Wannacry (aka Wannacrypt) is a cyberattack worm that encrypts data on a computer and demands a ransom payment to decrypt that data. Infected computers cannot perform their normal functions and cannot retrieve records from their databases. Wannacry spread rapidly through Western Europe and the US during mid-May 2017. Wannacry might well be explained as an effort to raise cash.
A look-alike, but even meaner, cyberattack called “Petya” began spreading in Ukraine, parts of Eastern Europe, some of Russia, and a few US companies that trade in those areas. Strangely, it is targeted away from the usual, lucrative victims: Western Europe, the industrialized Pacific Rim countries and the US mainland. It seemed to be tightly aimed at Ukraine’s government and commercial computers, but it spread to their international trade partners. Not every computer in the target area seems infected. This selectivity has made experts suspicious.
Petya claims to be ransomware, yet it presents an inadequate, almost token pathway for collecting ransoms. Neither the authors of Petya nor skilled hackers can reverse the encryption of the data it attacks. So paying the ransom will not help the victims, and knowledge that the encryption is irreversible will stem the payment of ransoms.
The authors of Petya made choices inconsistent with a genuine interest in the ransom money it might raise. Perhaps their goal was to inflict pain, but why choose that particular geographic area?
Petya’s focus on Ukraine suggests another likely scenario. It could be the next wave of Russia’s intelligence gathering from the Ukrainian government’s databases and communications. Russia has done that before using powerful tools such as Ouroburos. During 2010, Russia used a surveillance suite called Turla against the government systems of several European countries (including Ukraine). Later, during 2014, Russia penetrated Ukraine’s cyber assets in the lead-up to the shadowy war on Ukraine’s eastern border. There, Russian troops, aided by Ukraine’s Russian sympathizers, attacked to seize territory along the Russian border.
Many thoughtful attacks are launched in multiple layers. The obvious top layer will be caught and removed, but the second (sleeper) layer can stay resident until activated to do serious spy work. The presence of seemingly unaffected computers in Petya’s target areas is a nagging feature that hints at a two-stage attack. Perhaps “unaffected” computers in the target area contain just a sleeper attack portion of Petya, not the top layer with its high drama call for ransoms.
In the past, Russia’s cyber tools embedded in Ukraine’s communications network gave Russia real-time knowledge of Ukraine’s intentions, military concentrations, movements and capabilities. With Russia’s previously successful tactics in mind, it appears Petya may support the next sophisticated wave of Russian cyber spying to help it prevail in an upcoming ground offensive in eastern Ukraine.
Some coverage of these cyber-attacks emphasizes that Wannacry and Petya use cyber modules that Shadow Brokers took (or bought) from a “lost” collection of NSA programs. Some might say that NSA’s inadequate protection of those tools makes NSA responsible for Russia’s actions. NSA showed security flaws, but it is not accountable for Russia’s behavior. Russia regularly develops its own cyber-attacks (e.g. Turla, Ouroburos, and meddling in the 2016 Presidential election). Don’t expect a public answer, but the most important question is whether we can track and subvert their cyber-attacks.
Compared with conventional warfare, cyberattacks of the kind we have experienced so far result in few human casualties but large economic costs. If we allow our enemies to cyber-attack our critical infrastructures (dams, levees, airports, telecom, power generation, bridges), we will see massive casualties. The cyber emphasis should be on offense.