NATO cyber center, DHS probe Petya attack

sphere of binary data 

The NATO Cooperative Cyber Defense Center of Excellence (CCD COE) believes a nation state is likely behind the Petya/NotPetya malware attack and is contemplating response options as a former Pentagon official takes over the alliance's tech and cyber office.

The Department of Homeland Security is also issuing warnings to infrastructure providers and operators of industrial control systems that their operations are at risk due to the dissemination of Petya and its variants.

The CCD COE, which is funded by NATO nations but is not part of NATO’s military command or force structure, released a statement on June 30, saying that accurate attribution is difficult to come by, but that cyber criminals were not behind the Petya attack.

"NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state," stated the center, which is based in Tallinn, Estonia. "Other options are unlikely."

The center said that while a cyber operation with effects similar to an armed attack could trigger an Article 5 military response, so far -- despite the significant impact of the NotPetya attack -- there is no evidence of damage akin to a kinetic strike.

"As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty," said Tomáš Minárik, a researcher at the center's Law Branch, in the statement. "Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures." 

The statement argues that NotPetya was more targeted than the WannaCry attack that used the same primary vulnerability -- EternalBlue, which was allegedly stolen from the National Security Agency and leaked in April 2017.

The center said that NotPetya was carried out by a different entity than the WannaCry ransomware attack, and that Petya's ransomware aspect was a cover for a more targeted operation, such as "causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power."

"Malware analysis supports the theory that main purpose of the malware was to be destructive because key used for encrypting the hard disk was discarded," the NATO CCD COE stated.

DHS probes Petya/NotPetya

In the wake of the Petya attacks that plagued banks, the Industrial Control Systems Cyber Emergency Response Team warned U.S. infrastructure providers the attack could presage something more ominous.

ICS-CERT's Petya alert, posted on June 30 and updated July 3, warned that the malware had a variant that could be aimed at damaging networks and might not be seeking money. Petya, said the alert, has been known by ICS-CERT as a possible attack vector since 2016.

The new "Nyetya" variant, said a crosslink on CERT's page by Cisco's Talos Intelligence blog, was written by someone looking only to wipe data from disks and not restore it, even if ransom is paid.

"Talos believes that the actors behind Nyetya did not [intend] for the boot sector or the ten sectors that are wiped to be restorable," said the blog. "Thus, Nyetya is intended to be destructive rather than as a tool for financial gain."

Nyetya, said the ICS-CERT, is a new addition to the Petya malware, which keyed on a supply chain attack on a Ukrainian tax preparation software MEDoc.

Ukrainian police seized additional M.E. Doc servers after detecting new suspicious activity as the firm was preparing to release another update. Given the number of cyber attacks against Ukraine that have been attributed to Russia in recent years, officials in Ukraine are accusing Russia of launching this latest attack.

New cyber chief for NATO

The ongoing investigations into Petya come as Kevin Scheid is taking the reins at NATO's Communications and Information Agency -- which is similar in nature and responsibility to the Pentagon's Defense Information Systems Agency.

Scheid's lengthy resume includes stints at OMB and the CIA, and as DOD's deputy comptroller and acting deputy chief management officer. From 2009-2013 he served as NATO's deputy general manager and director of acquisition of NATO NCI.

Scheid said in an interview with NATO public affairs that his first steps will be a series of deep dives into "areas of finance and the customer-funded regime, personnel management and the contract issues and how that is progressing, in acquisition, as well as the management of the organization."

Scheid served as deputy comptroller at the Pentagon while the U.S. was spending some $700 billion a year on the wars in Iraq and Afghanistan, and he will now be looking to squeeze the most he can out of NCI's one-billion Euro budget.

NATO is planning to spend three billion Euros on network modernization, mobility, authentication, cloud and weapon-systems software programs and upgrades in the next two years.

"The NATO Nations are careful with the money they invest in these projects, so every Euro is important," he said. "I think it's one of the big challenges in this job."

Note:  This article was corrected on July 5 to make clear that the NATO Cooperative Cyber Defense Center of Excellence is not part of NATO proper. 

About the Authors

Sean Carberry is an FCW staff writer covering defense, cybersecurity and intelligence. Prior to joining FCW, he was Kabul Correspondent for NPR, and also served as an international producer for NPR covering the war in Libya and the Arab Spring. He has reported from more than two-dozen countries including Iraq, Yemen, DRC, and South Sudan. In addition to numerous public radio programs, he has reported for Reuters, PBS NewsHour, The Diplomat, and The Atlantic.

Carberry earned a Master of Public Administration from the Harvard Kennedy School, and has a B.A. in Urban Studies from Lehigh University.

Mark Rockwell is a staff writer at FCW.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at or follow him on Twitter at @MRockwell4.

Rising Stars

Meet 21 early-career leaders who are doing great things in federal IT.


  • SEC Chairman Jay Clayton

    SEC owns up to 2016 breach

    A key database of financial information was breached in 2016, possibly in support of insider trading, said the Securities and Exchange Commission.

  • Image from

    DOD looks to get aggressive about cloud adoption

    Defense leaders and Congress are looking to encourage more aggressive cloud policies and prod reluctant agencies to embrace experimentation and risk-taking.

  • Shutterstock / Pictofigo

    The next big thing in IT procurement

    Steve Kelman talks to the agencies that have embraced tech demos in their acquisition efforts -- and urges others in government to give it a try.

  • broken lock

    DHS bans Kaspersky from federal systems

    The Department of Homeland Security banned the Russian cybersecurity company Kaspersky Lab’s products from federal agencies in a new binding operational directive.

  • man planning layoffs

    USDA looks to cut CIOs as part of reorg

    The Department of Agriculture is looking to cut down on the number of agency CIOs in the name of efficiency and better communication across mission areas.

  • What's next for agency cyber efforts?

    Ninety days after the Trump administration's executive order, FCW sat down with agency cyber leaders to discuss what’s changing.

Reader comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above

More from 1105 Public Sector Media Group