In cyberwarfare, the toughest question to answer definitively is “Who did it?” It’s no surprise then that Microsoft Corp. avoided the attribution on everyone else’s lips in its analysis of last week’s cyberattacks on Ukraine. That would be Russia. But several clues suggest they not only came from the Kremlin but will follow a pattern of spilling into other countries in Europe and the U.S. too. That ratchets up geopolitical tension across the world: Ukraine is currently bracing for potential military action from Moscow; Russian President Vladimir Putin has 100,000 troops at the border; and Moscow’s security talks with the U.S. and NATO have broken down.
There’s a lot of circumstantial evidence for a Russian hand in the latest cyberattacks, which affected around 70 government agencies in Ukraine, the worst in the country in four years. They resemble a devastating series that was widely attributed to Moscow, which began in 2015, continued into 2017 and swamped Ukraine’s banks, media and electric utilities with malware targeting Windows-based systems. If so, the wider world outside of Ukraine had better start taking precautions.
Microsoft’s Threat Intelligence Center on Saturday said the latest assault had a similar profile to the 2015 attacks: appearing to be ransomware, residing in file directories, and executing when a computer is switched off. The researchers at the Center say it then overwrites a critical part of a computer’s hard drive with the following ransom note:
“Your hard drive has been corrupted.
“In case you want to recover all hard drives of your organization, You should pay us $10k via bitcoin wallet 1AVNM68gj6PGPFcJuftKATa4WLnzg8fpfv and send message via tox ID 8BEDC411012A33BA34F49130D0F186993C6A32DAD8976F6A5D82C1ED23054C057ECED5496F65 with your organization name.
“We will contact you to give further instructions.”
Except, that isn’t what a ransom note is usually like. Ransomware attackers often customize different messages for different victims; the attackers in Ukraine last week used the same note for multiple victims. And instead of just encrypting files that could later be deciphered after payment, the perpetrators were far more destructive, completely overwriting data with no possibility of recovery, according to the Microsoft researchers.
That’s reminiscent of the malware attacks against a range of Ukrainian organizations back in 2015 and 2016. Hackers with Russia’s GRU intelligence agency also planted fake ransomware messages to try to confuse investigators, according to the book “Sandworm” by Wired reporter Andy Greenberg. It culminated in the release of a devastating computer worm called NotPetya in June 2017. NotPetya, which purports to be ransomware but can’t actually undo the changes it makes, caused an estimated $10 billion of damage globally after spreading from machine to machine, prompting the White House to promise “international consequences” against Russia.
One victim was Chicago-based Mondelez International Inc., maker of Oreos and Triscuits. The food company found its email and logistics systems were disrupted for weeks. After it suffered permanent damage to 1,700 servers and 24,000 laptops, Mondelez filed a claim for costs of more than $100 million with its insurer, Zurich Insurance Group AG. Zurich denied the claim on the grounds that it didn’t cover damages caused by war, interpreting the harm as a consequence of Russia’s shadow war in Ukraine that included the annexation of Crimea in 2014. The case, which could have far-reaching ramifications for insurers, remains undecided.
As warfare becomes more digital, it is getting harder to dismiss geopolitical conflicts as distant and isolated. Only around 75% of NotPetya’s damage took place in Ukraine, according to a 2017 analysis by cybersecurity firm ESET. Germany was the second-hardest hit with around 9%. Companies and organizations across Europe and the U.S. also fell victim.
No wonder the U.S. Cybersecurity and Infrastructure Security Agency has publicly encouraged organizations to review Microsoft’s blog post, as well as its own advisory on protecting critical U.S. infrastructure from cyberattacks. Warnings about imminent cyber threats can appear paranoid — until they’re not. For now, you may not want to turn off your computer for the night.