The Petya cyber attack that crippled dozens of businesses worldwide was the work of a hostile government, not a criminal group, cyber security analysts and western intelligence officials now believe.
For many of them, a growing body of circumstantial evidence amassed in the past week points to one state in particular: Russia.
What cyber investigators term the “TTPs” — the tactics, techniques and procedures — of Petya’s operators, they say, cleave to the Kremlin’s playbook.
The apparently indiscriminate impact of the attack — it hit organisations in more than 60 countries, from the Danish shipping giant Maersk to the US pharmaceuticals group Merck — has set alarm bells ringing for security agencies in Europe and the US.
It signals a new and dangerous escalation of the global cyber arms race, many fear. It highlights the extent to which hostile states are prepared to push boundaries, regardless of collateral damage, thanks to their increasing ability to obfuscate and divert attention using old-fashioned spy tradecraft, technical sophistication and the criminal and hacking communities of the dark web for cover.
“This was a murderer masquerading as a kidnapper,” John Watters, the head of global cyber intelligence operations for FireEye, one of the world’s largest cyber security firms, told the Financial Times on Friday. “I would put [it that] we are reasonably confident towards it being Russia.”
Mr Watters said FireEye based its assessment on various pieces of evidence, including technical data on the infrastructure and control networks used to launch the Petya attack, the targets, the sophistication of the coding in the malware used and the method of initial infection.
“Attribution is always on a continuum, never ending up with a ‘this is’,” Mr Watters stressed. “The best you can get is high confidence.” But, he said, “There are a lot of things that point to Russia.”
Western intelligence agencies are edging towards a similar conclusion. On Thursday evening, the UK’s National Cyber Security Centre, an arm of GCHQ, the digital surveillance agency, said it believed the intention of the attack was disruption not criminal gain.
“We’re looking at a nation state,” one senior Whitehall intelligence official said, speaking on condition of anonymity. Russia, he added, was the current prime suspect — though the full picture was far from clear.
Right from the start there were signs that the Petya attack was more than just a criminal exercise to extract ransom money.
Unlike other ransomware, Petya does not simply encrypt a hard drive, but overwrites an infected machine’s master boot record — a step that is hard to reverse, suggesting its operators never intended to restore the affected machines.
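One defensive check that follows from the behaviour just described: an organisation that records a known-good hash of each machine's master boot record can detect when that sector has been replaced, and can tell whether the boot code or the partition table changed. The following is an added example written for this article, not code from the article or from any vendor it cites; the disk images, boot code bytes and baseline hash are all constructed in memory and do not read a real disk.

```python
"""
Added example: integrity check for a 512-byte master boot record (MBR).
The images below are constructed in memory for illustration only.
"""
import hashlib

SECTOR_SIZE = 512
BOOT_CODE_END = 446          # bytes 0..445 hold boot code
PARTITION_TABLE_END = 510    # bytes 446..509 hold four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR


def build_sample_mbr(boot_code: bytes, partition_table: bytes = bytes(64)) -> bytes:
    """Construct a well-formed MBR from boot code and a 64-byte partition table."""
    if len(boot_code) > BOOT_CODE_END or len(partition_table) != 64:
        raise ValueError("boot code too long or partition table not 64 bytes")
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + partition_table + BOOT_SIGNATURE


def mbr_fingerprint(image: bytes) -> str:
    """SHA-256 of the first sector; this is what a defender stores as the baseline."""
    return hashlib.sha256(image[:SECTOR_SIZE]).hexdigest()


def diff_regions(image: bytes, baseline: bytes) -> list:
    """Name the MBR regions whose bytes differ from the known-good baseline image."""
    regions = {
        "boot_code": (0, BOOT_CODE_END),
        "partition_table": (BOOT_CODE_END, PARTITION_TABLE_END),
        "signature": (PARTITION_TABLE_END, SECTOR_SIZE),
    }
    return [name for name, (lo, hi) in regions.items() if image[lo:hi] != baseline[lo:hi]]


def check_mbr(image: bytes, baseline_hash: str) -> dict:
    """Compare the first sector against the stored baseline hash.

    A replaced boot sector can still carry a valid 0x55AA signature, so the
    signature check alone is not evidence of integrity; the hash comparison is.
    """
    sector = image[:SECTOR_SIZE]
    matches = mbr_fingerprint(sector) == baseline_hash
    has_sig = len(sector) == SECTOR_SIZE and sector[-2:] == BOOT_SIGNATURE
    return {
        "matches_baseline": matches,
        "has_boot_signature": has_sig,
        "suspicious": not matches,
    }


# Constructed sample data (hypothetical, not real bootloader code).
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"   # constructed stub
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
BASELINE_HASH = mbr_fingerprint(CLEAN_MBR)   # what the defender would have recorded earlier

# A boot sector whose boot code was swapped out but whose partition table and
# signature were left intact, so the machine still looks bootable at a glance.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 40)


if __name__ == "__main__":
    for label, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(image, BASELINE_HASH)
        print(label, result, "changed regions:", diff_regions(image, CLEAN_MBR))
```

Run as a script it prints one line per image; the tampered sector is flagged as suspicious while still carrying a valid boot signature, which is why a stored hash, not the signature, has to be the basis of the check. On a real host the sector would come from reading the first 512 bytes of the physical disk with appropriate privileges, and the baseline hash would be stored somewhere the compromised machine cannot rewrite.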
The ransom payment method set up for the attack was flimsy. The hackers took the unorthodox step of demanding victims send notification of ransom payment to a single email address. It was blocked by the email service provider shortly after the attack began.
If the ransom technique looked amateur, the malware itself was anything but. Petya’s creators supercharged it with several US cyberweapons leaked by a Russian-backed group, the Shadow Brokers, earlier this year.
Petya spread by hiding inside a legitimate software update from the Ukrainian accounting software company MeDoc, sent out to clients, thus evading firewalls. Such a method of propagation is unheard of in criminal cyber attacks. It required an ultra-stealthy and carefully plotted compromise of MeDoc. Hacking groups linked to Russia’s intelligence services have shown a penchant for such methodology in the past.
The strongest piece of circumstantial evidence comes from the victims: more than three-quarters of organisations hit were Ukrainian. If Petya spread further afield, it was only because Ukrainian subsidiaries of foreign companies acted as conduits for the infection, cyber analysts believe.
Ukraine, which is locked in a grinding war with Russian-backed proxies and irregular forces in its eastern territories, was the first to point the finger at its neighbour. Russia has denied any responsibility.
If it is Russia, it would mark a dangerous shift in cyber-conflict.
“As important government systems have been targeted, then in case the operation is attributed to a state, this could count as a violation of sovereignty,” said Tomas Minarik, a legal expert at Nato’s cyber defence think-tank, the CCDCOE in Tallinn. “This could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.”
The rapid spread of Petya and the wide collateral damage it caused suggest that its perpetrators, aided by the difficulty of attribution, are undeterred by foreign criticism or the threat of sanctions.
“There is huge scope for matters to spiral very quickly out of control,” says a former European cyber military official, “and that tends to be how wars start.”
“Boundaries are being tested all the time,” says FireEye’s Mr Watters, “and they are going to continue to be tested until there’s blowback.”