Trending / July 6, 2017

Was NotPetya an Act of Cyberwar?

Last week’s NotPetya attack, was it malware? Ransomware? A disk wiper? Something ravaged computer systems across the Ukraine and then spread to other countries, infecting and shutting down law firms, supermarkets, ATMs and hospitals.

Days after the attack, security researchers are still attempting to figure out what exactly NotPetya is. Yet, regardless of the final technical analysis, the big question remains: Was NotPetya an act of cyberwar?

Ransomware? Wiper? What?

At this point, it’s clear that NotPetya is malware, but is it ransomware or a wiper? This is where things only start to get complicated.

NotPetya is not exactly a disk wiper, but it’s certainly not ransomware either. I know, that doesn’t really help clear things up, now does it? The problem is that NotPetya doesn’t delete data with clear intent the way a wiper such as Shamoon or KillDisk would. Nor does NotPetya encrypt files with the intention of demanding a ransom for the decryption keys the way normal ransomware would.

In effect, NotPetya locks files and throws away the key, ensuring that victims can never recover their systems. In this way, the encrypted files are basically as good as gone, which is like a wiper. Therefore, it could be said that a ransomware infection that leaves no chance of ever recovering and decrypting files is equivalent to a wiper.

By now, most security researchers are solidly in the “it’s a wiper” camp, with leading experts such as Matt Suiche, founder of Comae Technologies, posting his analysis “Petya.2017 Is a Wiper Not a Ransomware” and Kaspersky Lab posting similar conclusions in “ExPetr/Petya/NotPetya Is a Wiper, Not Ransomware.”

Still, I think NotPetya is likely best described as a hybrid attack. Or, perhaps, a ransom-wiper-ware?

Targeted Cyber Attack against the Ukraine?

Having established that we don’t know how to classify the attack, let’s dive into even murkier waters. Was NotPetya a targeted cyber attack against the Ukraine?

In just the last few months, we saw CrashOverride target and take down the Ukrainian power grid, followed by four successive, highly focused malware attacks on the Ukraine that were dressed up to look like ransomware. These included XData, PSCrypt, NotPetya and an as-yet-unnamed attack discovered by security researcher MalwareHunter, which was designed to look like WannaCry but is, in fact, something altogether new.

This fourth attack also appears to have used a similar delivery method to both XData and NotPetya: the update servers of M.E.Doc, a popular accounting software package widely used in the Ukraine. While M.E.Doc vehemently denies it, Microsoft and Talos, among others, have pointed to the company as the source of the initial NotPetya distribution.

By far, NotPetya has been the most destructive attack, with the delivery vector appearing to be highly targeted towards infecting business and corporate victims in the Ukraine. The problem with malware like this is that once it’s released into the wild, it can spread to other systems, networks and countries on its own. So, was it targeted or not? The answer is an inconclusive “probably” at this point.

Without positive attribution, the growing consensus is that responsibility lies with a state actor or surrogate. A number of leading security researchers have suggested this, including the NATO Cooperative Cyber Defence Centre of Excellence, which issued a statement on June 30th confirming:

“NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state. Other options are unlikely. The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation.”

This leads us back to the initial question. If it was probably launched by a state actor or a surrogate, it was probably targeted at the Ukraine, and it was probably meant to cause widespread and indiscriminate economic damage, was NotPetya an act of cyberwar?

The reason it’s so important to determine whether or not this was an act of cyberwar is that NATO’s principle of collective defence binds its members together, committing them to protect each other. Collective defence, as defined in Article 5 of the treaty, boils down to this: an attack against one Ally is considered an attack against all Allies. Therefore, a solid yes with ample evidence would have dire political and military consequences.

Act of Cyberwar?

Many indicators say that NotPetya was a wiper disguised as ransomware, and a targeted cyber attack by a state actor or surrogate aimed at causing widespread destruction within the Ukraine. But without a clear technical definition, with only circumstantial evidence and with no clear attribution, can it really be considered an act of cyberwar?

NATO says, “probably not”:

“If the operation could be linked to an ongoing international armed conflict, then law of armed conflict would apply, at least to the extent that injury or physical damage was caused by it, and with respect to possible direct participation in hostilities by civilian hackers, but so far there are reports of neither.

There is a lack of a clear coercive element with respect to any government in the campaign, so prohibited intervention does not come into play. As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty.” – Tomáš Minárik, researcher at NATO CCD COE Law Branch

Let’s face it. NATO isn’t going to make a clear call on who exactly is behind this any time soon. The current amount of circumstantial evidence probably wouldn’t be enough to get an eight-year-old grounded for a week let alone be conclusive enough to call out a specific nation state as having committed an international crime. To come anywhere close to declaring this an act of cyberwar, there are many details that need to be thoroughly investigated and proven and, thus far, we’re nowhere close to accomplishing that.

If Not an Act of Cyberwar, What Is NotPetya?

NATO will go out on a limb and say that “[NotPetya] could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.”

If this is true and the international community concludes that NotPetya is an “internationally wrongful act” under international law, it could give rise to a joint EU response in the form of sanctions. The European Council issued a press release to this effect, further noting:

The EU diplomatic response to malicious cyber activities will make full use of measures within the Common Foreign and Security Policy, including, if necessary, restrictive measures. A joint EU response to malicious cyber activities would be proportionate to the scope, scale, duration, intensity, complexity, sophistication and impact of the cyber activity.

The EU reaffirms its commitment to the settlement of international disputes in cyberspace by peaceful means. In this context, all of the EU’s diplomatic efforts should as a priority aim to promote security and stability in cyberspace through increased international cooperation, and at reducing the risk of misperception, escalation and conflict that may stem from ICT incidents.

If it was neither an act of cyberwar nor an “internationally wrongful act,” what can we call it for now? Lauri Lindström, researcher at NATO CCD COE Strategy Branch, will only go so far as to say that it was a “declaration of power” and that the attack was merely a “demonstration of the acquired disruptive capability and readiness to use it.”

Declaration of power? What does that mean? The tech part was easy, but anything above layer 7 is also above my pay grade and comprehension. What I do think it means is that no one really knows what to do when it comes to cyber-whatevers like this and until they do, everyone is treading lightly while trying to figure it out.

Unfortunately, while all of this is going on, consumers, citizens, businesses and governments will continue to be in harm’s way and should consider investing in a visibility-based security posture so that they can better detect and rapidly respond to all of the above: cyber attacks, internationally wrongful acts and declarations of power!
