The latest outbreak of ransomware has renewed discussions of invoking NATO Article 5 in response to cyberattacks—the article calls for mutual defense against a military attack.
NATO Secretary General Jens Stoltenberg offered no vague allusions in his remarks from Brussels. He described the Petya computer virus as a cyberwarfare attack on Ukraine, perhaps one that has gotten out of hand, since some key computer systems belonging to the most likely culprit have become infected.
“The attack in May and this week just underlines the importance of strengthening our cyber defences and that is what we are doing. We exercise more, we share best practices and technology, and we also work more and more closely with allies,” said Stoltenberg, as quoted by the UK Telegraph.
“NATO helps Ukraine with cyber defence and has established a trust fund to finance programs to help Ukraine improve its cyber defences. We will continue to do this and it is an important part of our cooperation,” he added.
The Hill recalls that last year, Stoltenberg said that “a severe cyberattack may be classified as a case for the alliance, then NATO can and must react.”
He added that the nature of the response would “depend on the severity of the attack.”
Petya, like WannaCry before it, has been quite severe. It does not have a “kill switch” like WannaCry did, which allowed security teams to disable the virus on a global scale by registering a certain website address, but a more limited “vaccine” that can protect individual computers has been discovered.
As ABC News describes it, the protection technique is a localized kill switch that tricks the virus into becoming inert by creating a file called “Perfc” (with no file extension) in the C:\Windows directory of infected computers. The current iteration of the malware is designed to halt its malicious encryption of user data when it sees this file exists. Sadly, cybersecurity experts assume it is only a matter of time before the hackers release a new version of the virus that does not have this localized kill switch.
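The vaccine described above, scripted the way a defender would apply it across many hosts: check whether the extension-less file already exists, create it if not, and mark it read-only so a casual deletion fails. This is an added example, not code from the article or from the researchers it quotes. The `C:\Windows` default and the read-only hardening are assumptions on top of what the article states (it only says the file must exist); the directory is a parameter so the logic can be exercised in a scratch folder on any platform. Because ABC's description makes clear this is a check the current build happens to make, the script is a stopgap that a later variant may ignore.

```python
import stat
import tempfile
from pathlib import Path

# Name and location the article cites: an extension-less "perfc" in C:\Windows
# (the article capitalizes it; NTFS name lookups are case-insensitive).
VACCINE_NAME = "perfc"
# Assumption: a standard Windows install. Override for testing or other layouts.
DEFAULT_WINDIR = Path(r"C:\Windows")


def is_vaccinated(windir=DEFAULT_WINDIR):
    """True if the extension-less vaccine file is present in windir."""
    return (Path(windir) / VACCINE_NAME).is_file()


def vaccinate(windir=DEFAULT_WINDIR):
    """Create the vaccine file if it is missing and mark it read-only.

    Returns "created" or "exists". Read-only is a hardening choice made here,
    not something the article describes: an ordinary delete then fails, so the
    file keeps satisfying the existence check the malware is reported to make.
    """
    path = Path(windir) / VACCINE_NAME
    if path.exists():
        return "exists"
    path.touch()
    path.chmod(stat.S_IREAD)
    return "created"


def demo():
    """Run the vaccination twice in a scratch directory and report each step."""
    with tempfile.TemporaryDirectory() as scratch:
        before = is_vaccinated(scratch)
        first = vaccinate(scratch)
        second = vaccinate(scratch)  # idempotent: second run must not fail
        after = is_vaccinated(scratch)
        # Restore write permission so the scratch directory can be removed on every platform.
        (Path(scratch) / VACCINE_NAME).chmod(stat.S_IREAD | stat.S_IWRITE)
    return before, first, second, after


if __name__ == "__main__":
    print(demo())  # (False, 'created', 'exists', True)
```

Run it with no arguments on a Windows host (elevated, since `C:\Windows` is not user-writable) to vaccinate that machine; the `demo()` function exercises the same code path in a temporary directory so the behaviour can be verified without touching the system directory.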
ABC also has some interesting notes on the taxonomy of the virus, as researchers work to determine how closely related it really is to the Petya ransomware first detected by researchers over a year ago. Some security analysts think the virus has been modified so extensively, retaining little beyond the ugly skull-and-crossbones animation and threatening message it displays to victims, that they have nicknamed it “NotPetya.”
Analyzing the virus thoroughly is essential, both to defeating it and determining exactly where it came from. Stoltenberg is far from alone in thinking “NotPetya” is best seen as a cyberattack disguised as ransomware, which was also a popular theory about WannaCry.
WannaCry’s perpetrators were notoriously lax about collecting the meager $300 ransom in Bitcoin they demanded, while NotPetya’s masters initially did a better job of at least pretending they cared about the money. That charade seems to have ended quickly, since, as the Verge notes, the email address attached to the Bitcoin wallet of the thieves was shut down soon after the ransomware attack made global headlines.
As Wired reported on Wednesday:
As more details come to light, Ukrainian cybersecurity firms and government agencies argue that the hackers behind the ransomware called Petya (also known as NotPetya or Nyetya) are no mere thieves. Rather, they pin the attacks on political operatives seeking to disrupt Ukrainian institutions yet again, using a massive ransom scheme to hide their true motive. And some Western cybersecurity analysts tracking the Petya plague have come to the same conclusion.
“I think this was directed at us. This is definitely not criminal. It is more likely state-sponsored,” Ukrainian cybersecurity chief Roman Boyarchuk told Wired. He added it was “difficult to imagine” that any state but Russia would be interested in sponsoring such an attack on Ukraine.
Boyarchuk also noted that not only did the initial ransomware outbreak occur in his country, with over 60 percent of known infections occurring there to date, but it struck just before Constitution Day, when Ukraine celebrates its post-Soviet independence, and it was accompanied by a car bomb attack that killed a special forces officer in Kiev.
Another key piece of evidence advanced by Ukrainian analysts is that advance work appears to have been done several months ago to plant the NotPetya virus in key organizations, using techniques similar to previous attacks Ukraine considers cyberwarfare from Russian intelligence operatives.
Most telling is that this iteration of the Petya virus does not actually release the victim’s data if they pay the ransom—it permanently encrypts their data and renders it useless, sometimes destroying other machines on targeted networks without even bothering to ask for a ransom payment. Similar tactics have been used against Ukrainian computers in the past by a Russia-linked hacker gang known as “Sandworm.”
Cybersecurity analysts around the world have discovered another important clue to NotPetya’s true intentions, which is that one of its primary means of infecting computers involves exploiting a piece of Ukrainian accounting software called MeDoc.
The Verge quotes an information security expert who provided a pithy summary of current thinking about this ransomware’s origins and true purpose, saying, “There’s no f**king way this was criminals.”
Of course, murky chains of responsibility are a key attraction of cyberwarfare for criminals, terrorists, and hostile state actors. It is extremely difficult to pin a cyberattack on state sponsors with complete certainty. All of the evidence pointing at the latest virus as a weapon of espionage against Ukraine is circumstantial.
Some experts caution that it could be a moneymaking scheme at heart, even if the ransom component of the ransomware is nonfunctional, because the virus could be stealing valuable data from targeted systems or paving the way for more lucrative attacks in the future.
These attacks are digital dirty bombs that spread far beyond their original targets, as NotPetya quickly escaped the borders of Ukraine. NotPetya nourished fears of a real dirty bomb when it infected computer systems used by the Chernobyl nuclear plant, although the major consequence has been sending technicians to tromp around the irradiated zone and measure radiation levels with hand-held scanners.
The perpetrators really have no way to target viral attacks precisely, especially if their code does not include the kind of global “kill switch” that halted WannaCry in the nick of time.
The Telegraph notes that British Defense Secretary Michael Fallon talked about military retaliation against state-sponsored cyberattacks on Tuesday, echoing Jens Stoltenberg’s thoughts about treating militarized malware as a NATO Article 5 trigger.
Gizmodo calls for an international cyberwar treaty immediately, noting the effect on Ukraine’s infrastructure of the NotPetya attack is comparable to the damage airstrikes could have inflicted, minus the rubble and piles of corpses. If a nation-state is proven responsible for the outbreak, it would be hard to argue with classifying it as an act of war.
A clear international legal code classifying cyberattacks as equivalent to real-space terrorism or military conflict might give state-sponsored hackers, criminal gangs, and “lone wolf” saboteurs pause, assuming of course they don’t remain confident that responsibility can never be established firmly enough to justify harsh sanctions or military retaliation.