NATO cyber center, DHS probe Petya attack
- By Sean D. Carberry, Mark Rockwell
- Jul 05, 2017
The NATO Cooperative Cyber Defense Center of Excellence (CCD COE) believes a nation state is likely behind the Petya/NotPetya malware attack and is contemplating response options as a former Pentagon official takes over the alliance's tech and cyber office.
The Department of Homeland Security is also issuing warnings to infrastructure providers and operators of industrial control systems that their operations are at risk due to the dissemination of Petya and its variants.
The CCD COE, which is funded by NATO nations but is not part of NATO’s military command or force structure, released a statement on June 30, saying that accurate attribution is difficult to come by, but that cyber criminals were not behind the Petya attack.
"NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state," stated the center, which is based in Tallinn, Estonia. "Other options are unlikely."
The center said that while a cyber operation with effects comparable to an armed attack could trigger a collective defence response under Article 5 of the North Atlantic Treaty, there is so far, despite the significant impact of the NotPetya attack, no evidence of damage akin to a kinetic strike.
"As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty," said Tomáš Minárik, a researcher at the center's Law Branch, in the statement. "Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures."
The statement argues that NotPetya was more targeted than the WannaCry attack. Both pieces of malware exploited the same SMB vulnerability using EternalBlue, the exploit allegedly stolen from the National Security Agency and leaked in April 2017, but NotPetya used it to spread laterally inside networks it had already entered by other means rather than as its primary entry point.
The center said that NotPetya was carried out by a different entity than the WannaCry ransomware attack, and that NotPetya's ransomware aspect was a cover for a more targeted operation, such as "causing economic losses, sowing chaos, or perhaps testing attack capabilities or showing own power."
"Malware analysis supports the theory that [the] main purpose of the malware was to be destructive because [the] key used for encrypting the hard disk was discarded," the NATO CCD COE stated.
DHS probes Petya/NotPetya
In the wake of the Petya attacks that plagued banks, the Industrial Control Systems Cyber Emergency Response Team warned U.S. infrastructure providers the attack could presage something more ominous.
ICS-CERT's Petya alert, posted on June 30 and updated July 3, warned that the malware had a variant that could be aimed at damaging networks and might not be seeking money. Petya, said the alert, has been known by ICS-CERT as a possible attack vector since 2016.
The new "Nyetya" variant, according to a Cisco Talos Intelligence blog post linked from the ICS-CERT alert, was written by someone looking only to wipe data from disks and not restore it, even if the ransom is paid.
"Talos believes that the actors behind Nyetya did not [intend] for the boot sector or the ten sectors that are wiped to be restorable," said the blog. "Thus, Nyetya is intended to be destructive rather than as a tool for financial gain."
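The two statements above (the CCD COE's point that the disk-encryption key was discarded, and Talos's point that the wiped sectors were never meant to be restorable) describe the same failure mode: encryption that is cryptographically sound but whose key nobody, including the operator, can produce. The following Python example is added here to illustrate that distinction; it is not code from the NATO centre, ICS-CERT, Talos or the malware itself. The cipher is a toy SHA-256 counter-mode keystream standing in for a real disk cipher, the "operator secret" stands in for the attacker's public key used to wrap per-victim keys, and the 11-sector sample disk is constructed for the demonstration.

```python
"""Ransomware versus wiper: the only difference is what happens to the key.

Added illustration (not the page's or any vendor's code). Toy cipher and a
pre-shared operator secret stand in for a real disk cipher and the attacker's
public key; do not reuse this cipher for anything real.
"""
import hashlib
import os
from typing import Dict, Optional, Tuple

SECTOR = 512

# Constructed sample "disk": a boot sector followed by ten data sectors.
SAMPLE_DISK = b"MBR-BOOT".ljust(SECTOR, b"\x00") + b"".join(
    f"sector{i}".encode().ljust(SECTOR, b"\x00") for i in range(1, 11)
)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: SHA-256(key || nonce || counter), concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Symmetric: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def ransomware_encrypt(disk: bytes, operator_secret: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Financially motivated ransomware keeps the victim's key recoverable.

    The per-victim key is wrapped under the operator's secret and the wrapped
    blob is placed in the ransom note, so payment can be exchanged for the key.
    """
    key, nonce, wrap_nonce = os.urandom(32), os.urandom(16), os.urandom(16)
    ciphertext = xor_crypt(key, nonce, disk)
    note = {
        "nonce": nonce,
        "wrap_nonce": wrap_nonce,
        "wrapped_key": xor_crypt(operator_secret, wrap_nonce, key),
    }
    return ciphertext, note


def wiper_encrypt(disk: bytes) -> Tuple[bytes, Dict[str, bytes]]:
    """Same cipher, but the key is generated, used once and discarded.

    The note still shows an "installation ID", yet it is random bytes with no
    relation to the key, so nothing in it lets anyone recover the data.
    """
    key, nonce = os.urandom(32), os.urandom(16)
    ciphertext = xor_crypt(key, nonce, disk)
    del key  # the only copy is gone; the cipher being unbroken no longer matters
    note = {"installation_id": os.urandom(16)}
    return ciphertext, note


def operator_recover(ciphertext: bytes, note: Dict[str, bytes], operator_secret: bytes) -> Optional[bytes]:
    """What paying the ransom can achieve at best: unwrap the key if the note carries one."""
    if "wrapped_key" not in note:
        return None  # no key material to unwrap; payment buys nothing
    key = xor_crypt(operator_secret, note["wrap_nonce"], note["wrapped_key"])
    return xor_crypt(key, note["nonce"], ciphertext)


def demo() -> Tuple[bool, bool]:
    """Returns (ransomware_recoverable, wiper_recoverable)."""
    secret = os.urandom(32)
    ct1, note1 = ransomware_encrypt(SAMPLE_DISK, secret)
    ct2, note2 = wiper_encrypt(SAMPLE_DISK)
    # Both outputs are equally unreadable before recovery is attempted.
    assert ct1 != SAMPLE_DISK and ct2 != SAMPLE_DISK
    return (
        operator_recover(ct1, note1, secret) == SAMPLE_DISK,
        operator_recover(ct2, note2, secret) == SAMPLE_DISK,
    )


if __name__ == "__main__":
    print(demo())
```

The triage question this models is the one an analyst asks of any "ransomware" sample: does the identifier shown to the victim encode, or allow the operator to derive, the key that actually encrypted the disk? If it does not, the sample is a wiper regardless of what the ransom note says.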
Nyetya, ICS-CERT said, is a new variant in the Petya family whose initial infection vector was a supply chain attack on the update mechanism of M.E.Doc, a Ukrainian tax preparation software package.
Ukrainian police seized additional M.E.Doc servers after detecting new suspicious activity as the firm was preparing to release another update. Given the number of cyber attacks against Ukraine that have been attributed to Russia in recent years, officials in Ukraine are accusing Russia of launching this latest attack.
New cyber chief for NATO
The ongoing investigations into Petya come as Kevin Scheid is taking the reins at NATO's Communications and Information Agency -- which is similar in nature and responsibility to the Pentagon's Defense Information Systems Agency.
Scheid's lengthy resume includes stints at OMB and the CIA, and as DOD's deputy comptroller and acting deputy chief management officer. From 2009 to 2013 he served as deputy general manager and director of acquisition of the NCI Agency.
Scheid said in an interview with NATO public affairs that his first steps will be a series of deep dives into "areas of finance and the customer-funded regime, personnel management and the contract issues and how that is progressing, in acquisition, as well as the management of the organization."
Scheid served as deputy comptroller at the Pentagon while the U.S. was spending some $700 billion a year on the wars in Iraq and Afghanistan, and he will now be looking to squeeze the most he can out of the NCI Agency's one-billion-euro budget.
NATO is planning to spend three billion euros on network modernization, mobility, authentication, cloud and weapon-systems software programs and upgrades in the next two years.
"The NATO Nations are careful with the money they invest in these projects, so every Euro is important," he said. "I think it's one of the big challenges in this job."
Note: This article was corrected on July 5 to make clear that the NATO Cooperative Cyber Defense Center of Excellence is not part of NATO proper.
Sean Carberry is a former FCW staff writer who focused on defense, cybersecurity and intelligence.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.