CIA attributes NotPetya attacks to Russian spy agency

The CIA reportedly concluded that Russia's foreign intelligence agency created and was responsible for the NotPetya attacks against Ukraine in June.

An unreleased CIA report is alleged to officially name Russia's top foreign spy agency as the source of the NotPetya ransomware and the initial attacks against Ukraine.

The CIA reportedly concluded in November 2017 that Russia's GRU foreign intelligence agency was responsible for the NotPetya attacks in June 2017. According to The Washington Post, unnamed officials said the classified CIA report attributed the NotPetya attacks to Russia's GRU and said the hackers who created the ransomware worked for the Russian military's GTsST, or Main Center for Special Technology.

The NotPetya attacks began by targeting Ukrainian agencies, but the ransomware quickly spread through the use of the EternalBlue exploit, which was developed by the National Security Agency and used in the WannaCry ransomware attacks.

Attributing the attacks to Russia is not in itself surprising, as security researchers in June said Russia was the likely threat actor, given that the initial NotPetya attacks targeted Ukrainian government agencies through multiple software backdoors in the M.E.Doc tax program. However, experts noted that the CIA likely wanted to be certain before making any statement.

Tim Erlin, vice president of product management and strategy at Tripwire Inc., an information security company headquartered in Portland, Ore., said "attributing cyberattacks to specific attackers or groups can be a challenging task."

"It's not always possible to make a direct connect, and indirect inferences are required to come to a conclusion. Accurate attribution is broadly valuable," Erlin told SearchSecurity. "While organizations should focus on the solid application of foundational controls first, characterizing the threat environment in terms of changing attackers can help prioritize more advanced protections.

"It's hard to say why the CIA didn't publish this information sooner, though it's important to realize that a three-month delay in disclosing this kind of nation-state attribution isn't a very long time," he continued.

The NotPetya attacks and Russian aggression

Tom Kellermann, CEO of Strategic Cyber Ventures LLC in Washington, D.C., said the CIA likely "withheld attribution to prevent their sources and methods from being discovered."

"The public announcement is significant, as it is meant to warn the American public of the significant cyberthreat posed by Russia," Kellermann told SearchSecurity. "Cold War cyberattacks against the U.S. have dramatically increased over the past six weeks, as evidenced by the resurgence of Fancy Bear coming out of hibernation. We are under siege."

Chris Morales, head of security analytics at Vectra Networks, a cybersecurity company based in San Jose, Calif., said the security industry felt comfortable attributing the NotPetya attacks to Russia "due to similarities of the NotPetya attack to prior attacks from Russia targeting the Ukraine."

"Russia has engaged in what the Pentagon calls 'hybrid warfare' against ... Ukraine, with three previously known attacks against the Ukrainian voting system and power grid dating back to 2014. With the CIA confirmation, NotPetya now looks like another attack in a succession of state-sponsored attacks," Morales told SearchSecurity.

"The bigger concern here for the U.S. is that we believe Russia is practicing and honing their craft against ... Ukraine, where they face little opposition from global powers. Cyberspace is the next major battleground between major nation states," Morales continued. "Russia is arming themselves with cyberweapons that could be used against us or any other state as Russia would deem necessary in a bigger attack campaign. The irony of this attack is that it leveraged exploits developed by the NSA in their pursuit of weaponizing cyberspace."
