NATO, DHS probe Petya attack
NATO believes a nation state is likely behind the Petya/NotPetya malware attack and is contemplating response options as a former Pentagon official takes over the alliance's tech and cyber office.
The Department of Homeland Security is also issuing warnings to infrastructure providers and operators of industrial control systems that their operations are at risk due to the dissemination of Petya and its variants.
NATO's Cooperative Cyber Defense Center of Excellence released a statement on June 30, saying that accurate attribution is difficult to come by, but that cyber criminals were not behind the Petya attack.
"NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state," stated the Center, which is based in Tallinn, Estonia. "Other options are unlikely."
The Center said that while a cyber operation with effects similar to an armed attack could trigger an Article 5 military response, so far -- despite the significant impact of the NotPetya attack -- there is no evidence of damage akin to a kinetic strike.
"As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty," said Tomáš Minárik, a researcher at the Center's Law Branch, in the statement. "Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures."
The NATO statement argues that NotPetya was more targeted than the WannaCry attack that used the same primary vulnerability -- EternalBlue, which was allegedly stolen from the National Security Agency and leaked in April 2017.
NATO said that NotPetya was carried out by a different entity than the WannaCry ransomware attack, and that Petya's ransomware aspect was a cover for a more targeted operation, such as "causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power."
"Malware analysis supports the theory that main purpose of the malware was to be destructive because key used for encrypting the hard disk was discarded," said NATO.
DHS probes Petya/NotPetya
In the wake of the Petya attacks that plagued banks, the Industrial Control Systems Cyber Emergency Response Team warned U.S. infrastructure providers the attack could presage something more ominous.
ICS-CERT's Petya alert, posted on June 30 and updated July 3, warned that the malware had a variant that could be aimed at damaging networks and might not be seeking money. Petya, said the alert, has been known by ICS-CERT as a possible attack vector since 2016.
The new "Nyetya" variant, according to a Cisco Talos Intelligence blog post linked from CERT's page, was written by someone looking only to wipe data from disks and not restore it, even if ransom is paid.
"Talos believes that the actors behind Nyetya did not [intend] for the boot sector or the ten sectors that are wiped to be restorable," said the blog. "Thus, Nyetya is intended to be destructive rather than as a tool for financial gain."
Nyetya, said ICS-CERT, is a new addition to the Petya malware, which keyed on a supply chain attack on the Ukrainian tax preparation software MEDoc.
Ukrainian police seized additional M.E. Doc servers after detecting new suspicious activity as the firm was preparing to release another update. Given the number of cyber attacks against Ukraine that have been attributed to Russia in recent years, officials in Ukraine are accusing Russia of launching this latest attack.
New cyber chief for NATO
The ongoing investigation into Petya comes as Kevin Scheid is taking the reins at NATO's Communications and Information Agency -- which is similar in nature and responsibility to the Pentagon's Defense Information Systems Agency.
Scheid's lengthy resume includes stints at OMB and the CIA, and as DOD's deputy comptroller and acting deputy chief management officer. From 2009-2013 he served as NATO's deputy general manager and director of acquisition of NATO NCI.
Scheid said in an interview with NATO public affairs that his first steps will be a series of deep dives into "areas of finance and the customer-funded regime, personnel management and the contract issues and how that is progressing, in acquisition, as well as the management of the organization."
Scheid served as deputy comptroller at the Pentagon while the U.S. was spending some $700 billion a year on the wars in Iraq and Afghanistan, and he will now be looking to squeeze the most he can out of NCI's one-billion Euro budget.
NATO is planning to spend three billion Euros on network modernization, mobility, authentication, cloud and weapon-systems software programs and upgrades in the next two years.
"The NATO Nations are careful with the money they invest in these projects, so every Euro is important," he said. "I think it's one of the big challenges in this job."
Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence.
Mark Rockwell is a staff writer at FCW.