Ukraine has blamed Russian security services for a massive cyberattack that started in the last week in Ukraine and eventually spread to computers across the world.
Ukraine’s security agency, the SBU, said in a statement Saturday the attack bore resemblances to past hacks of Ukrainian infrastructure by the Russian security services.
“The available data, including those obtained in cooperation with international antivirus companies, give us reason to believe that the same hacking groups are involved in the attacks, which in December 2016 attacked the financial system, transport and energy facilities of Ukraine, using TeleBots and BlackEnergy,” the statement said.
Russia has denied involvement in the recent attack that halted operations at large companies and government agencies in more than 60 countries around the world. The hackers encrypted data on infected machines and demanded a ransom to give it back to its owner.
Europol Director Rob Wainwright called Tuesday’s hack “another serious ransomware attack.” He said it bore resemblances to the previous “WannaCry” hack, but it also showed indications of a “more sophisticated attack capability intended to exploit a range of vulnerabilities.”
The WannaCry hack sent a wave of crippling ransomware to hospitals across Britain in May, causing the hospitals to divert ambulances and cancel surgeries. The program demanded a ransom to unlock access to files stored on infected machines.
Researchers eventually found a way to thwart the hack, but only after about 300 people had already paid the ransom.
The most recent hack has been largely contained, but now some researchers are questioning the motivation behind the attack. They say it may not have been designed to collect a ransom, but instead to simply destroy data.
“There may be a more nefarious motive behind the attack,” Gavin O’Gorman, an investigator with U.S. antivirus firm Symantec, said in a blog post. “Perhaps this attack was never intended to make money [but] rather to simply disrupt a large number of Ukrainian organizations.”
Russian anti-virus firm Kaspersky Lab similarly noted that the code used in the hacking software wouldn’t have allowed its authors to decrypt the stolen data after a ransom had been paid.
“It appears it was designed as a wiper pretending to be ransomware,” Kapersky researchers Anton Ivanov and Orkhan Mamedov wrote in a blog post. “This is the worst case news for the victims – even if they pay the ransom they will not get their data back.”
The computer virus used in the attack includes code known as Eternal Blue, a tool developed by the NSA that exploited Microsoft’s Windows operating system, and which was published on the internet in April by a group called Shadowbrokers. Microsoft released a patch in March to protect systems from that vulnerability.
Tim Rawlins, director of the Britain-based cybersecurity consultancy NCC Group, says the attacks continue to happen because people have not been keeping up with effectively patching their computers.
“This is a repeat WannaCry type of outbreak and it really comes down to the fact that people are not focusing on what they should be focusing on, the very simple premise of patching your systems,” Rawlins told VOA.