
The US and the UK have publicly accused the Russian military of orchestrating attacks using the NotPetya malware:

Foreign Office minister Lord Ahmad of Wimbledon said: "The UK government judges that the Russian government, specifically the Russian military, was responsible for the destructive NotPetya cyber attack."

Russia denies being responsible.

Malware in the past, such as the Melissa and ILOVEYOU viruses, was created by individuals. The blame for Wannacry and Petya/NotPetya is put on countries. Is there a technical reason why Melissa and ILOVEYOU could be developed by individuals, but the development and deployment of Wannacry and Petya/NotPetya requires the resources of a state? I don't think either needs a supercomputer or a lot of bandwidth to be deployed; or does it?

gerrit
  • Generally, a state-level adversary will have access to large contractors who do research for them, like Raytheon SI. You can buy 0days in bulk and use state-of-the-art exploitation techniques. Individuals on the other hand are limited by their connections and their ingenuity. Though that does not necessarily mean that they are not as capable. There are individuals who have compromised entire countries' networks. – forest Feb 16 '18 at 03:27
  • Speaking to the allegations, this is actually [old](https://www.wired.com/story/russian-hackers-attack-ukraine/) [news](https://www.bleepingcomputer.com/news/security/security-firms-find-thin-lines-connecting-notpetya-to-ukraine-power-grid-attacks/). The Ukrainian government isn't the most trustworthy at the moment, but it seems rather odd (to me at least) for a hacker group to act like this if they are not somehow sponsored by a state actor. – Tom K. Feb 16 '18 at 10:21
  • To your question: What exactly do you mean by "technical reasons"? Obviously state actors have more money at their disposal than individuals. Money buys equipment and (most of the time) knowledge. Where is the question here? – Tom K. Feb 16 '18 at 10:25
  • @TomK. Money buys equipment; but it doesn't take a supercomputer or a lot of bandwidth to develop or send malware into the world (I think). – gerrit Feb 16 '18 at 11:13
  • @gerrit: You really have to specify your question or it is impossible to answer. There are still a lot of individuals who develop and distribute malware. There are also nation-state-backed groups of developers who do the same. You should either focus your question on a specific type of malware or on an APT. – Tom K. Feb 16 '18 at 11:16
  • @TomK. I have edited the question. Is it clearer what I mean now? – gerrit Feb 16 '18 at 11:26

1 Answer

The main question you probably need to ask is who has the motivation to do such an attack. While in former times it was often enough to brag about the attacks you did and show what a capable hacker you are, cyber attacks are now predominantly seen as crime. This means that bragging about it might even be dangerous and there must be other motivations. Thus the main motivations today are money in the direct form (i.e. ransomware, spam), getting access to important information (espionage) or causing damage to a competing individual, company or country (for example with DoS attacks).

Given that cyber attacks are seen as crime, the return on investment should be much higher than the risk of getting prosecuted. If you are a lone individual mounting a larger attack, then the risk of being prosecuted is high. If you are instead somehow backed by one state and attack another state, then the risk of being prosecuted is usually much lower since you cause damage to competitors in the interest of "your" state. Such state-backing might take several forms: it might be that the attacker is actually employed or otherwise paid by the state for doing such attacks (i.e. state-sponsored), but it might also be a criminal or group of criminals who is not prosecuted as long as their attacks are only directed at the competing state (state-backed). Or it might be something in between, i.e. criminals getting paid for doing a job for the state.

Many (but not all) of the attacks you see today could actually have been done by motivated individuals or small groups. This includes attacks like NotPetya. But you have to ask what the motivation was. It looks like in the case of NotPetya the main goal was to cause damage and the main target was Ukraine. So, who might have a large interest in spending resources just to cause damage there? And who might therefore either pay somebody to do such attacks or at least protect the attacker against prosecution? Probably not some lone individuals acting only in their own interest.

Apart from this, some attacks actually require state-level resources, or at least resources only a larger company has. These are, for example, access to brilliant cryptographers, the power to influence standards bodies, or the power to make companies weaken the security of their products (like weakening cryptography or adding backdoors) if they still want to sell to the government, etc.

Steffen Ullrich
  • As an extra note, if NotPetya had been about financial gain / actual ransoming of systems, the creators would have used different bitcoin wallets on each install, instead of 1 bitcoin wallet for every attack. For a very sophisticated piece of malware, it may have raked in about $8000 US, which is peanuts. Why would a criminal actor (or a group of them) spend this much effort to create an effective multi-factor attack, put the effort in to create a watering hole attack, and then just vandalize thousands of computers? This seems like more than just a grudge against Ukrainian business. – claidheamh Feb 16 '18 at 16:21
  • Indeed there is plenty of evidence NotPetya was not designed as ransomware. For example they only offered a public e-mail channel to communicate - which they knew would be blocked right away. And once it was blocked, there was no way to get any files back and thus nobody has any reason to pay ransom. – George Y. Feb 16 '18 at 17:03