Cyber-security experts and representatives of Western intelligence agencies have concluded that the cyber attack using the Petya virus, which paralysed the work of dozens of companies around the world, was the work of criminal groups and hostile states.
According to many of them, the circumstantial evidence collected over the past week, the volume of which keeps growing, points to one state in particular: Russia.
Cybercrime investigators say that the tactics, techniques and procedures (what they call "TTPs") used by those who launched the Petya virus fit the Kremlin's playbook.
That the attack was apparently indiscriminate (the virus hit companies and organisations in more than 60 countries, from the Danish shipping company Maersk to the US pharmaceutical group Merck) is causing concern for the security of Europe and the United States.
Many are concerned that this attack signals a new and dangerous escalation of the global cyber arms race. It shows how a hostile state, exploiting its expanded capabilities, is ready to cross boundaries regardless of the side effects. It also shows a growing ability to mislead and divert attention using traditional espionage methods and the latest technology, as well as by using, as cover, the services of the criminal world and the hacker communities of the "dark web".
"It was a killer disguised as a ransom-seeking kidnapper," John Watters, head of international cyber-intelligence at FireEye, one of the largest cybersecurity companies in the world, told The Financial Times in an interview on Friday. "I would say that we are fairly confident it is Russia."
According to Watters, FireEye bases its assessment on several kinds of evidence. Among them are the technical characteristics of the infrastructure and networks used to launch the Petya virus, the targets of the attack, the sophistication of the code used by the malware, and the methods of initial infection.
"Attributing a cyber attack is a continuous process, and in the end you can never say definitively who it was. The most that can be achieved is a high degree of confidence," says Watters. "But there are many facts pointing to Russia."
Western intelligence agencies are inclined to the same conclusion. On Thursday evening a representative of the UK's National Cyber Security Centre, a division of GCHQ, said that in the opinion of its experts the purpose of the attack was not to obtain money through extortion but to disrupt operations.
"We're trying to figure out which state," said a senior British intelligence officer who agreed to speak on condition of anonymity. Russia, he added, is currently the prime suspect, although the full picture is still far from clear.
Signs that the Petya attack was not just a criminal attempt to extort money were visible from the beginning.
Unlike other ransomware viruses, Petya does not merely encrypt the hard drive; it also overwrites the boot record of the infected device. The destroyed data is extremely difficult to recover, and judging by the hackers' actions, they never intended to recover it.
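The boot-record damage described above is exactly what a forensic triage check looks for on a suspect disk. The following is an added example, not part of the original article and not derived from the actual Petya code: it assumes you have already imaged the first 512-byte sector of the disk (for instance with `dd if=/dev/sda bs=512 count=1`) and recorded a SHA-256 of the bootstrap code from a known-good machine of the same build. The sample sectors in the block are constructed for illustration, not real disk data.

```python
"""Forensic triage of a disk's first sector (the MBR).

Added example: compares an imaged 512-byte MBR against a known-good
baseline and reports the kinds of tampering a boot-record wiper leaves.
The sample MBR images below are constructed for illustration; none of the
bytes come from Petya or any other real malware.
"""
import hashlib

MBR_SIZE = 512
BOOTSTRAP_LEN = 446            # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into its MBR fields."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    entries = [sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
               for i in range(4)]
    return {
        "bootstrap": sector[:BOOTSTRAP_LEN],
        "partitions": entries,
        "signature": sector[510:512],
    }


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; record this from a known-good host."""
    return hashlib.sha256(parse_mbr(sector)["bootstrap"]).hexdigest()


def mbr_findings(sector: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of anomalies; an empty list means the MBR matches the baseline."""
    fields = parse_mbr(sector)
    findings = []
    if fields["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing: sector unbootable or wiped")
    if hashlib.sha256(fields["bootstrap"]).hexdigest() != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline: possible bootkit or wiper")
    if all(entry == b"\x00" * 16 for entry in fields["partitions"]):
        findings.append("partition table empty: no partitions defined")
    return findings


# --- constructed sample sectors (not real disk data) -----------------------
# A plausible known-good MBR: deterministic filler standing in for bootstrap
# code, one NTFS-style partition entry (boot flag set, type 0x07), three
# empty entries and the boot signature.
_GOOD_BOOTSTRAP = bytes((i * 37 + 11) & 0xFF for i in range(BOOTSTRAP_LEN))
_GOOD_PARTITION = (b"\x80" + b"\x20\x21\x00" + b"\x07" + b"\xfe\xff\xff"
                   + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
GOOD_MBR = _GOOD_BOOTSTRAP + _GOOD_PARTITION + b"\x00" * 48 + BOOT_SIGNATURE
assert len(GOOD_MBR) == MBR_SIZE

# Bootstrap replaced by foreign code while the partition table and signature
# are kept: the machine still boots, just not into its operating system.
TAMPERED_MBR = bytes(0x90 for _ in range(BOOTSTRAP_LEN)) + GOOD_MBR[BOOTSTRAP_LEN:]

# Whole sector zeroed: nothing left to boot from.
WIPED_MBR = b"\x00" * MBR_SIZE

BASELINE = bootstrap_hash(GOOD_MBR)

if __name__ == "__main__":
    for name, image in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("wiped", WIPED_MBR)):
        print(name, mbr_findings(image, BASELINE) or ["matches baseline"])
```

Two caveats a responder should keep in mind. First, the check only covers the first sector: malware that leaves the MBR intact but encrypts the filesystem's own structures (the article says Petya also encrypts the drive) will pass it, so it is a triage signal, not proof of a clean disk. Second, the baseline hash must come from an identical build; different Windows versions and boot managers ship different bootstrap code, and a mismatched baseline will flag every healthy machine.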
The payment method the hackers chose for the ransom was unreliable. Stranger still, they asked victims to send confirmation of the ransom payment to a single email address, which the email provider blocked shortly after the attack began.
If the extortion method seemed amateurish, the malware itself was not built by amateurs. The creators of the Petya virus generously equipped it with exploits stolen from the US, which were published online earlier this year by the Shadow Brokers hacker group, believed to be linked to Russia.
The virus spread by hiding inside legitimate update files of the Ukrainian accounting software MeDoc, which were delivered to customers and thereby bypassed firewalls. This method of spreading malware had not previously been seen in criminal hacking attacks. Compromising the MeDoc update mechanism required careful planning and the utmost care to avoid detection. The same method has been used by a hacking group associated with the Russian intelligence services.
The most convincing circumstantial evidence is who fell victim to the virus. More than three quarters of the organisations affected by Petya are Ukrainian. And where Petya did spread abroad, according to cybersecurity experts, it was because the infection channels were the Ukrainian subsidiaries of foreign companies.
Ukraine, which is in dire straits, fighting pro-Russian separatists and irregular troops in its eastern territories, was the first to accuse its neighbour of the attack. Russia denies any involvement.
If it is Russia, this indicates a dangerous shift in cyber warfare.
"Since important state systems were attacked, if the country responsible can be determined, its perpetrators could be considered to have violated sovereignty," said Tomas Minarik, legal counsel at the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE) in Tallinn. "This could be regarded as an internationally wrongful act and, consequently, the states affected by the virus attack could choose from several response options."
The speed with which Petya spread and the extent of the damage suggest that those who built it (given how hard it is to identify the perpetrator of a hacking attack) fear neither criticism from other countries nor the possibility of sanctions.
"There is a strong likelihood that the situation very quickly gets out of control," says a former military cyber-intelligence officer from a European country. "That is usually how wars begin."
"The boundaries are being tested constantly," says John Watters of FireEye, "and this testing will continue until someone pushes back."