



Topic: #NotPetya

Weak Arguments for Attribution of Network Attacks


You would think that experienced diplomats would demand extremely reliable evidence for attributing a network attack to agents of a foreign government. But accurate attribution is so difficult, the perceived need to find someone to blame is so profound, and the notional political advantages of blaming some currently unpopular rival state are so compelling that governments are willing to proceed with accusations on incredibly weak and ambiguous evidence.

A case in point: The government of the United Kingdom has joined the United States in blaming the widespread and consequential propagation of the NotPetya ransomware on the agents of the Russian government. Here is the basis for their confident accusation:

1. More computers were affected in Ukraine than in any other country. The Russian government hates the Ukrainian government.

2. One vector for the spread of the malware was an accounting software package widely used in Ukraine. The Russian government hates Ukrainian software developers.

3. The attack “fits a pattern” that also describes other attacks that have been previously attributed to agents of the Russian government (on even flimsier evidence).

4. NotPetya was a variant of an earlier ransomware package called Petya, but it appears to have been reimplemented from scratch instead of being adapted from the Petya codebase. This demonstrates the level of technical sophistication characteristic of a nation-state. Russia is a technically sophisticated nation-state.

5. The ransomware feature of NotPetya didn't work: the “installation key” shown to victims was random data from which no decryption key could be derived, and the single contact e-mail address was shut down by its provider. Paying the ransom would therefore have recovered nothing, and the damage to the targeted systems was irreversible from the outset, which makes NotPetya in effect a wiper dressed up as ransomware. Similarly, the Russian military has often used criminal operations as cover for special ops and not infrequently employs deception as a military tactic.

6. NotPetya spread by way of two SMB exploits (EternalBlue and EternalRomance) originally developed by the National Security Agency and made public by a group (nationality unknown) calling itself the Shadow Brokers. Some people have speculated that the hackers who stole the NSA's exploitation tools were agents of the Russian government.

7. Don't forget: The Russian government hates the Ukrainian government.


“What the UK Knows: Five Things That Link NotPetya to Russia”
Paul Roberts, The Security Ledger, February 15, 2018

(In case you're trying to link my seven-item list to the “five things” mentioned in the article title or to the five slides in the slideshow at the end of the article: the first slide corresponds to items 1, 2, and 3 on my list, the second to my item 4, the third to my item 5, the fourth to my item 6, and the fifth to my item 7.)

#NotPetya #attribution #Russia


This work is licensed under a Creative Commons Attribution-ShareAlike License.


John David Stone

created June 1, 2014 · last revised December 10, 2018