The Daily Swig Web security digest

UK gov’t points finger at Moscow for last year’s NotPetya attack

James Walker | 15 February 2018 at 14:37

Russia accused of being responsible for one of 2017’s biggest cybersecurity incidents.

The Russian military is “almost certainly responsible” for last year’s NotPetya cyber-attack, which caused widespread disruption to Ukraine’s critical infrastructure systems and cost European businesses hundreds of millions of dollars, the UK government has stated.

In an unusual display of targeted, public condemnation of alleged nation-state actors, the UK’s foreign office minister, Lord Ahmad, said: “The UK government judges that the Russian government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.”

Reports of a malware attack against Ukraine’s financial, energy, and government sectors started to surface on June 27, as ATMs in Kiev were knocked offline and power plant workers were forced to manually monitor radiation systems at Chernobyl.

While antivirus vendor ESET estimated that 80% of all NotPetya infections were in the eastern European country, the cyber-attack was quick to traverse international borders, affecting organizations across Europe, Australia, and the US.

“The attack masqueraded as a criminal enterprise, but its purpose was principally to disrupt,” Lord Ahmad said in a statement earlier today. “Its indiscriminate design caused it to spread further, affecting other European and Russian business.”

The UK government’s decision to publicly attribute the spread of NotPetya to Russia follows a similar claim from the Security Service of Ukraine (SBU), which last year called for international help to trace the exact source of the outbreak.

Earlier this year, the Washington Post ran a story that indicated the CIA had also attributed the NotPetya cyber-attack to Russian military hackers.

For its part, the Kremlin has slammed what it calls “Russophobic” allegations of state-sponsored cyber-attacks.

“We strongly reject such accusations, we consider them to be groundless, they are part of the similarly groundless campaign based on hatred against Russia,” Russian presidential spokesman Dmitry Peskov told TASS, a Saint Petersburg-based news agency.

The UK government said it would continue to identify, pursue and respond to “malicious” cyber activity regardless of where it originates, imposing costs on those who are seeking to do harm.

“The attack showed a continued disregard for Ukrainian sovereignty,” said Lord Ahmad. “We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.”

Petya/NotPetya

In the immediate aftermath of the outbreak on June 27, 2017, some researchers suggested that the ransomware was a variant of the existing Petya malware.

However, Kaspersky Labs soon determined that the code was “significantly different” from all earlier known versions of Petya, leading to the now infamous moniker, NotPetya.

Providing a technical overview of the malware last July, the United States Computer Emergency Readiness Team said: “NotPetya differs from previous Petya malware primarily in its propagation methods. This variant… encrypts files with extensions from a hard-coded list.

“Additionally, if the malware gains administrator rights, it encrypts the master boot record, making the infected Windows computers unusable.”