When a ransomware outbreak exploded from Ukraine across Europe yesterday, disrupting companies, government agencies, and critical infrastructure, it at first appeared to be just another profit-focused cybercriminal scheme, albeit a particularly vicious and damaging one. But its origins in Ukraine raised deeper questions. After all, shadowy hackers have waged a cyberwar there for years, likely at Russia's bidding.

As more details come to light, Ukrainian cybersecurity firms and government agencies argue that the hackers behind the ransomware called Petya (also known as NotPetya or Nyetya) are no mere thieves. Rather, they pin the attacks on political operatives seeking to disrupt Ukrainian institutions yet again, using a massive ransom scheme to hide their true motive. And some Western cybersecurity analysts tracking the Petya plague have come to the same conclusion.

Targeted Approach

On Tuesday morning, Ukrainian media was the first to widely report the Petya infections, as the malware hit targets including Ukrainian banks, Kiev's Borispol airport, and energy firms Kyivenergo and Ukrenergo.

Plenty of others fell victim to Petya as well. It struck the Danish shipping firm Maersk, the Russian oil company Rosneft, and even the American pharmaceutical giant Merck. But Ukrainian cybersecurity analysts view Ukraine as the primary target, and the Petya outbreak as just another strike in their ongoing cyberwar with organized and relentless hackers that the Ukrainian government has publicly linked to Russian state actors. "I think this was directed at us," says Roman Boyarchuk, the head of the Center for Cyber Protection within Ukraine's State Service for Special Communications and Information Protection. "This is definitely not criminal. It is more likely state-sponsored."

As for whether that state sponsor was Russia, "It’s difficult to imagine anyone else would want to do this," Boyarchuk says.

Boyarchuk points to the timing of the attack, just before Ukraine's Constitution Day, which celebrates the country’s post-Soviet independence. Ukraine also suffered a targeted act of physical violence on Tuesday, when a car bomb assassinated a special forces official in Kiev.

More technical clues support that theory, some Ukrainian security researchers say. Kiev-based Information Systems Security Partners, which has acted as a first responder for several recent waves of cyberattacks on Ukrainian companies and government agencies, says it has found evidence that sophisticated hackers quietly infiltrated the networks of at least some Ukrainian targets two to three months before they triggered the ransomware that paralyzed those organizations.

"According to the obtained intermediate data of our analysis, our analysts concluded that the destructive effects in the infrastructures of the organizations studied were carried out with the help of [ransomware], but also with direct involvement of intruders who already had some time in the infrastructure," writes ISSP forensic analyst Oleksii Yasinsky in an email to WIRED. ISSP declined to provide more details about the evidence of those prolonged intrusions, but argues that the attackers' techniques match the "handwriting" of previous attacks from 2015 and 2016 that Ukrainian president Petro Poroshenko has called acts of "cyberwar," waged by Russia's intelligence and military services. Yasinsky declined to name the exact Petya victims whose networks had shown those fingerprints, but he notes that they include one major Ukrainian bank and a critical infrastructure company.

ISSP says it also found that Petya doesn't act solely as ransomware. Rather than just encrypting infected hard drives and demanding $300 in bitcoin for the decryption key, in some cases it simply wiped machines on the same network, deleting a victim computer's deep-seated master boot record, which tells it how to load its operating system. Other researchers at Comae Technologies and Kaspersky noted Wednesday that the ransomware's encryption appears to be irreversible, even if a victim pays the ransom.