The government of Russia has officially been blamed by the U.K. for last year’s NotPetya ransomware attack.
In a statement today Lord Tariq Ahmad, the head of the Foreign Office’s cyber security division, said “the decision to publicly attribute this incident underlines the fact that the U.K. and its allies will not tolerate malicious cyber activity.”
“The U.K. Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017. The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds.
“The Kremlin has positioned Russia in direct opposition to the West yet it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it.”
“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt,” the statement said. “Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”
Although it is a member, with Britain, of the Five Eyes intelligence-sharing group, Canada’s position is more nuanced. Greta Bossenmaier, chief of the Communications Security Establishment — responsible for protecting this country’s government networks — issued a statement this morning that “CSE also assesses that actors in Russia were responsible for developing NotPetya. Canada condemns the use of the NotPetya malware to indiscriminately attack critical financial, energy, government, and infrastructure sectors around the world.”
UPDATE: The White House issued a brief statement with the same language as the British, saying the Russian military launched NotPetya.
In a notice to editors the statement says the U.K.’s National Cyber Security Centre assesses that the Russian military “was almost certainly responsible” for the attack.
The attack started June 27 in Ukraine, which immediately prompted speculation that those behind it were from Russia. Tension has been high between the two countries for some time, with Russia annexing Ukraine’s Crimea region in 2014. The ransomware then spread to the United States, the U.K., Spain, France and India. Soon 12,500 devices in 65 countries had been infected by the strain, called either ExPetr or NotPetya.
One company that publicly admitted it was particularly hard hit was Denmark-based international shipping firm Maersk, which estimated the costs of recovering at close to US$300 million. A news report quoted the company’s chairman telling the World Economic Forum that it had to install 4,000 new servers, 45,000 new PCs, and 2,500 applications.
Other hard-hit victims were FedEx and pharmaceuticals manufacturer Merck, which was quoted as telling financial analysts it expected recovery costs would hit US$175 million, plus another $135 million in lost sales.
According to Microsoft, at least some of the initial infections started when Ukrainians used the legitimate updating process for tax software called MEDoc. What made NotPetya so lethal is that it’s also a worm that spreads laterally through an organization from the initial infection of one machine, helped by the ability to steal credentials. Among other vectors, NotPetya exploits vulnerabilities that Microsoft patched in March 2017, two months before the ransomware was launched. That led Verizon Enterprise Solutions’ global security investigations manager and other infosec pros to conclude that good patch management could have checked the spread of the malware.