NATO CCD COE attributed the massive NotPetya attack to a ‘state actor’ and call for a joint investigation

Pierluigi Paganini July 02, 2017

NATO attributed the massive NotPetya attack to a ‘state actor,’ NotPetya and WannaCry Call for a Joint Response from International Community.

According to NATO CCD COE, the recent massive attack based on NotPetya ransomware was powered by a “state actor.” The malware infected over 12,000 devices in around 65 countries, the malicious code hit major industries and critical infrastructure.

Recently the analysis conducted by various groups of experts confirmed that ransomware was designed to look like ransomware but it was wiper malware designed for sabotage purpose.

Attackers might have used a diversionary strategy hide a state-sponsored attack on Ukraine critical infrastructure.

Experts from NATO CCD COE believe the attack was likely launched by a nation-state actor, or it was commissioned to a non-state actor by a state.  The attackers were well funded and the attack they conducted was very complex and expensive.

The experts observed that despite the operation was complex, the attackers did not spend much effort for managing the payments, a circumstance that suggests hackers were not financially motivated.

“The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation,” NATO’s Cooperative Cyber Defense Centre of Excellence (CCD COE), said in a press release on Friday.
This declaration could have serious consequences, the cyber attack could be interpreted as an act of war, and can trigger a military response of the alliance under the Article 5 of the North Atlantic Treaty, the principal of collective defense.
“The global outbreak of NotPetya malware on 27 June 2017 hitting multiple organisations in Ukraine, Europe, US and possibly Russia can most likely be attributed to a state actor, concluded a group of NATO CCD COE researchers Bernhards Blumbergs, Tomáš Minárik, LTC Kris van der Meij and Lauri Lindström. Analysis of both recent large-scale campaigns WannaCry and NotPetya raises questions about possible response options of affected states and the international community.” wrote Tomáš Minárik, researcher at NATO’s CCD COE law branch.
“As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures,”
Despite the WannaCry attack and the NotPetya one present many similarities, according to the NATO CCD COE researchers, they were conducted by different threat actors.

“As the extortion of money seems to be just a negligently prepared cover according to various news then the question about the motivation behind NotPetya attack should be looked from other perspectives. Even though the same vulnerability was used by WannaCry, the actors behind these two similar attacks are likely not the same. In both cases a possible financial gain for attackers has been more than modest. However, an effect was achieved, a large-scale successful disruptive attack almost globally, is almost identical in both cases. ” continues the NATO release.

“NotPetya is a sign that after WannaCry, yet another actor has exploited vulnerability exposed by the Shadow Brokers. Furthermore, it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power – demonstration of the acquired disruptive capability and readiness to use it,” concluded Lauri Lindström, researcher at NATO CCD COE Strategy Branch.

notpetya Petwrap ransomware

Gavin O’Gorman, the investigator in Symantec Security Response, made a couple of hypothesis about the motive behind the attack.

The first is that the attack was powered by technologically capable criminals but with poor operational abilities. Attackers used one bitcoin wallet and used a single email account to contact.

The second theory is that the real motivation behind the attack is sabotage on a large scale.

“Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action,” O’Gorman wrote in a blog post.

“Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: ‘Are the attackers politically motivated, or criminally motivated?'”

WannaCry and NotPetya raise again the question about the possible response options of the international community and the necessity of norms of state behavior in the cyber space.

Both arguments were discussed at the recent Italy G7 Summit, with my colleagues at the G7 cyber group we proposed a set of norms of state behavior to address these problems. The result was a voluntary, non-binding norms of State behavior during peacetime in the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE.

NATO CCD COE calls for a special joint investigation to attribute the attack to a specific actor and persecute it.

“WannaCry and NotPetya raise again the question about the possible response options of the international community.  The number of affected countries shows that attackers are not intimidated by a possible global level investigation in response to their attacks. This might be an opportunity for victim nations to demonstrate the contrary by launching a special joint investigation.” concludes the press release.

[adrotate banner=”9″] [adrotate banner=”12″]

Pierluigi Paganini 

(Security Affairs – NotPetya, NATO)

[adrotate banner=”5″]

[adrotate banner=”13″]

you might also like

leave a comment