Collateral Damage: Notpetya Takes Russia's Cyber War Global

As the victims of NotPetya recover from the initial shock, forensic teams have dug into NotPetya’s code, only to find a nasty surprise. Hidden behind the red ransom message was NotPetya’s true purpose: to destroy data and disrupt the operations. Specialists discovered that during the process of infection NotPetya would overwrite the master boot record, the part of a computer responsible for giving instructions on how to start up, before then encrypting files. However, they discovered that bugs in the encryption process would mean that in many cases, victims paying for a decryption key would likely have found it useless in recovering data. Indeed, following the attack Forbes, the business magazine, tested a master decryption key put on sale by the attackers on the dark web for around $250,000, and found that the key could only decrypt certain files, not the infected hard drives.

Another unusual characteristic of the attack was that the perpetrators initially used a single email account for receiving messages proving payment of the ransom before auctioning the master key on the dark web. Unsurprisingly, the NotPetya attackers’ account was almost immediately suspended by the email provider, cutting victims’ line of communication with the attackers and making it impossible to request the decryption key. This was a poor imitation of the typical modus operandi of ransomware attacks which create custom email accounts for each victim.

The weakness of the attackers’ payment system was in complete contrast to the sophisticated design of the malware’s infection and spreading methods, leading to a growing consensus amongst security researchers that the NotPetya attack was not in fact motivated by financial gain. Researchers have called for NotPetya to be re-categorised as part of a growing trend of attacks masquerading as ransomware which are actually ‘wipers’, a type of malware designed to destroy or permanently deny access to data. Such attacks are often suspected to be state-sponsored due to their failure to make money for attackers.

With the financial motivations of traditional cybercriminals ruled out, speculation has grown that NotPetya was designed with either political motivations, or to prove a point by hacking groups in it ‘for the lulz’. The concept of ‘lulz’, an internet shorthand for ‘laughs’ usually involves a critique of society’s lack of internet savviness or has consequences considered by the perpetrators to be interestingly shocking or humorous. No such motivation has come to light so far in relation to the NotPetya attack and politically, only one country obviously stands to gain from disruption in Ukraine: Russia. 

Fingerprints can be found in the attack’s timing, origin and apparent target. Since the 2014 annexation of Crimea, Russia has been engaged in an ongoing campaign of hybrid warfare in Ukraine, employing misinformation and cyber arms alongside conventional military involvement to secure its new territory. The destabilisation of Ukraine through NotPetya seems well aligned with this strategy. By targeting the MeDoc software, NotPetya punished not only Ukrainian organisations, but also international companies doing business in the country, while playing smoke and mirrors with the identity of its creators. NotPetya also follows a string of cyber-attacks targeting Ukrainian businesses and critical infrastructure, the most significant of which include two blackouts caused by sophisticated hacking and affected hundreds of thousands of Ukrainians just before Christmas in both 2015 and 2016. The NotPetya attack came pointedly a day before Ukraine’s Constitution Day, a public holiday celebrating the adoption of a national constitution five years after independence from the Soviet Republic of Russia. 

So far, a number of groups have gone on record accusing Russian involvement in the attack. Both Ukraine's security service (SBU), and ESET, a Slovenian cyber security firm, have publicly stated that they believe the NotPetya malware was created by the same group allegedly to be behind the December 2016 blackout in Ukraine, known as ‘Sandworm’ or alternatively as ‘Telebots’. ESET’s view has also been echoed by FireEye, a leading US cyber security company which is an authority on the group, which it links to Russian government backers. Sandworm is allegedly a repeat offender and is believed to be behind recent alleged cyber-attacks on EU and NATO officials. 

In response to these allegations, a Kremlin spokesman dismissed the claims as "unfounded blanket accusations”. Critics of those who accuse Russia also point to the fact that Russian companies suffered the second highest number of infections NotPetya after Ukraine, the most significant example being Rosneft, the state-controlled oil company. However, it is entirely feasible that the Russian companies were hit because NotPetya spread further than was intended. It would also not be the first time that Russian covert operations have accepted a degree of collateral damage at home to create a smokescreen of plausible deniability.

Whether guilty or not, the Ukrainian SBU’s accusations have put Russian, and more widely, state-sponsored cyber operations in the spotlight. Amid serious allegations of Russia’s interference in the 2016 US presidential elections and fears of similar attempts to influence the upcoming German elections, Russia’s alleged cyber operations are being taken seriously at an international level. NATO spokespersons have said that NotPetya “could most likely be attributed to a state actor”, and likely represents a “declaration of power; a demonstration of acquired disruptive capability and readiness to use it.” The seriousness of this analysis has sparked discussions about the possibility of retaliation, either with cyber or conventional military action, should a NATO member state be the subject of a state-sponsored cyber-attack. This has been echoed by a number of world leaders who have reemphasised their commitment to retaliate against cyber-attacks either in kind or with conventional military action. However, in practice significant retaliations against cyber-attacks have been few and far between, as countries have struggled to justify response in the face of the legal challenges of attributing responsibility for attacks. As a result, more state-sponsored hacks like NotPetya are likely to come, emboldened by the success of NotPetya and the global WannaCry ransomware attack of May 2017. 

Outside the political sphere of NotPetya’s significance in the context of Russian aggression in Ukraine, the fallout of NotPetya poses a serious security challenge for businesses that are increasingly being caught in the crossfire of politically motivated cyber sabotage. The consequences of failing to act are severe, with multinational organisation which were victims of NotPetya claiming financial losses of up to £100 million. In the face of these threats, many businesses that previously believed themselves to be prepared against traditional levels of cyber-attacks are revaluating their cyber security needs. Re-evaluation of how quickly security updates must be applied and the possibility of having networks in geopolitical centres of hybrid conflict isolated from global networks are all measures under consideration. Fortune will favour those with the foresight to act now, as the new world order of hybrid warfare and cyber aggression gains pace.