‘They sow chaos wherever they can’: A familiar actor may be behind the massive ‘Petya’ cyberattack

Cyberattack ukraine
A supermarket hit by a cyberattack in Ukraine on June 27, 2017. Mikhail Golub/Twitter

A colossal cyberattack on Tuesday has been wreaking havoc on countries and corporations across the globe, and cybersecurity experts are zeroing in on a familiar name as the possible culprit.

The attack, dubbed “Petya,” is a ransomware worm that has so far targeted Ukrainian banks and airports, Russian state-owned oil giant Rosneft, British advertising company WPP, US pharmaceutical giant Merck, and shipping company A.P. Moller-Maersk, which said every branch of its business was affected.

Analysts at several cybersecurity firms have confirmed that the Petya assault utilised a powerful and dangerous cyberweapon reated by the National Security Agency that was leaked in April by the hacker group Shadow Brokers.

Though it’s too soon to be certain, experts say it seems as though a confluence of factors may be pointing to Russian state involvement in carrying out the attack.

‘Ukraine was targeted’

Ukraine was hardest hit by the attack, which came one day before the country’s Constitution Day.

Russia’s and Ukraine’s rocky ties have been well-documented, and their relationship has been in steep decline since Russia annexed the territory of Crimea in 2014 and steadily pursued greater military aggression towards its neighbour.

“The first thing that raises a red flag to me is that right now, Russia’s main antagonist is Ukraine,” said Alex McGeorge, the head of threat intelligence at Immunity, Inc., a cybersecurity firm that specialises in nation-state cyber threats.

McGeorge added that the methodology of the the attack also “gives a really good and stable foothold on networks that would matter to somebody who was interested in attacking Ukraine.”

“If I’m interested in disrupting Ukraine, this is great for me,” he said.

In addition to major disruptions to the Ukrainian power grid, banks, government offices, and airports, the country’s Chernobyl plant was also forced to switch to manual radiation monitoring of its site.

Anton Gerashchenko, an adviser to Ukraine’s interior minister, wrote in a Facebook post that the attack was “the largest in the history of Ukraine.”

Greg Martin, the CEO of cybersecurity firm JASK, said he believes that because of its political climate and the geopolitical factors at play, “Ukraine was targeted by bad actors who are using it as a cyberweapon testing ground over the past couple of years.”

In 2015, a massive cyberattack leveled against the country’s power grid cut electricity to almost 250,000 Ukrainians. Cybersecurity experts linked the attack to IP addresses associated with Russia. Since then, Wired Magazine’s Andy Greenberg reported last week, Ukraine has seen a growing crisis in which an increasing number of Ukrainian corporations and government agencies have been hit by cyberattacks in a “rapid, remorseless succession.”

Ukraine is now host to what may turn into a full-blown cyberwar, Greenberg reported. Two separate attacks on the country’s power grid were part of a “digital blitzkrieg” waged against it for the last three years, which multiple analysts have connected to Russian interests.

“You can’t really find a space in Ukraine where there hasn’t been an attack,”Kenneth Geers, a NATO ambassador focusing on cybersecurity, told Wired.

“What we know about the Russians is that it’s part of their M.O. and they sow chaos wherever they can,” McGeorge said. “Having this foothold everywhere for all these important Ukrainian networks speaks directly to that goal.”

Vladimir Putin
Vladimir Putin Adam Berry/Getty Images

‘The numbers just don’t work’

Analysts have also cast doubt on the notion that Tuesday’s attack was carried out in a ploy to turn a profit, because it’s unlikely that the actors behind it will recoup any investment they made into their efforts.

The hackers behind a crippling cyberattack carried out in May, dubbed “WannaCry,” made about $US50,000 worth of the Bitcoin cryptocurrency.

“The numbers just don’t work,” McGeorge said. WannaCry’s accumulation was “a pittance when you’re talking about nation-state levels.”

And it’s likely Tuesday’s attack will yield even less than that.

The attack was carried out using an email address that was taken down within the first day of the infection occurring. That proves “there was never a chance that someone was going to be able to cash in on this. If you’re doing a massive ransomware campaign, you have to have resiliency built into the way you get paid,” McGeorge said. “We don’t see a lot of that here.”

“Traditionally, the ransomware attack has not been the tool of a nation-state,” said Jason Glassberg, the co-founder ofCasaba Security. However, the appearance of a ransomware attack could lend a nation-state the cover of plausible deniability, he added.

“The ransomware aspect to this could actually provide Russia with a great point of distraction to control the narrative when discussing the attack,” McGeorge said.

Russian companies were struck but quickly recovered

In addition to several other companies, Russia’s state-owned oil company, Rosneft, also reported that it was attacked, as did Russian steelmaker Evraz.

While the attack brought serious consequences for other corporations — like shipping giant Maersk — neither Rosneft nor Evraz suffered similar fallout. Rosneft said its oil production had not been impacted, and Evraz said the attack had not affected its output.

Ukraine currently relies heavily on Russia for its oil and natural gas reserves, and it’s likely Rosneft was hit by the attack because it regularly deals with the Ukrainian government.

“But one of the standing gentleman’s agreements the [Russian intelligence agency] FSB has with the Russian hacking community is, ‘Do whatever you want, so long as it doesn’t hurt Russia,'” McGeorge said.

And while hackers can’t stop these companies from getting infected, they can stop the attack from propagating, which is likely why neither Rosneft nor Evraz saw significant damage to their output, McGeorge added.

Tuesday’s attack was the second serious cyberattack carried out in a little over a month. If it has Russian origins, Martin said, “we can expect that it will be much more far-reaching and sophisticated.”

“But it still might just be a harbinger of what’s to come in the future,” Glassberg said.

NOW WATCH: Watch Russia’s newest fighter jet in action — the MiG-35