Predicting the line between cyberspace and geo-political action

The cost, actual damage, and number of organizations hit by the NotPetya attack are likely to be concealed by attempts to maintain stock prices and the patchwork of disclosure regulations around cyber attacks. The political ramifications, however, are coming into focus.

NATO leveraged the fact that Ukraine bore the brunt of the attack (roughly 90 percent of NotPetya's victims were in Ukraine and Russia) to deploy cyber defenses in the country. Additionally, Ukraine is now working on an action plan to join NATO and meet membership standards by 2020. This discussion (never mind an agreement in principle to start the process) would have been unthinkable before the NotPetya attack. Russia has tolerated creeping NATO expansion and a general disregard for its concerns, but given the long history between the two territories, Ukraine has always been a distinct redline for Moscow.

Microsoft estimates that the NotPetya attack impacted fewer than 13,000 Ukrainian endpoints, while other reports place the monetary damage at half a billion dollars. To put these numbers in perspective, the 2012 Saudi Aramco attack destroyed around 35,000 machines in the oil company's network, while the 1998 Chernobyl virus caused approximately $1 billion in damage.

In a mad dash to conquer news cycles and win the game of whodunit, convenient narratives around NotPetya have evolved, leading to false assumptions. This development could result in actions that, in retrospect, were based on belief rather than facts. Given the current lack of attribution, the reactions to the events from late June through July appear to be following this pattern, even though they have the potential to rewrite European history.

What we know about NotPetya:

  • A company that produces tax software was compromised and pushed at least three malicious updates to all of its customers over the course of three months.
  • These malicious updates dropped a backdoor that used the vendor's update server as its command and control node.
  • On June 27 abnormal external connections were spotted on the update server, and the NotPetya payload was delivered to a subset of the backdoor's victims.
  • NotPetya was a worm designed to spread both within the networks it infected and out to other networks.
  • NotPetya posed as ransomware but functioned more like a drive-wiping tool designed to cause destruction; paying the ransom did not recover files.

Intrusion attribution: The missing piece of the puzzle

The Ukrainian government immediately blamed Russia, but little evidence has been provided to support this belief. ESET has made the most robust attempt, but even its case relies on several degrees of separation between a nationality and the activity. NATO, however, seized the opportunity to radically change the European cyber security landscape and push an agenda that has traditionally been, and likely still is, a redline for Moscow.

The immediate increase in material aid and the accession talks, which had usually been postponed, were suddenly rushed to NATO's forefront, despite no attribution to a Russian national (let alone the Kremlin). Yet when previous attacks against Ukraine were attributed to Russia, NATO did not come to the country's aid. For example, when Russia "illegally annexed Crimea," NATO increased support to Ukraine by helping with programs to transition soldiers into civilian roles. The Alliance stood silent when Russia used BlackEnergy to take down part of the Ukrainian power grid in the middle of winter, cutting power to roughly 230,000 customers in December 2015. Again, NATO looked the other way when Russia deployed one of the most advanced tools yet seen for disrupting critical infrastructure against Kiev's grid a year later. But because 20,000 hard drives were lost, the two largest nuclear forces on the planet are now positioned head-to-head in Russia's sphere of influence?

Regardless of whether we ever see real attribution, or even if the Alliance gets cold feet and prevents Ukraine from joining, the reactions to the NotPetya attack are representative of the increasing demand from publics and governments to "do something," even if that something is potentially more disastrous than the incident itself. This disproportionate response by the Alliance only serves to decrease stability, both globally and in cyberspace.

NATO's response to NotPetya is one of the strongest we have seen in Europe, even though NotPetya falls on the lower end of the destructive attack spectrum. These reactions send confusing signals and will make it harder for states to assess the risk of their own operations.

When uncertainty increases around a military operation, the consequences and the recklessness of the actors also increase. NATO countries should establish a deterrence regime in cyberspace and create a framework of acceptable action. But the events that followed NotPetya caused a significant setback by undermining consistency in messaging and action. It now appears that the redline is not a destructive cyber attack, but rather one that hits multiple companies and countries.

Now we find ourselves in a new world shaped by frantic action instead of coherent policy and good intention. Russia is in a worse position now and has a stark choice to make. The options are either increasing pressure on Ukraine to make NATO accession impossible, or falling back and letting the public lose interest in bearing the cost of protecting Ukraine. This is a new, unexpected calculation for the Kremlin, and one that derived from a mediocre cyber operation. The first group to accurately predict the line between cyberspace and geo-political action is going to revolutionize statecraft. Now we have our first clearly defined case study.

Sarah Maloney
About the Author

Sarah Maloney is a writer for the Cybereason Blog, covering all things cybersecurity.