By Stephen Bryen

The press is full of accusations that the Russians unleashed a highly damaging cyberattack called NotPetya in Ukraine last month. Unnamed US authorities and “private researchers” are claiming the attack was either carried out by the Russian state or backed by it. Does the evidence support the accusation?

NotPetya masquerades as ransomware, but its effects cannot be reversed. It wipes portions of data stored on hard drives. In Ukraine, NotPetya reportedly affected central-government operations, the national bank, the main airport in Kiev and the sensors at the Chernobyl reactor site that monitor radiation leaks.

Analysts point to evidence that the cyberattack was political, had Russia’s fingerprints on it, and is part of Moscow’s conflict with Kiev. The virus hit a day before Ukrainian Constitution Day, although it had been lurking for five days before it was unleashed.

But the arguments are speculative. There is no outright proof of any kind this was a Russian-supported or Russian-inspired operation. A Trump administration official told Bill Gertz of The Washington Free Beaconthat “the US government is not prepared to blame Moscow”, but that comment was buried in an accusatory story fingering Russia.

There are reasons to think the NotPetya attack was not Russian.

The first comes from an observation made by Cisco researchersexamining the attack. They believe the NotPetya attack was not motivated by money and hence was not a real ransomware assault. They do think the origin of the attack is political.

Ukrainian authorities say the attack originated in a Ukrainian company called M.E.Doc, which sells and supports tax accounting software and is owned by another company, Intellect Services. Cisco agrees that M.E.Doc was the source of the attack, that credentials to M.E.Doc’s servers were stolen or compromised, and that M.E.Doc had not updated its servers or fixed known vulnerabilities in its system since 2013.

But Cisco is puzzled that unleashing this destructive software revealed a powerful capability, something that a state actor like Russia would have been loath to do, even though Cisco researchers still think the attacks were potentially a Russian political operation.

Cisco reports: “Our Threat Intelligence and Interdiction team is concerned that the actor in question burned a significant capability in this attack. They have now compromised both their back door in the M.E.Doc software and their ability to manipulate the server configuration in the update server.

“In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA [Ukrainian] businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software. This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.”

In short, a state actor would have to have decided to use this powerful tool knowing that it was a one-time affair and the state would lose the capability in future. There is no known strong reason for the Russians to have done this unless they considered NotPetya an expendable resource, or at least a resource with a short half-life that would soon become irrelevant as servers around the world were properly patched to remove the vulnerability.

One needs to keep in mind that the NotPetya malware is a variant of the WannaCry virus, and both NotPetya and WannaCry originated in the United States, invented by the National Security Agency or by a contractor working for the NSA and based on code known as EternalBlue combined with some elements of another NSA-sponsored malware known as EternalRomance. Russian cyber-warriors probably regard any US-origin tool as insufficiently powerful for economic or political warfare on a large scale.

In fact, while NotPetya caused a lot of trouble and economic loss, at the end of the day it was not sufficiently destructive to be considered a major disruptive tool. On a scale of 1 to 10 it was probably a 4.

There are other reasons to be suspicious of NotPetya’s origins. It was not confined to Ukraine; Microsoft reports that NotPetya appeared “in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States”.

In Russia, cash registers at retail gasoline outlets belonging to the oil giant Rosneft apparently were hit, according to the company. A number of transport companies, most notably the Danish shipping firm Maersk, suffered a NotPetya attack, allegedly because it is using the same software for its accounting systems distributed by M.E.Doc.

Ukrainian authorities say they are deeply concerned about NotPetya because M.E.Doc’s accounting software is critical to its energy and banking systems. Some companies are reported to be continuing to use the compromised software so that they can continue operating.

Can one conclude that the attack that hit 64 other countries as just a residual result of the Ukrainian cyber-event? Was NotPetya not so clever and not well focused? We do not know.

We do know the Ukrainian services had previously warned M.E.Doc about its vulnerabilities. And, after the NotPetya attack and after having raided M.E.Doc’s facility, Ukrainian services said they detected another cyberattack in the making at M.E.Doc, and prevented it.

It is most unusual to raid a company that may have been the victim of a cyberattack unless you suspect the company is the culprit or you have other motives, themselves political, but not necessarily having anything to do with Russians.

According to the office of the Ukrainian president, whatever damage was done was done and all systems in Ukraine are now operating normally.

One could make a case that the unleashing of NotPetya was an attempt to blame the Russians and, at the same time, punish M.E.Doc for not updating its security. This is an avenue of research that deserves some attention for the simple but cogent reason that a false-flag cyberattack could trigger a much bigger conflict – for example, Kiev has been working extra hard to draw the United States and Europe more and more into its conflict with Moscow. The Russians have attacked Ukrainian critical infrastructure before, so they already have a known modus operandi, exposing them to such a tactic.

On the political front, the Russians lacked any specific immediate motive to launch an attack on Ukraine’s critical infrastructure. In the case of previous attacks, especially the one on Ukraine’s power grid in December 2015, the Russians were responding to Ukrainian cuts in power going to Crimea. That attack was well focused, sophisticated and effective and disabled parts of the power grid belonging to Prykarpattyaoblenergo, an electric utility in western Ukraine. It could be repeated any time, so why then use a warmed-over ransomware tool with a far less certain outcome and without any assurance of results?

The case against the Russians is therefore weak when it comes to NotPetya. The best we can say now is that it is a puzzle over who did it, and why.

Tags: ; ; ; ;