On June 27, a wave of “unprecedented” cyber attacks hit Ukraine, targeting state institutions, banks, underground network, major firms, and airports, and causing disruptions on a massive scale. From the outset, the NotPetya virus seemed to be a typical ransomware attack, encrypting important files in infected computers and requiring victims to pay in exchange for decrypting their blocked files. However, it soon appeared that the attackers merely wanted to disguise their virus as a ransomware in order to mislead the public and media and hide their real intentions. What was the real rationale behind the attack?
Although a full investigation will take months (and whether any definite results will be reached remains doubtful), two things are already certain:
First, the attack was primarily aimed at Ukraine. Despite the virus spreading to 65 countries, 75.2% of all infected computers in the world could be found in Ukraine (Cisco’s Talos cyber security division asserted that the other 24.8% were merely “collateral damage,” as, like a real virus, hackers are unable to completely control the virus once launched). Government officials estimated that one in every ten computers at private companies and state offices in Ukraine was hit by the virus, which was seeded through a Ukrainian accounting software M.E.Doc, used by 80% of state institutions and businesses in the country.
The second peculiar aspect of the attack is that it appears it was not motivated by financial gain. Experts agree that NotPetya is a destructive “wiper” malware designed to destroy data and disrupt the workflow of state and business institutions rather than a ransomware created for financial gains. One of the clues that led them to this conclusion was the payment mechanism the virus routed users to, which, for such a well-engineered malware, looked far too amateurish. For instance, the ransom note generated by the virus contained the same payment address for every victim, whereas typically a customized address is created for every victim separately. Moreover, victims were required to contact the attackers to send confirmation of payment to a single “customer service” email, which was immediately shut down by the German provider Posteo once they learned about the attack. Consequently, it was technically impossible for the victims who made the required payment to contact attackers in order to receive the decryption key to unlock blocked files.
Amidst the attack, NATO Secretary General Jens Stoltenberg claimed that, since the Warsaw NATO summit last year, cyber space has become a “military domain;” NATO member countries also agreed that cyber attacks against any member of the alliance would trigger the mutual defense clause in the same way as a conventional military assault.
This constitutes a major change in NATO policy as past cyber attacks – partially due to their novelty – were not treated as seriously. Indeed, when Russia unleashed a series of large-scale cyber attacks against NATO member Estonia back in 2007, the alliance did not enact its mutual defense clause. It appears that the threshold for such an enactment would need to be high, and merely affecting companies operating in many NATO member countries is not a reason enough to enact Article 5 of the Washington Treaty. In reality, the consequences of cyber attack would have to be equivalent of an armed attack.
Despite the growing support for the theory that the attack was orchestrated by state actors (and suspicions on who the state in question might be), NATO-led countermeasures for this particular attack may never happen. Failure to act may send a clear message to the attackers – you are free to violate a country’s sovereignty as long as you do it online. Such an eventuality could create grave disruptions for the global economy, and the NotPetya virus should serve as a wake-up call for the need for increased cyber security.
If such an investment is not made, the next cyber attack could have as its main targets other European countries or even NATO members.
- Everything you need to know about the massive Petya cyberattack which started from Ukraine
- Ukrainian banks, enterprises, media and energy companies under powerful cyber attack, including Chornobyl NPP – LiveUpdates
- No more VPNs: Kremlin mulls limiting anonymising software
- Moscow expanding its cyber war against Ukraine
- Deception, Disinformation, and Doubt: Hybrid Warfare in Eastern Ukraine
- Putin conducts his foreign policy like a special op, Melnikov says
- Beware of Russian Cyber Warfare in 2016
- Cyber attacks have not hindered elections — SBU