Shutterstock.com

White House Threatens ‘Consequences’ for 2017 Russian Cyberattack

In an unusual public statement, the White House fingered Russia and said it would respond with unspecified “international consequences" to NotPetya.

The White House has promised unspecified “international consequences” for a June 2017 Russian military cyberattack against Ukraine that went on to infect networks and computers around the world. When asked what “consequences” meant and whether the attack had affected U.S. government or financial interests beyond what had been previously reported, a national security official replied only saying, “We are not going to forecast our moves.”

A White House statement on Thursday said: “In June 2017, the Russian military launched the most destructive and costly cyber-attack in history. The attack, dubbed ‘NotPetya,’ quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyber-attack that will be met with international consequences.”

The announcement came hours after the UK government made a similar statement.

Those consequences could include a retaliatory attack or sanctions, the later of which would eventually have to be announced, the former, not so much.

On June 27, a new piece of malware hit Ukrainian companies that since has been dubbed NotPetya, in part because it originally bore an intentional resemblance to encrypting ransomware called Petya. “The software, virus, malware, was planted on the computers of [chief financial officers] and chief accountants who have on their computers all the financial contracts, digital signatures for the banks, everything you have for business institutions,” Dmytro Shymkiv, the deputy head of the Presidential Administration of Ukraine, said at a recent George Washington University event.

“To cover the trace [sic], the NotPetya virus was spread to wipe out any trace of intelligence gathering. But it created enormous sabotage in the country. We have supermarkets not working. People could not get groceries. ATMs were not working. People could not withdraw their money,” he said.

The virus went on to hit Ukrainian energy company Kyivenergo, then Ukrenergo. It quickly spread internationally, hitting Danish power company Maersk IT and moved on from there, around the globe.

Junaid Islam, CTO of cybersecurity company VIdder and a consultant with the United States intelligence community, discussed the malware with Defense One in October. Like a lot of ransomware, NotPetya had a data-destroying or wiping capability. It also hopped laterally within networks by attacking and attempting to steal active directory credentials, essentially the list that tells the computer who and what to trust. (Petya, like many other ransomware, attempted to move from computer to computer within networks by stealing active directory credentials, but it didn’t do so as well as NotPetya.) By stealing and then using active directory credentials to gain access to new machines, the malware was able to mimic native functionality within the operating system. In essence, it looked like software that was supposed to be there.

“The machine learning algorithms that hunt for abnormalities wouldn’t go off. So [the malware] appears as a native process. The Russians have figured out how to do this. They tried it in Ukraine to see how successful this was and it was very successful,” said Islam.

For Islam, this represents a game-changer. But such attacks have also grown more destructive in part because of alleged NSA and CIA exploits that a group called Shadow Brokers have leaked.  

“Public government attribution on cyberattacks is more common in recent years than it’s been before but is still rare. Seeing multiple governments publicly attribute an attack is rarer and speaks to the damage and scale of the attack. The NotPetya attack was extremely damaging and reckless and should be met with harsh consequences. Multiple states doing public attribution helps set precedence important to establishing norms while reassuring the private sector,” cybersecurity researcher Robert M. Lee, the CEO and Founder of cyber security company Dragos, told Defense One.

Beyond unspecified consequences, there is also a legislative push to enact more cybersecurity information sharing between the United States and Ukraine, thanks to a bipartisan bill that recently passed the house.