Friday 16 Feb 2018 @ 09:15
National Cyber Security Centre
Printable version

Russian military ‘almost certainly’ responsible for destructive 2017 cyber attack

An assessment by the National Cyber Security Centre has found that the Russian military was almost certainly responsible for the ‘NotPetya’ cyber attack of June 2017.

The UK Government has made the judgement that the Russian government was responsible for the attack, which particularly affected Ukraine’s financial, energy and government institutions but its indiscriminate design caused it to spread further, affecting other European and Russian business.

The destructive attack masqueraded as ransomware, but its purpose was principally to disrupt. Several indicators seen by the NCSC demonstrated a high level of planning, research and technical capability.

The decision to publicly attribute this incident reiterates the position of the UK and its allies that malicious cyber activity will not be tolerated.

Foreign Office Minister of State with responsibility for Cyber, Lord (Tariq) Ahmad of Wimbledon, said:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017.

“The attack showed a continued disregard for Ukrainian sovereignty.  Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

“The Kremlin has positioned Russia in direct opposition to the West: it doesn’t have to be that way.  We call upon Russia to be the responsible member of the international community it claims to be rather then secretly trying to undermine it.

“The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. 

“We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

The NotPetya attack saw a malicious data encryption tool inserted into a legitimate a piece of software used by most of Ukraine’s financial and government institutions.

Once an organisation’s machine was infected, the highly crafted tool was designed to spread rapidly, in some cases overriding the Master Boot Record (MBR) on infected computers and displaying a ransom note asking for payment in Bitcoins. The malware spread via trusted networks, rather than widely over the internet. Therefore, it effectively bypassed the processes put in place to prevent ransomware attacks.

The ransom note instructed victims to make payments to a single Bitcoin wallet with confirmation that they had paid. However, flaws in the payment process quickly became apparent as the ransom note did not display a ‘personal identification ID’ which would enable the attacker to know whose data to decrypt and the payment collection infrastructure was quickly taken down by the attacker’s email provider.

The malware was not designed to be decrypted. This meant that there was no means for victims to recover data once it had been encrypted. Therefore, it is more accurate to describe this attack as destructive than as ransomware.

NotPetya used the EternalBlue and EternalRomance exploits, which the Shadowbrokers group released in early 2017. Microsoft issued a patch for both exploits, so all the victim machines were ones that had not applied these patches.

Notes

Lord Ahmad’s full statement can be seen here.

 

Channel website: https://www.ncsc.gov.uk/

Original article link: https://www.ncsc.gov.uk/news/russian-military-almost-certainly-responsible-destructive-2017-cyber-attack

Share this article

Latest News from
National Cyber Security Centre

NCSC enters new partnership for PDNS delivery

17/04/2024 13:05:00

The National Cyber Security Centre announces new partnership to deliver the Protective Domain Name System (PDNS) service.

UK holds China state-affiliated organisations and individuals responsible for malicious cyber activity

26/03/2024 10:31:00

UK calls out pattern of malicious cyber activity by Chinese state-affiliated organisations and individuals targeting democratic institutions and parliamentarians.

NCSC and partners issue warning about state-sponsored cyber attackers hiding on critical infrastructure networks

08/02/2024 11:05:00

GCHQ’s National Cyber Security Centre and partners share details of how threat actors are using built-in tools to camouflage themselves on victims’ systems.

Business leaders urged to toughen up cyber attack protections

24/01/2024 13:12:00

New guidelines to help directors and business leaders boost their resilience against cyber threats.

Exploitation of vulnerabilities affecting Ivanti Connect Secure and Ivanti Policy Secure

15/01/2024 10:15:00

Organisations are encouraged to take immediate action to mitigate vulnerabilities affecting Ivanti Connect Secure (ICS) and Ivanti Policy Secure (IPS) gateways (CVE-2023-46805 and CVE-2024-21887), and follow the latest vendor advice.

UK exposes attempted Russian cyber interference in politics and democratic processes

08/12/2023 10:29:00

The UK condemns Russia’s sustained attempts at political interference in the UK and globally.

UK and allies expose Russian intelligence services for cyber campaign of attempted political interference

07/12/2023 14:25:00

The UK and allies call out the Russian Intelligence Services for a campaign of malicious cyber activity attempting to interfere in UK politics and democratic processes

NCSC launches Cyber Incident Exercising scheme

06/12/2023 15:25:00

New CIE assured providers give organisations support to create structured table-top or live-play cyber incident exercises.

UK and Republic of Korea issue warning about DPRK state-linked cyber actors attacking software supply chains

23/11/2023 16:05:00

Joint advisory observes cyber actors leveraging zero-day vulnerabilities and exploits in third-party software.