

The curious case of the #Petya Virus




On June 27 the world was hit by the Petya computer virus, which blocked computers and asked the owners to pay $300 to recover access to their data. One of the countries affected more than any other was Ukraine, where the virus was launched and where it proved to be destructive, with national institutions and crucial infrastructure like the central bank, the airport and the metro system infected – writes Chris Rennard.

The virus initially looked like ransomware that demanded payments in the electronic currency “Bitcoin” in order to decrypt infected systems. But quickly, researchers and analysts came to suspect that this was more than just a ransomware attack, because whoever was behind it didn't actually make much money, and moreover it seemed to be deliberately targeting state institutions which were unlikely to be lucrative targets for such criminal demands. The real purpose of the whole operation was clearly different.

I have taken an interest in this following an apparent cyber attack on the UK Parliament’s email system last month. I took the precaution of telling my Twitter followers to contact me by text instead of email. It was a tweet that prompted dozens of newspaper headlines.

The Petya virus struck just a few days later. In that instance, experts initially speculated that this was a prototype state-sponsored cyber attack on Ukraine using malware as one of the weapons employed in the Russian Government’s arsenal of hybrid warfare tactics. But the major victim of the hacking attack was Rosneft in Russia, which is led by Igor Sechin, known to be close to the Russian security services. It seems unlikely that an attack on Ukraine would choose to also attack a prized Kremlin-related company like Rosneft.

New allegations in the Russian press, apparently based on leaked information, have now surfaced that the virus may in fact have been introduced as a massive deliberate attack on the Rosneft and Bashneft computer systems, and designed to destroy essential evidence of critical importance to ongoing court proceedings against the Russian conglomerate Sistema, owned by the Russian tycoon Vladimir Yevtushenkov. In the event, Rosneft was able to switch to a backup server and managed to avoid any serious consequences. But the finger of blame for the launch of the Petya malware is now being pointed at Sistema and Yevtushenkov.

Under this theory the collateral damage suffered by Ukraine and other countries was no accident; it was designed to be part of an intentional cover-up, to disguise the real purpose. By launching the attack in Ukraine first, the sponsor of the attack also ensured that there was little chance of the findings of any investigation by Ukrainian officials being shared with Russian investigators, as Ukraine has a deep suspicion and mistrust of the Russian authorities.


A Russian journalist who has investigated the attack believes there is “no other possible explanation.” He uses a pseudonym for fear of reprisal. "I believe this attack was specifically targeted at Rosneft," he says.

In support of his contention, the journalist cites the fact that the cyber-attack started on the day the Arbitration Court of Bashkiria held its first hearing on Rosneft's suit against Sistema. This was no coincidence.

On June 23, Sistema assets worth $3 billion were frozen by the court as a security measure. This included shares in the Sistema operating companies Medsi clinics, the Bashkir Electric Grid Company and mobile telephone operator MTS, equivalent to almost half of Yevtushenkov’s capital.

As any amateur student of Sherlock Holmes knows, to determine the motive for a crime, the first step is to establish who would stand to benefit financially.

The sum of money at stake in the litigation between Rosneft and Sistema is $2.8 billion for the alleged fraudulent siphoning of funds by Sistema from Bashneft when Sistema owned it. The damages claimed by Rosneft would bankrupt Sistema if they were to lose the suit. Dire straits call for desperate measures, and what could be a better way for Sistema to seize advantage in the court case than destroying the plaintiff’s evidence?

A further argument that the journalist cites in support of his theory is that Sistema is the largest telecommunications holding company in Russia, employing the country’s top IT professionals. They know how to deal with viruses and hacking, and consequently how to organise them. Who else from the former Soviet Union could mastermind such a powerful hacking attack?

A final missing piece in the jigsaw puzzle is that, according to the conclusions of computer analysts, one of the first sources of the hacking attack was a Ukrainian accounting programme called MeDoc, which sent out a suspicious software update. MeDoc is the name of software developed by the company Intellekt-servis. One of the biggest customers of Intellekt-servis in the region is Vodafone, whose Ukrainian operating company is owned by the Russian MTS Group, one of the key assets of Sistema, Vladimir Yevtushenkov’s company.

We may never be able to conclusively attribute the responsibility for the hacking attacks, understand what their real motive was, and hold those responsible to account. But clearly, the most important concern has to be European and international cybersecurity.

The author - Lord Rennard - is former Chief Executive of the British Liberal Democrats.







EU Reporter publishes articles from a variety of outside sources which express a wide range of viewpoints. The positions taken in these articles are not necessarily those of EU Reporter.