent a year or two hanging around the relevant forums are capable of all this. A medium-sized one based on the same ZeuS will cost at least $10,000 on specialized sites. For 50,000 you will already have a very decent ransomware on a custom-written engine. On the same sites you can easily find performers who will drive traffic to, for example, your phishing landing page (if you “promote” it like this), or people who will competently spam a fresh database of addresses from the country you are interested in. If the schoolchildren are seasoned and know exactly what they want, they take on a team of several “callers” who sell the file over the phone, posing as contractors or employees of the attacked organization, if we are talking about targeted attacks. If the schoolchildren are savvy, in addition to all this, they bribe a person or two in the attacked organization, and then the chances increase significantly. This is not difficult to do.

This thought can be developed further and further. The point is not in the technical part, which today, if desired, is available to absolutely everyone. The point is that the people on the ground are too relaxed and do not expect that they can be attacked. The success of any attack is always the stupidity of the person on the other end.

Stupidity and greed. Behind today’s attack on Rosneft and everyone else, including the Ukrainian government, there is nothing but stupidity and greed.
The stupidity of lower-level clerks who:

  • disable antivirus software because “I want to shake it and it won’t work”
  • don’t even update licensed Windows because “I need to work, not wait for updates” and “How is it possible not to turn off the computer at night? What if someone tries to look at my browser history?”
  • sabotage any attempts to switch offices to Linux because “I’ve already unlearned my skills, there’s no need for me to learn how to use new programs.”

And the greed of top-level employees, because of which unlicensed Windows was installed en masse in offices. Because these scoundrels reason like this: “Fuck it, we spent millions of dollars on computers alone, and you want us to spend, on every workstation, in addition to 500 bucks for hardware, another 500 bucks for Windows + MS Office, or, even worse, 700 bucks to retrain staff on Linux? Oh, Linux also requires expanding the staff of administrators? No, get to work! I’m sure that if you work as you should, no virus will get through. Moreover, we pay you so much money. And in general, when I was selling computers during perestroika, no one bought any software, and everything worked!”

These two factors, and only they, led to all these post-Soviet “effective managers” getting themselves into such a big mess. And it serves them right!
