It’s been nearly eight months since the malware known as NotPetya tore through the internet, rippling out from Ukraine to paralyze companies and government agencies around the world. On Thursday, the White House finally acknowledged that attack. And in a reversal of its often seemingly willful blindness to the threat of Russian hacking, it has called out the Kremlin as NotPetya’s creator.
“In June 2017, the Russian military launched the most destructive and costly cyberattack in history,” reads the short statement published by the White House Thursday afternoon. NotPetya, the statement continues, “quickly spread worldwide, causing billions of dollars in damage across Europe, Asia, and the Americas. It was part of the Kremlin’s ongoing effort to destabilize Ukraine, and demonstrates ever more clearly Russia’s involvement in the ongoing conflict. This was also a reckless and indiscriminate cyberattack that will be met with international consequences.”
That brief statement, which follows similar statements from the UK and Danish governments earlier today, represents a long-awaited—or perhaps long-overdue—response to a Russian cyberwar that has barraged every level of Ukrainian society and, with NotPetya, spilled out into the rest of the world.
After years of hacker attacks on Ukrainian targets that have destroyed hundreds of computers and terabytes of government data, and twice caused the first-ever hacker-induced blackouts, the NotPetya worm hit Ukraine in late June of last year and quickly spread beyond the country’s borders. Within days, in part thanks to a leaked NSA hacking technique, it had paralyzed multinational giants including Merck, Maersk, FedEx, and many others, permanently encrypting the hard drives of tens of thousands of those victims’ computers. The attack cost those companies hundreds of millions of dollars each in cleanup costs and lost business, according to their disclosures to shareholders.
Though the White House didn’t provide any evidence of the link between NotPetya and Russia, the notion that Russian military hackers were behind it doesn’t come as a surprise to most in the cybersecurity community. Despite NotPetya’s initial disguise as a form of profit-focused ransomware, security companies like the Ukrainian firm ISSP and the Slovakian company ESET linked the malware early on to a group known as Sandworm or Telebots, believed to be the Russian team responsible for spearheading Russia’s cyberwar attacks on Ukraine. In January, the Washington Post reported that the CIA had found Russia’s military intelligence agency, the GRU, responsible for NotPetya.
But a more formal recognition of Russia’s hand in that massively damaging attack nonetheless represents a landmark, says John Hultquist, who led the team at security firm FireEye that first identified Sandworm. “Without ever being formally attributed by governments naming them publicly, they enjoyed a certain amount of protection from any response,” Hultquist says. “It appears the administration has drawn a line in the sand with an actor that’s been extremely aggressive and enjoyed quite a bit of anonymity until now.”
Beyond a mere recognition of NotPetya’s source and scope, the White House’s statement represents a new turn in its relations with the Russian government. President Trump has, after all, stubbornly refused again and again to name the Russian government as the source of the hacker meddling in the 2016 US election, even after US intelligence agencies named the Kremlin as the culprit behind the breaches of the Democratic National Committee and the Clinton Campaign. Just earlier this week, in fact, a panel of intelligence agency directors told Congress that the White House has essentially failed to take any steps to prevent future election interference by Russian hackers.
The attribution of NotPetya to Russia represents a far more proactive response to the threat of Russian hacking, says Thomas Rid, a professor at Johns Hopkins University’s School of Advanced International Studies. “This is far easier for them to talk about. It’s not a partisan issue. It’s a safer attribution call for them to make,” says Rid. “This is the first step in actually drawing a red line so that something like NotPetya isn’t done again.”
Just how the US government will inflict the “international consequences” that the White House’s statement promises remains unclear. The Obama administration responded to various state-sponsored hacker attacks with, in some cases, indictments of hackers involved and sanctions. But the Trump administration has failed to even carry forward the sanctions on Russia that Congress legally imposed to punish the country for its role in meddling with the 2016 US election.
But FireEye’s Hultquist says he’s hopeful that the White House’s statement is nonetheless a step towards real deterrence of the broader cybersecurity threat Russia represents. “There are diplomatic, economic and other military tools that can be brought to bear, but the first step is attributing the activity,” he says.
Hultquist believes Sandworm’s attacks aren’t finished yet. But a recognition of the group at the highest level of the US government is perhaps a start towards reining them in. “This won’t be the last time we see of them,” he says. “But when the blame falls again on Russia, it’s going to be a lot easier for the public to digest and for action to be taken.”