An unreleased CIA report is alleged to officially name Russia’s top foreign spy agency as the source of the NotPetya ransomware and the initial attacks against Ukraine.
The CIA reportedly concluded in November 2017 that Russia’s GRU foreign intelligence agency was responsible for the NotPetya attacks in June 2017. According to The Washington Post, unnamed officials said the classified CIA report attributed the NotPetya attacks to Russia’s GRU and said the hackers that created the ransomware worked for the Russian military’s GTsST, or Main Center for Special Technology.
The NotPetya attacks began by targeting Ukrainian agencies but quickly spread through the use of the EternalBlue exploit developed by the NSA and used in the WannaCry ransomware attacks.
Attributing the attacks to Russia is not in itself surprising as security researchers in June said Russia was the likely threat actor given that the initial NotPetya attacks targeted Ukraine government agencies through multiple software backdoors in the M.E.Doc tax program. However, experts noted that the CIA likely wanted to be certain before making any statement.
Tim Erlin, vice president of product management and strategy at Tripwire, the information security company headquartered in Portland, Ore., said “attributing cyberattacks to specific attackers or groups can be a challenging task.”
“It’s not always possible to make a direct connect, and indirect inferences are required to come to a conclusion. Accurate attribution is broadly valuable. While organizations should focus on the solid application of foundational controls first, characterizing the threat environment in terms of changing attackers can help prioritize more advanced protections,” Erlin told SearchSecurity. “It’s hard to say why the CIA didn’t publish this information sooner, though it’s important to realize that a three-month delay in disclosing this kind of nation-state attribution isn’t a very long time.”
The NotPetya attacks and Russian aggression
Tom Kellermann, CEO of Strategic Cyber Ventures LLC in Augusta, Ga., said the CIA likely “withheld attribution to prevent their sources and methods from being discovered.”
“The public announcement is significant as it is meant to warn the American public of the significant cyber threat posed by Russia,” Kellermann told SearchSecurity. “Cold War cyberattacks against the U.S. have dramatically increased over the past six weeks, as evidenced by the resurgence of Fancy Bear coming out of hibernation. We are under siege.”
Chris Morales, head of security analytics at Vectra Networks, a cybersecurity company based in San Jose, said the security industry felt comfortable attributing the NotPetya attacks to Russia “due to similarities of the NotPetya attack to prior attacks from Russia targeting the Ukraine.”
Chris Moraleshead of security analytics at Vectra Networks
“Russia has engaged in what the Pentagon calls ‘hybrid warfare’ against […] Ukraine, with three previously known attacks against the Ukrainian voting system and power grid dating back to 2014. With the CIA confirmation, NotPetya now looks like another attack in a succession of state-sponsored attacks,” Morales told SearchSecurity. “The bigger concern here for the U.S. is that we believe Russia is practicing and honing their craft against […] Ukraine, where they face little opposition from global powers. Cyberspace is the next major battle ground between major nation-states. Russia is arming themselves with cyber weapons that could be used against us or any other state as Russia would deem necessary in a bigger attack campaign. The irony of this attack is that it leveraged exploits developed by the NSA in their pursuit of weaponizing cyber space.”