According to NATO CCD COE, the recent massive attack based on the NotPetya ransomware was powered by a “state actor.” The malware infected over 12,000 devices in around 65 countries, and the malicious code hit major industries and critical infrastructure.
Analysis recently conducted by various groups of experts confirmed that the malware was designed to look like ransomware but was in fact a wiper built for sabotage.
Attackers might have used a diversionary strategy to hide a state-sponsored attack on Ukrainian critical infrastructure.
Experts from NATO CCD COE believe the attack was likely launched by a nation-state actor, or was commissioned from a non-state actor by a state. The attackers were well funded, and the attack they conducted was complex and expensive.
The experts observed that although the operation was complex, the attackers did not spend much effort on managing the payments, a circumstance that suggests the hackers were not financially motivated.
“As the extortion of money seems to be just a negligently prepared cover according to various news, then the question about the motivation behind the NotPetya attack should be looked at from other perspectives. Even though the same vulnerability was used by WannaCry, the actors behind these two similar attacks are likely not the same. In both cases a possible financial gain for attackers has been more than modest. However, the effect that was achieved, a large-scale successful disruptive attack almost globally, is almost identical in both cases,” continues the NATO release.
“NotPetya is a sign that after WannaCry, yet another actor has exploited a vulnerability exposed by the Shadow Brokers. Furthermore, it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power – a demonstration of the acquired disruptive capability and readiness to use it,” concluded Lauri Lindström, researcher at NATO CCD COE Strategy Branch.
The first theory is that the attack was powered by technologically capable criminals with poor operational abilities: the attackers used a single bitcoin wallet and a single email address for contact.
The second theory is that the real motivation behind the attack was large-scale sabotage.
“Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action,” O’Gorman wrote in a blog post.
“Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: ‘Are the attackers politically motivated, or criminally motivated?’”
WannaCry and NotPetya raise again the question of the possible response options of the international community and the necessity of norms of state behavior in cyberspace.
Both arguments were discussed at the recent Italy G7 Summit, where, with my colleagues at the G7 cyber group, we proposed a set of norms of state behavior to address these problems. The result was a set of voluntary, non-binding norms of State behavior during peacetime in the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE.
NATO CCD COE calls for a special joint investigation to attribute the attack to a specific actor and prosecute it.
“WannaCry and NotPetya raise again the question about the possible response options of the international community. The number of affected countries shows that attackers are not intimidated by a possible global level investigation in response to their attacks. This might be an opportunity for victim nations to demonstrate the contrary by launching a special joint investigation,” concludes the press release.