Money is not always the answer. What do we know about latest cyber attack on Ukraine

The "Petya-Not Petya" ransomware attack's main target was Ukraine, according to ESET security company. Photo: ESET 


Article by: Givi Gigitashvili

On June 27, a wave of “unprecedented” cyber attacks hit Ukraine, targeting state institutions, banks, underground network, major firms, and airports, and causing disruptions on a massive scale. From the outset, the NotPetya virus seemed to be a typical ransomware attack, encrypting important files in infected computers and requiring victims to pay in exchange for decrypting their blocked files. However, it soon appeared that the attackers merely wanted to disguise their virus as a ransomware in order to mislead the public and media and hide their real intentions. What was the real rationale behind the attack?

Although a full investigation will take months (and whether any definite results will be reached remains doubtful), two things are already certain:

First, the attack was primarily aimed at Ukraine. Despite the virus spreading to 65 countries, 75.2% of all infected computers in the world could be found in Ukraine (Cisco’s Talos cyber security division asserted that the other 24.8% were merely “collateral damage,” as, like a real virus, hackers are unable to completely control the virus once launched). Government officials estimated that one in every ten computers at private companies and state offices in Ukraine was hit by the virus, which was seeded through a Ukrainian accounting software M.E.Doc, used by 80% of state institutions and businesses in the country.

Ukrainian sources have estimated that this attack would have far-reaching economic effects, costing Ukraine 0.5% of GDP for this year.

The second peculiar aspect of the attack is that it appears it was not motivated by financial gain. Experts agree that NotPetya is a destructive “wiper” malware designed to destroy data and disrupt the workflow of state and business institutions rather than a ransomware created for financial gains. One of the clues that led them to this conclusion was the payment mechanism the virus routed users to, which, for such a well-engineered malware, looked far too amateurish. For instance, the ransom note generated by the virus contained the same payment address for every victim, whereas typically a customized address is created for every victim separately. Moreover, victims were required to contact the attackers to send confirmation of payment to a single “customer service” email, which was immediately shut down by the German provider Posteo once they learned about the attack. Consequently, it was technically impossible for the victims who made the required payment to contact attackers in order to receive the decryption key to unlock blocked files.

NATO member countries also agreed that cyber attacks against any member of the alliance would trigger the mutual defense clause 

Furthermore, as the Tallinn-based NATO Cooperative Cyber Defense Centre of Excellence suggested last week, the attack itself was so expensive and complex that it would impossible for individual hackers to launch it. Based on available data, including that obtained from international antivirus companies, the Ukrainian state security service argued last week that the attack was organized by the same hackers who were involved in the cyber attack against Ukrainian power grid in December 2016.

Amidst the attack, NATO Secretary General Jens Stoltenberg claimed that, since the Warsaw NATO summit last year, cyber space has become a “military domain;” NATO member countries also agreed that cyber attacks against any member of the alliance would trigger the mutual defense clause in the same way as a conventional military assault.

This constitutes a major change in NATO policy as past cyber attacks – partially due to their novelty – were not treated as seriously. Indeed, when Russia unleashed a series of large-scale cyber attacks against NATO member Estonia back in 2007, the alliance did not enact its mutual defense clause. It appears that the threshold for such an enactment would need to be high, and merely affecting companies operating in many NATO member countries is not a reason enough to enact Article 5 of the Washington Treaty. In reality, the consequences of cyber attack would have to be equivalent of an armed attack.

Despite the growing support for the theory that the attack was orchestrated by state actors (and suspicions on who the state in question might be), NATO-led countermeasures for this particular attack may never happen. Failure to act may send a clear message to the attackers – you are free to violate a country’s sovereignty as long as you do it online. Such an eventuality could create grave disruptions for the global economy, and the NotPetya virus should serve as a wake-up call for the need for increased cyber security.

If such an investment is not made, the next cyber attack could have as its main targets other European countries or even NATO members.


Givi Gigitashvili is a freelance political analyst. He holds a Master’s degree in EU-Russia studies from the University of Tartu, Estonia and has recently finished a research internship at the Center for Economic and Social Research (CASE) in Warsaw.

Read more:


Your opinion matters! 

Dear readers! We want to know what you think. Please fill out this form about what we're doing right, what we could do better, and what you would like to see more on Euromaidan Press. This will help us create better content for you. Many thanks for your time!

Tags: , ,