The UK Foreign Office minister Tariq Ahmad has condemned Russia for the damaging, disruptive and costly NotPetya cyber attacks in June 2017.
The UK’s National Cyber Security Centre (NCSC) assesses that the Russian military was almost certainly responsible for the destructive NotPetya cyber-attacks of June 21017.
Given this is the highest level of assessment and the broader context, the UK government has made the judgement that the Russian government was responsible for this cyber attack, the Foreign Office said in a statement, adding that the attack masqueraded as a criminal enterprise, but its purpose was principally to disrupt.
Primary targets were Ukrainian financial, energy and government sectors, but the malware’s “indiscriminate design” caused it to spread further, affecting other European and Russian businesses.
NotPetya, which started as a fake Ukrainian tax software update, infected hundreds of thousands of computers in more than 100 countries in just a few days. This ransomware is a variant of an older attack dubbed Petya, except the later attack uses the same exploit behind WannaCry.
The malware spread through trusted networks, rather than widely over the internet, bypassing the processes put in place to prevent ransomware attacks, the NCSC said.
Affected companies outside the Ukraine included London-headquartered WPP, Danish shipping giant AP Moller–Maersk, US-based pharmaceutical company Merck, multinational law firm DLA Piper, Russian oil company Rosneft, Netherlands-based shipping company TNT and French construction materials company Saint-Gobain.
Maersk said the attack cost up to £222m, while the UK’s WPP got off relatively lightly, with the NotPetya attack reportedly costing it between £10m and £15m before insurance.
Read more about ransomware
- How does the Locky ransomware file type affect enterprise protection?
- How does Locky ransomware get distributed by the Necurs botnet?
- Focus: How to avoid being hit by ransomware.
- Large UK firms are prepared to pay out more than £136,000 on average to cyber criminals who launch ransomware attacks.
“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe, costing hundreds of millions of pounds,” said Ahmad, Foreign Office minister for cyber security.
“The Kremlin has positioned Russia in direct opposition to the West, yet it doesn’t have to be that way. We call on Russia to be the responsible member of the international community it claims to be, rather then secretly trying to undermine it.
“The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyber space,” he said.
The Foreign Office said the decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity. The UK’s public attribution comes a month after US reports that a classified CIA report concluded in November 2017 that Russia’s foreign intelligence agency created and was responsible for the NotPetya attacks.
This is the second time the UK government has taken this course of action. In December 2017, the Foreign Office publicly blamed a North Korean group for the WannaCry ransomware attack in May 2017.
The Foreign Office said it is “highly likely” that the North Korea-based Lazarus Group was behind the attack, which hit 300,000 computers in 150 countries, including 48 NHS Trusts.
NotPetya was identified as the most destructive ransomware of 2017, followed closely by WannaCry, based on data collected from the Webroot BrightCloud threat intelligence platform. NotPetya was ranked highest because it was engineered to do damage to a country’s infrastructure.
The NotPetya malware used EternalBlue, the same exploit WannaCry used a month earlier. But unlike most ransomware, NotPetya’s main purpose was to cause disruption.
“The malware was not designed to be decrypted. This meant that there was no means for victims to recover data once it had been encrypted. Therefore, it is more accurate to describe this attack as destructive [rather] than as ransomware,” the NCSC said.
As well as EternalBlue, NotPetya used the EternalRomance exploit, both of which the Shadowbrokers group released in early 2017. “Microsoft issued a patch for both exploits, so all the victim machines were ones that had not applied these patches,” the NCSC said.