Experts Say NotPetya Cyberattack Came From Russia

Experts are saying that the complexity and scale of the latest global cyberattack point to a hostile government, not a criminal group, as the originator of the attack. And many of them have an educated guess about who it was: Russia.

On June 27, the hostile software — dubbed “NotPetya” after initial reports misidentified it as the ransomware Petya — crippled organizations in more than 60 countries and in every possible vertical, from banks and shipping providers in the Ukraine to U.S. pharmaceutical companies. Employees around the world arrived at work to find whiteboard signs reading, “Do not turn on computers!”

The main target, however, appeared to be the Ukraine. The other 59 countries were just casualties. That’s what Kaspersky Lab and prominent cybersecurity researcher Matt Suiche concluded within 24 hours of the attack, and it squares with officials’ gut instincts.

“All of this was done under the guise of financial gain, but in reality the purpose was to destabilize the situation inside our country,” said Ukraine’s Security Services Chief Vasyl Hrytsak.

NotPetya hijacked a software update from Ukrainian accounting software company MeDoc and used it as a Trojan horse to get past firewalls.

John Watters, head of global cyber intelligence operations for FireEye, told The Financial Times, “There are a lot of things that point to Russia.” He added, however, that with such attributions, “The best you can get is high confidence.”

Exhibit A: Cyber investigators said the tactics, techniques and procedures of this attack lined up closely with the Kremlin’s playbook. Technical data revealed an infrastructure and control network that fit the Russian profile. The targets, coding and infection methods further backed the theory.

Furthermore, the majority of victims — more than 75 percent — were located in the Ukraine, and analysts believe that the infection only spread beyond those borders because it was able to use Ukrainian subsidiaries of foreign companies as a conduit. Russian-backed proxies have been an ongoing threat in the eastern territories of the Ukraine, though Russia denies any involvement in the NotPetya pandemic.

Although victims were asked to pay $300 to decrypt their locked data, experts don’t think collecting ransom was the primary goal.

The hackers demanded that victims send notification of ransom payments to a single email address — an unorthodox and flimsy method, the Financial Times noted. More tellingly, the malware didn’t just encrypt the hard drive; it overwrote the master boot record. That’s not easy to reverse, and experts doubt that the attackers ever intended to do so.

No, the term “ransomware” wouldn’t do justice to this threat. This was like ransomware on steroids. Experts later dubbed NotPetya a “Massive Coordinated Cyber Invasion.” It was powered by multiple U.S. cyberweapons leaked earlier this year by the Russian-backed Shadow Brokers.

What the attack lacked in ransom sophistication, it made up for in strategy, spreading through well-documented and preventable means with the apparent intent of distracting victims and disrupting response to the attack.

And there, it succeeded. Maersk, the world’s largest shipping company, reported July 4 that it was still experiencing issues at some of its 76 ports, where debilitated IT systems were preventing ships from docking and unloading. These ships had to be rerouted. The Copenhagen-based company was totally offline for six days.

Oleh Derevianko, head of Kiev cybersecurity firm Information Security Systems Partners (ISSP), told the BBC that what made NotPetya really scary was how much of the infiltration seemed to be carried out automatically and the surgical precision with which it was done.

NotPetya intercepted passwords, captured administrative privileges, deleted logs, encrypted and wiped data. But it also passed over certain hashes on machines and networks.

“The initial organizations that were hit, even in the networks where we saw most of the computers wiped out … there would be some machines that survived,” Derevianko said. “This immunity is strange. How did they survive, but more importantly, why?”

NotPetya takes the global cyber arms race to a whole new level, potentially marking a violation of sovereignty, NATO told the Financial Times. It targeted important government systems with no regard for collateral damage — the digital equivalent of civilian casualties. At least one hospital was down during the attack, and the affected U.S. health network had to delay procedures for patients during the downtime.

“This could be an internationally wrongful act,” said Tomas Minarik, a legal expert at NATO’s cyber defense think tank, “which might give the targeted states several options to respond with countermeasures.”