Ukraine has said Russian security services were involved in the recent Petya cyber attack aimed at destroying its important data and spreading panic.
The SBU, Ukraine’s state security service, said on Saturday the attack, which started in Ukraine and spread around the world on Tuesday, was by the same hackers who attacked its power grid in December 2016.
Ukrainian politicians were quick to blame Russia for Tuesday’s attack but a Kremlin spokesman dismissed “unfounded blanket accusations”.
Cyber security firms are trying to piece together who was behind the computer worm, dubbed NotPetya by some experts, which conked out computers across an estimated 60 countries, disrupted shipping, and shut down a chocolate factory in Australia.
“The available data, including those obtained in co-operation with international antivirus companies, give us reason to believe that the same hacking groups are involved in the attacks, which in December 2016 attacked the financial system, transport, and energy facilities of Ukraine using TeleBots and BlackEnergy,” the SBU said.
“This testifies to the involvement of the special services of Russian Federation in this attack.”
Russia and Ukraine have been at loggerheads since 2014 when Russia annexed Crimea.
The SBU in an earlier statement on Friday said it had seized equipment it said belonged to Russian agents in May and June to launch cyber attacks against Ukraine and other countries.
“The main purpose of the virus was the destruction of important data, disrupting the work of public and private institutions in Ukraine, and spreading panic among the people,” the SBU said of the recent attack.
A cyber attack in December on a Ukrainian state energy computer caused a power cut in the northern part of the capital Kiev.
The 2016 attack followed on from a similar attack on Ukraine’s power grid in 2015. The attacks involved the use of the BlackEnergy trojan delivered via spear-phising.
“The uniqueness of Black Energy is, it’s very modular — the attacker can change the malware’s behaviour pretty fast,” said Ehud Shamir, CISO at security company SentinelOne, in March 2016.
“Part of the modular Black Energy malware acts as a network sniffer, and this discovered data such as user credentials that allowed the attacker to access the industrial control system and jeopardise the electricity supply.”
The blame for that attack on Ukraine was pinned on Russia-aligned hackers.
In June, Russian President Vladimir Putin said the country does not conduct hacking activities, but that patriotic Russians might strike out and attack others.
“Hackers are free people, just like artists who wake up in the morning in a good mood and start painting,” Putin said at the time.
“The hackers are the same. They would wake up, read about something going on in interstate relations and if they feel patriotic, they may try to contribute to the fight against those who speak badly about Russia.”
Despite the US stating that Russia was behind the hacking of Democratic Party emails, Putin said hackers cannot have a “radical impact” on the elections of other countries.
Last week, NATO Secretary General Jens Stoltenberg said the collective defence article in the North Atlantic Treaty could be invoked in the face of a cyber attack.
“We have also decided that a cyber attack can trigger Article 5 and we have also decided — and we are in the process of establishing — cyber as a military domain, meaning that we will have land, air, sea, and cyber as military domains,” he said.
Although initially appearing in the guise of ransomware, security experts said the malware was actually designed to wipe data, since it was unable to decrypt and restore files it overwrote.
“We believe the ransomware was in fact a lure to control the media narrative, especially after the WannaCry incidents to attract the attention on some mysterious hacker group rather than a national state attacker like we have seen in the past in cases that involved wipers such as Shamoon,” Matt Suiche of Comae Technologies said last week.
Microsoft confirmed via its telemetry data a number of initial infections occurred via Ukraine-based tax accounting software MEDoc.
“Although this vector was speculated at length by news media and security researchers — including Ukraine’s own Cyber Police — there was only circumstantial evidence for this vector. Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process,” the company said.
The Russian foreign ministry and Federal Security Service did not immediately respond to requests for comment on the latest allegations.