A $100bn company that ran NotPetya-like malware on its network turned up a surprise defense


One security-conscious $100 billion company this week exposed its global production IT environment to a de-fanged version of the fast-moving, data-destroying NotPetya malware that crippled several large corporations last June.

The worm, dubbed EternalGlue, was created by researchers at NCC Group, which named its modular malware after the National Security Agency’s EternalBlue weapon — the leaked exploit that helped both WannaCry and NotPetya rapidly overtake networks where at least one Windows machine had been compromised. The malware also employed an open-source credential-stealing tool called Mimikatz, as well as other techniques like credential impersonation.

Western governments fingered North Korean hackers for WannaCry and Kremlin-backed hackers for NotPetya. NotPetya caused over $1 billion in damages across FedEx’s European subsidiary TNT Express, Maersk, and Mondelez International.

NCC Group rebuilt NotPetya in June 2017 for a customer who wanted to see how they would have fared if they’d been infected. Naturally, the customer didn’t want it to destroy their data, so they asked NCC to create a payload that delivered “telemetry and safeguards”.

The pseudo-malware copied the way NotPetya spread, but included safeguards such as enable and propagate switches, kill and remove switches, telemetry, and a clean-up tool. Additional safeguards included measures to whitelist certain IP addresses, and success and failure reporting.