The attack, dubbed “Petya,” is a ransomware worm that has so far targeted, among others, Ukrainian banks and airports; Russian state-owned oil giant Rosneft; British advertising company WPP, US pharmaceutical giant Merck; and shipping company A.P. Moller-Maersk, which said every branch of its business was affected.
Analysts at several cybersecurity firms have confirmed that the Petya assault utilized a powerful and dangerous cyberweapon reated by the National Security Agency that was leaked in April by the hacker group Shadow Brokers.
Though it’s too soon to be certain, experts say it seems as though a confluence of factors may be pointing to Russian state involvement in carrying out the attack.
‘Ukraine was targeted’
Ukraine was hardest hit by the attack, which came one day before the country’s Constitution Day.
Russia and Ukraine’s rocky relationship has been well-documented, and it has seen a steep decline since Russia annexed the territory of Crimea in 2014 and steadily pursued greater military aggression towards its neighbor.
“The first thing that raises a red flag to me is that right now, Ukraine’s main antagonist is Russia,” said Alex McGeorge, the head of threat intelligence at Immunity, Inc., a cybersecurity firm that specializes in nation-state cyber threats.
McGeorge added that the methodology of the the attack also “gives a really good and stable foothold on networks that would matter to somebody who was interested in attacking Ukraine.”
“If I’m interested in disrupting Ukraine, this is great for me,” he said.
In addition to major disturbances to the Ukrainian power grid, banks, government offices, and airports, the country’s Chernobyl plant was also forced to switch to manual radiation monitoring of its site.
Anton Gerashchenko, an adviser to Ukraine’s interior minister, wrote in a Facebook post that the attack was “the largest in the history of Ukraine.”
Greg Martin, the CEO of cybersecurity firm JASK, said he believes that because of its political climate and the geopolitical factors at play, “Ukraine was targeted by bad actors who have been using it as a cyberweapon testing ground over the past couple of years.”
In 2015, a massive cyberattack leveled against the country’s power grid cut electricity to almost 250,000 Ukrainians. Cybersecurity experts linked the attack to IP addresses associated with Russia. Since then, Wired magazine’s Andy Greenberg reported last week, Ukraine has seen a growing crisis in which an increasing number of Ukrainian corporations and government agencies have been hit by cyberattacks in a “rapid, remorseless succession.”
Ukraine is now host to what may turn into a full-blown cyberwar, Greenberg reported. Two separate attacks on the country’s power grid were part of a “digital blitzkrieg” waged against it for the last three years, which multiple analysts have connected to Russian interests.
“You can’t really find a space in Ukraine where there hasn’t been an attack,”Kenneth Geers, a NATO ambassador focusing on cybersecurity, told Wired.
“What we know about the Russians is that it’s part of their M.O. and they sow chaos wherever they can,” McGeorge said. “Having this foothold everywhere for all these important Ukrainian networks speaks directly to that goal.”
‘The numbers just don’t work’
Analysts have also cast doubt on the notion that Tuesday’s attack was carried out in an attempt to make money, because it’s unlikely that the actors behind it will recoup any investment they made into their efforts.
The hackers behind a crippling cyberattack carried out in May, dubbed “WannaCry,” made about $50,000 worth of the Bitcoin cryptocurrency.
“The numbers just don’t work,” McGeorge said. WannaCry’s accumulation was “a pittance when you’re talking about nation-state levels.”
And it’s likely Tuesday’s attack will yield even less than that.
The attack was carried out using an email address that was taken down within the first day of the infection occurring. That proves “there was never a chance that someone was going to be able to cash in on this. If you’re doing a massive ransomware campaign, you have to have resiliency built into the way you get paid,” McGeorge said. “We don’t see a lot of that here.”
“Traditionally, the ransomware attack has not been the tool of a nation-state,” said Jason Glassberg, the co-founder ofCasaba Security. However, maintaining the appearance of a ransomware attack could lend a nation-state the cover of plausible deniability, he added.
“The ransomware aspect to this could actually provide Russia with a great point of distraction to control the narrative when discussing the attack,” McGeorge said.
Russian companies were struck but most quickly recovered
In addition to several other companies, Russia’s state-owned oil company, Rosneft, also reported that it was attacked, as did Russian steelmaker Evraz.
While the attack brought serious consequences for other corporations — like shipping giant Maersk — neither Rosneft nor Evraz suffered similar fallout. Rosneft said its oil production had not been impacted, and Evraz said the attack had not affected its output.
Ukraine currently relies heavily on Russia for its oil and natural gas reserves, and it’s likely Rosneft was hit by the attack because it regularly deals with the Ukrainian government.
“But one of the standing gentleman’s agreements the [Russian intelligence agency] FSB has with the Russian hacking community is, ‘Do whatever you want, so long as it doesn’t hurt Russia,'” McGeorge said.
And while hackers can’t stop these companies from getting infected, they can stop the attack from propagating, which is likely why neither Rosneft nor Evraz saw significant damage to their output, McGeorge added.
However, Home Credit Bank, one of Russia’s top 50 lenders, saw significant disruption in its operations. The bank was reportedly paralyzed and was forced to shut down all its offices on Tuesday.
Tuesday’s attack was the second serious cyberattack carried out in a little over a month. Though it’s still too early to drawn any conclusions, if this attack has Russian origins, Martin said, “we can expect that it will be much more far-reaching and sophisticated.”
“But it still might just be a harbinger of what’s to come in the future,” Glassberg said.