Lord Tariq Ahmad, Foreign Office Minister for Cyber Security, has directly attributed the NotPetya cyber-attack to the Russian Government. This makes the UK the first Western country to do so and to lay blame at the door of the Russian government for orchestrating and deploying the ransomware in 2017. In a statement issued by the UK Foreign Office, Lord Ahmad stated: “The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017…The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds.” Ahmad further expressed that “The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.” At the time of writing, no statement had been made by the Russian Government in response to the allegations.
The Work of the GRU, Maybe?
In the statement made by Lord Ahmad, no mention was made of which government organization the Foreign Office believes was in charge of the operation; rather, the attack was attributed to the Russian military as a whole. However, on January 12, The Washington Post reported that the American intelligence service, the CIA, had attributed the NotPetya attacks to Russian military hackers. The CIA determined that the attack was intended to disrupt Ukraine’s financial system amid the country’s ongoing war with separatists loyal to the Kremlin. In its February 15 statement, the Foreign Office concurs with the CIA’s assessment of the attack’s intent. The CIA report concluded that the GRU, the Russian military’s Main Intelligence Directorate, created the NotPetya strain of ransomware.
The CIA and other intelligence services around the globe believe the GRU to be behind not only the NotPetya attacks but a significant number of attacks that have targeted Ukraine. Many of these attacks coincided with Russia’s annexation of Crimea and its aggression elsewhere in the region. The NotPetya attacks, which began on Ukraine’s Constitution Day, a public holiday, targeted mainly Ukrainian interests and businesses but also affected computer systems in Denmark, India and the United States. Like the CIA, the Estonian Foreign Intelligence Service claims that the GRU military spy agency is also behind APT28, a cyber-espionage unit also known as Fancy Bear, responsible for hacks all over the world, including the infamous DNC hack. Since the attack, Ukraine’s security service (the SBU) has not been shy about blaming Russia for the NotPetya ransomware incident and, like the UK, has gone public with its accusations against Russia. In fact, a public statement was made a mere few days after the attacks.
Ransomware a Staple of Criminals, Not Spies
Why would a state-sponsored cyber espionage group use ransomware? Ransomware is typically used by criminal organizations and hackers to extort funds from victims in exchange for restoring access to their encrypted files. Intelligence officers and security researchers believe that ransomware was used here to make the attack look like the work of nonaligned hackers wanting to make some easy money, rather than of a department of the GRU specializing in cyber warfare. This would imply that the goal was solely the disruption of Ukraine’s financial system, and the attack itself and the circumstances surrounding it make clear that Ukraine’s financial system was the target.
In June 2017 it initially appeared that a Ukrainian site that delivered updates for tax and accounting software was being used in what is commonly referred to as a watering hole attack to distribute malware. A watering hole attack is one in which hackers use a legitimate website to distribute malware through its updates and downloads. Once it was clear the campaign had started and analysts and security researchers began to look at the code, they noticed very little that would make it function like ransomware. It appeared to researchers that there was no reliable way to decrypt the encrypted data. For the victim, this meant that even if they paid the ransom their data could not be recovered. For researchers, it meant they were no longer dealing with ransomware but rather with a data wiper. This approach lends a certain amount of credence to the idea that the attack was carried out by Russian military personnel, and it fits the current modus operandi of the GRU in using cyber warfare to disrupt Ukrainian interests.
It was not only Ukrainian businesses and banks that suffered. Massive corporations were infected with the data wiper, resulting in millions of dollars’ worth of losses. Shipping giant Maersk had to go to some extreme measures to recover from the attack, reinstalling over 4,000 servers, 45,000 PCs, and 2,500 applications. Its IT staff compared this to essentially building a new infrastructure from the ground up. In terms of pure financial loss, it was estimated that Maersk lost anywhere between 250 million and 350 million USD. Other important businesses affected included global courier FedEx, food conglomerate Mondelez, law firm giant DLA Piper, marketing firm WPP, pharma giant Merck, construction materials manufacturer Saint-Gobain, and oil giant Rosneft.
The Nation-States Playing the Blame Game
While the UK and other nations have looked to assign blame to Russia for the NotPetya attacks, this will matter very little to the companies and individuals affected by the attack. Due to the nearly anonymous nature of a well-orchestrated attack, it is very rare that an alleged attacker can be proven to have, in fact, committed it. Investigators can only make assumptions, leaving little recourse for the companies and even less chance of justice. Given that cyber espionage and cyber war cost far less than actual wars and are far less dangerous for soldiers and agents, attacks like NotPetya and BadRabbit will probably become commonplace.