'Russian military behind NotPetya attacks': UK officially names and shames Kremlin

After blaming North Korea for WannaCry, UK now officially pins crippling NotPetya attacks on Russia.
Written by Liam Tung, Contributing Writer


The UK government has officially accused the Russian government of June's disruptive and hugely costly NotPetya malware attack.

"The UK Government judges that the Russian government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017," Foreign Office minister for Cyber Security, Tariq Ahmad, said in a statement.

"The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe, costing hundreds of millions of pounds."

Initially NotPetya was thought to be ransomware, but security researchers quickly concluded it was more likely to be destructive malware designed to wipe systems.

The UK's National Cyber Security Centre (NCSC) today revealed it came to the same conclusion, noting that the malware was only masquerading as ransomware and its main purpose was to disrupt.

The NCSC said the Russian military was "almost certainly responsible" for the NotPetya attack.

Shipping container firm Maersk, FedEx's Dutch delivery subsidiary TNT Express, and UK firm Reckitt Benckiser were among the global firms that suffered severe disruption and several hundred million dollars in lost revenue. However, these firms were collateral damage in the ongoing conflict between Ukraine and Russia.

NotPetya employed the NSA exploits for Windows known as EternalBlue and EternalRomance as well as credential-dumping tools to spread internally across networks once one machine was infected. The exploits were leaked in April by The Shadow Brokers.

The malware initially infected organizations via a compromised update from the Ukrainian accounting software provider MEDoc. Its MEDoc software is one of two accounting packages required for companies doing business in Ukraine and is widely used by Ukrainian agencies.

Maersk, which used MEDoc at its Ukraine offices, recently revealed it was forced to reinstall 45,000 PCs, 4,000 servers and 2,000 applications hit by NotPetya. The company reported losses of $300m due to the incident.

The NCSC notes that Ukraine's financial, energy and government institutions bore the brunt of NotPetya. However, the "indiscriminate design" of the malware caused it to spread to other European and Russian businesses.

Though it is unusual to officially blame another nation for a cyberattack, the US and its Five Eyes partners blamed the WannaCry ransomware attack on North Korea. The idea, in part at least, is to name and shame nation-state attackers for their actions.

Russia and North Korea have consistently denied responsibility for NotPetya, WannaCry, and other cyberattacks.

The UK's Ahmad said the Kremlin has positioned Russia in direct opposition to the West.

"It doesn't have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather than secretly trying to undermine it," he said.

"The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm."
