A "state actor" was behind the cyberattack that hit over 12,000 devices in around 65 countries on Tuesday hitting major industries from advertising to oil, according to a NATO-affiliated think-tank .
The "Petya" ransomware attack encrypted files on a computer and demanded $300 worth of the cryptocurrency bitcoin in order to unlock them. Kaspersky Lab estimates at least 2,000 targets were affected, mostly in Russia and the Ukraine, but attacks were registered in several other countries, including Germany, the U.K. and China.
Researching the attack, a NATO-affiliated research institution says it was likely launched by a state actor, or by a non-state actor with support and approval from a state, as the operation was very complex and expensive.
"The operation was not too complex, but still complex and expensive enough to have been prepared and executed by unaffiliated hackers for the sake of practice. Cyber criminals are not behind this either, as the method for collecting the ransom was so poorly designed that the ransom would probably not even cover the cost of the operation," NATO's Cooperative Cyber Defense Centre of Excellence (CCDCOE), said in a press release on Friday.
The implications of this mean that the cyberattack could be interpreted as an act of war, according to the organization. On Wednesday, NATO secretary general Jens Stoltenberg said a cyber attack could trigger Article 5, the principal of collective defense.
"As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures," Tomáš Minárik, researcher at NATO's CCDCOE law branch, in the press release.
The investigators added that the cyberattack was a "declaration of power" and a demonstration of the culprit's ability to cause disruption.
More than 30 percent of affected firms were financials, according to analysis by Kaspersky Lab, while at least half of those targeted were industrial organizations, such as utilities, oil and gas, transportation, logistics, manufacturing and other companies.
"The nature of this malware is such that it could easily stop the operation of a production facility for a considerable amount of time", said Kirill Kruglov, security expert at Kaspersky Lab, in a press release published Thursday.
Initially it seemed the attack was caused by cybercriminals looking to extract ransoms from victims, but NATO's analysis appears to put this theory aside. In terms of the bitcoin ransom demanded, it appears the attackers haven't made much. Only a total of 3.99 bitcoins has been paid in ransom so far, worth a total of $10,284 at today's bitcoin price.
Even if someone paid the ransom, the associated email address has been shut down by the web provider. This means victims cannot get their files back, and any encrypted files are effectively lost.
"The underlying motive appears to be aimed at wreaking the maximum amount of disruption in Ukrainian infrastructure, while merely operating under the guise of ransomware," said Tyler Moffitt, a senior threat research analyst with cybersecurity firm Webroot, in a blog post on Thursday.
"This suspicion is supported by the absence of a payment portal or functional email address to deliver the ransom payment."
Other experts have echoed this. Cisco's security research organisation Talos said the intent of the actor behind the cyberattack was destructive, not economically motivated, in a blog post updated on Thursday.
Gavin O'Gorman, investigator in Symantec Security Response, shared two theories for the motive behind the attack.
The first is that it was caused by a technologically capable but not otherwise smart criminal, as they only used one bitcoin wallet and gave just one email account to contact, which will make it difficult to receive and make use of any ransom.
The other theory is that it was intended to cause as much disruption as possible.
"Perhaps this attack was never intended to make money, rather to simply disrupt a large number of Ukrainian organizations. Launching an attack that would wipe victim hard drives would achieve the same effect, however, that would be an overtly aggressive action," O'Gorman said in a blog post published Wednesday.
"Effectively wiping hard drives through the pretense of ransomware confuses the issue, leaving victims and investigators to ask: 'Are the attackers politically motivated, or criminally motivated?'"
O'Gorman added that he believed the attacks were politically motivated.
Correction: this article was updated to clarify Gavin O'Gorman's statement and the nature of NATO CCDCOE .