UK names Russia as source of NotPetya, USA follows suit
'Almost certain' assessment enough for official blast from Foreign Office
The United Kingdom's Foreign and Commonwealth Office has formally "attributed the NotPetya cyber-attack to the Russian Government", specifically the nation's military.
"The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity," said a February-15th-dated statement from Foreign Office Minister for Cyber Security Lord (Tariq) Ahmad of Wimbledon.
The statement was issued after the UK's National Cyber Security Centre concluded "the Russian military was almost certainly responsible for the destructive NotPetya cyber-attack of June 2017." The centre has no higher rating than "almost certain", so "the UK government has made the judgement that the Russian government was responsible for this cyber-attack."
Another of the quotes the Office put into Lord Ahmad's mouth said "The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm." Which sounds rather like cyber-ops are in full swing.
Any such operations may well be seen as proportionate response, as another of the quotes from Lord Ahmad mentions the "hundreds of millions of pounds" in costs wrought by NotPetya.
NotPetya first hit the Ukraine, which quickly claimed Russia was the malware's source and claimed its deployment was made as part of ongoing destabilisation attempts.
The United States Central Intelligence Agency has also reportedly concluded that NotPetya was made in Moscow, but the UK's very public name-and-shame takes matters a step further and by mentioning allies all-but-implies the UK speaks for other nations too.
Lord Ahmad also said "The Kremlin has positioned Russia in direct opposition to the West yet it doesn't have to be that way" and called on Russia "… to be the responsible member of the international community it claims to be rather than secretly trying to undermine it."
NotPetya emerged in June 2017 masquerading as ransomware named "Petya", but was rather more potent as it borrowed from the EternalBlue exploit that leaked from the US National Security Agency. Like Petya, NotPetya scrambled files, but did not offer decryption-for-cash. The malware instead hopped across networks, trashing filesystems as it went.
The UK's statement said NotPetya was targeted at Ukrainian "financial, energy and government sector" targets, an opinion shared by many other analyses. However, the malware was indiscriminate, so it quickly infected many other organisations.
The code was so effective that shipping company Maersk was forced to rebuild 4,000 servers, 45,000 PCs, and 2,500 applications in order to restore its operations. Many other organisations experienced considerable disruptions, with FedEx bemoaning a $300m repair bill.
A later variant of the malware, "BadRabbit", hopped into view in October 2017 but was thankfully less virulent than its predecessor. ®
Updated to add
The US has now joined with its British cousins in calling Russia out on the attack.
"The attack, dubbed 'NotPetya,' quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas," said White House press secretary Sarah Huckabee Sanders in a February 15th statement.
"It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences."