Cyber Puzzlement: The Latest Cyber Ransom Attack in the Ukraine May Not Have been Russian

by Stephen Bryen

This article previously appeared in Asia Times under the title Cyberattack in Ukraine May Not Have Been Russian

The press is full of accusations that the Russians unleashed a highly damaging cyber attack called NotPetya in Ukraine. Unnamed U.S. authorities and “private researchers” are claiming it was Russian, either carried out by the state or backed by it. Does the evidence support the accusation?

NotPetya masquerades as ransomware, but its effects cannot be reversed.  It wipes portions of data stored on hard drives.  In the Ukraine NotPetya reportedly affected central government operations, the national bank, the main airport in Kiev and the sensors at the Chernobyl reactor site that monitor radiation leaks. 

Analysts point to evidence that the cyber attack was political, had Russia’s fingerprints on it, and is part of the conflict with Ukraine.  The virus hit a day before Ukrainian Constitution Day, although it was lurking for five days before it was unleashed.

But the arguments are speculative. There is no outright proof of any kind this was a Russian-supported or Russian-inspired operation. A Trump administration official told Bill Gertz of the Washington Free Beacon that “the U.S. government is not prepared to blame Moscow,” but that comment was buried in an accusatory story fingering Russia. 

There are reasons to think the NotPetya attack was not Russian. 

The first comes from an observation made by Cisco researchers examining the attack. They believe the NotPetya attack was not motivated by money and hence was not a real ransomware assault. They do think the origin of the attack is political. Ukrainian authorities say the attack originated in a Ukrainian company called M.E. Doc, which sells and supports tax accounting software, and is owned by another company, Intellect Services. Cisco agrees that M.E. Doc was the source of the attack, that credentials to M.E. Doc’s servers were stolen or compromised, and that M.E. Doc had not updated its servers or fixed known vulnerabilities in its system since 2013.

«M.E.Doc» – это Ваш лучший помощник в работе со всеми типами документов в электронном виде, такими как: налоговые накладные, акты, счета, налоговые отчеты, договора и др. Любой электронный документ, созданный в «M.E.Doc» и подписанный ЭЦП, является оригиналом бумажного документа в электронном виде.

But Cisco is puzzled that unleashing this destructive software revealed a powerful capability that a state actor, such as Russia would have been loath to do even though Cisco researchers still think the attacks were potentially a Russian political operation. 

Cisco reports:

“Our Threat Intelligence and Interdiction team is concerned that the actor in question burned a significant capability in this attack.  They have now compromised both their backdoor in the M.E.Doc software and their ability to manipulate the server configuration in the update server.”

“In short, the actor has given up the ability to deliver arbitrary code to the 80% of UA businesses that use M.E.Doc as their accounting software, along with any multinational corporations that leveraged the software.  This is a significant loss in operational capability, and the Threat Intelligence and Interdiction team assesses with moderate confidence that it is unlikely that they would have expended this capability without confidence that they now have or can easily obtain similar capability in target networks of highest priority to the threat actor.” 

In short, a state actor would have to have decided to use this powerful tool knowing that it was a one-time affair and the state would lose the capability in future.  There is no known strong reason for the Russians to have done it unless they considered NotPetya an expendable resource or at least a resource with a short half-life that would soon become irrelevant as servers around the world were properly patched to remove the vulnerability.

One needs to keep in mind that the NotPetya malware is a variant of the WannaCry virus, and both NotPetya and WannaCry originated in the United States, invented by NSA or by a contractor working for NSA and based on code known as EternalBlue combined with some elements of another NSA sponsored malware known as EternalRomance.  Russian cyber warriors probably regard any U.S. origin tool as insufficiently powerful for economic or political warfare on a large scale.  In fact, while NotPetya caused a lot of trouble and economic loss, at the end of the day it was not sufficiently destructive to be considered a major disruptive tool. On a scale of 1 to 10 it was probably a 4. 

There are other reasons to be suspicious of NotPetya’s origins. It was not confined to the Ukraine; Microsoft reports that NotPetya appeared “in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.”  In Russia, cash registers at retail petrol outlets belonging to the oil giant Rosneft apparently were hit, according to the company.  A number of transport companies, most notably the Danish shipping firm Maersk suffered a NotPetya attack, allegedly because it is using the same software for its accounting systems distributed by M.E. Doc. Ukrainian authorities say they are deeply concerned about NotPetya because its accounting software is critical to its energy and banking systems.  Some companies are reported to be continuing to use the compromised software so that they can continue operating. 

Can one conclude that the attack that hit 64 other countries as just a residual result of the Ukrainian cyber event?  Was NotPetya not so clever and not well focused?  We do not know.

We do know the Ukrainian services had previously warned M.E. Doc about its vulnerabilities.  And, after the NotPetya attack and after having raided M.E. Doc’s facility, Ukrainian services said they detected another cyber attack in the making at M.E. Doc, and prevented it. 

It is most unusual to raid a company that may have been the possible victim of a cyber attack unless you suspect the company is the culprit or you have other motives themselves political, but not necessarily having anything to do with Russians.

According to the office of the Ukrainian President’s, whatever damage was done was done and all systems in Ukraine as now operating normally. 

One could make a case that the unleashing of NotPetya was an attempt to blame the Russians and, at the same time punish M.E. Doc for not updating its security.  This is an avenue of research that deserves some attention for the simple but cogent reason that a false flag cyber attack could trigger a much bigger conflict –e.g., the Ukrainians have been working extra hard to draw the United States and Europe more and more into the conflict between the Ukrainians and Russians. The Russians have attacked Ukrainian critical infrastructure before, so they already have a known modus operandi, exposing them to such a tactic. 

On the political front, the Russians lacked any specific immediate motive to launch an attack on Ukraine’s critical infrastructure. In the case of previous attacks, especially the attack on Ukraine’s power grid in December 2015, the Russians were responding to Ukrainian cuts in power going to Crimea.  That attack was well focused, sophisticated and effective and disabled parts of the power grid belonging to Prykarpattyaoblenergo.  It could be repeated anytime, so why then use a warmed over ransomware tool with a far less certain outcome and without any assurance of results?

The case against the Russians is, therefore weak when it comes to NotPetya.  The best we can say now is that it is a puzzlement over who did it and why.