Putin isn’t playing.
Earlier this week, a massive, widespread cyber-attack disrupted critical services around the world:
A major ransomware attack has brought businesses to a close throughout Europe, in an infection reminiscent of last month’s WannaCry attack. The most severe damage is being reported by Ukrainian businesses, with systems compromised at Ukraine’s central bank, state telecom, municipal metro, and Kiev’s Boryspil Airport. Systems were also compromised at Ukraine’s Ukrenergo electricity supplier, although a spokesperson said the power supply was unaffected by the attack.
The virus has also spread internationally. The Danish shipping company Maersk has also reported systems down across multiple sites, including the company’s Russian logistics arm Damco. The virus also reached servers for the Russian oil company Rosneft, although it’s unclear how much damage was incurred. There have also been several recorded cases in the United States, including the pharmaceutical company Merck, a Pittsburgh-area hospital, and the US offices of law firm DLA Piper.
Originally characterized as a ‘ransomware’ effort, cybersecurity experts very quickly began to take a different view:
The haze of yesterday’s massive ransomware attack is clearing, and Ukraine has already emerged as the epicenter of the damage. Kaspersky Labs reports that as many as 60 percent of the systems infected by the Petya ransomware were located within Ukraine, far more than anywhere else…
the infections seem to specifically target Ukraine’s most vital institutions, rather than making a broader attempt to find lucrative ransomware targets. These initial infections are particularly telling because they were directly chosen by whoever set the malware in motion. Computer viruses often spread farther than their creators intended, but once Petya was on the loose, the attackers would have had no control over how far it reached. But the attackers had complete control over where they planted Petya initially, and they chose to plant it by some of the most central institutions in Ukraine…
The broader political context makes Russia a viable suspect...
…the line between common criminals and state agents can be difficult to parse. A recent indictment in the Yahoo hacking case charged Russian officials alongside freelance hackers, and the division of labor was often unclear. Criminals can be enlisted as privateers, or agents can adopt criminal tactics as a way of disguising themselves. If the suspicions around Petya are correct, that line may be growing even thinner, as globe-spanning attacks get lost in the fog of war.
Andy Greenberg at Wired has been exhaustively reporting on Russia’s cyberwarfare campaign, especially its efforts directed against Ukraine, and finds Putin’s fingerprints on Petya/NotPetya Ransomware:
Ukrainian cybersecurity analysts view Ukraine as the primary target, and the Petya outbreak as just another strike in their ongoing cyberwar with organized and relentless hackers that the Ukrainian government has publicly linked to Russian state actors. "I think this was directed at us," says Roman Boyarchuk, the head of the Center for Cyber Protection within Ukraine's State Service for Special Communications and Information Protection. "This is definitely not criminal. It is more likely state-sponsored."
As for whether that state sponsor was Russia, "It’s difficult to imagine anyone else would want to do this," Boyarchuk says…
"According to the obtained intermediate data of our analysis, our analysts concluded that the destructive effects in the infrastructures of the organizations studied were carried out with the help of [ransomware], but also with direct involvement of intruders who already had some time in the infrastructure," writes ISSP forensic analyst Oleksii Yasinsky in an email to WIRED. ISSP declined to provide more details about the evidence of those prolonged intrusions, but argues that the attackers' techniques match the "handwriting" of previous attacks from 2015 and 2016 that Ukrainian president Petro Poroshenko has called acts of "cyberwar," waged by Russia's intelligence and military services. Yasinsky declined to name the exact Petya victims whose networks had shown those fingerprints, but he notes that they include one major Ukrainian bank and a critical infrastructure company.
ISSP says it also found that Petya doesn't act solely as ransomware. Rather than just encrypting infected hard drives and demanding $300 in bitcoin for the decryption key, in some cases it simply wiped machines on the same network, deleting a victim computer's deep-seated master boot record, which tells it how to load its operating system. Other researchers at Comae Technologies and Kaspersky noted Wednesday that the ransomware's encryption appears to be irreversible, even if a victim pays the ransom.
It’s important to remember that when cybercriminals operating in Russia engage in global operations that directly or indirectly benefit Russia, it happens with, and only with, the approval of, if not the explicit direction from, Putin:
At home and abroad, Russia’s gangsters and spooks are often closely connected. Criminals are suspected in assassinations of Chechen rebels in Turkey; Russian cybercriminals have been used to fight the Kremlin’s virtual wars in Georgia and Ukraine and to crack into German and Polish government systems; and cigarette smugglers in the Baltics appear to have been used to raise funds for Russian political influence operations…
Organized crime is certainly often close to the state, and in some areas it has clearly been used to the advantage of Russian elites. A classic example is the harnessing of Russian hackers, who are granted a degree of impunity in return for their willingness from time to time to target the Kremlin’s foes…
Organized crime is neither a simple pawn of the state nor wholly independent, but it often has to work within parameters set by the Kremlin.
In 1994, Russian President Boris Yeltsin warned that his country was becoming “a superpower of crime.” Today, Vladimir Putin appears to be courting that very same status, but in a profoundly different way, regarding Russian-based organized crime abroad not as a threat or an embarrassment but a potential opportunity.
The use of such a widespread ransomware attack by associates of Putin can be seen as a smokescreen, covering for the crippling assault on Ukraine’s infrastructure and economy, but also as a warning to the West: we can do this anytime, anywhere, and shut down whatever we want.
And on cue, our president has made a startling request of his security and diplomatic staff for an upcoming state visit with Russia:
Donald Trump has told White House aides to come up with possible concessions to offer as bargaining chips in his planned meeting next week with Vladimir Putin, according to two former officials familiar with the preparations…
“They have been asked for deliverables, but there is resistance to offering anything up without anything back in return,” said one former official familiar with the debate inside the White House.
Putin getting something for nothing out of Trump?
He’s been getting that, and much more, as his return on his investment in Trump’s presidency.
Putin isn’t playing.