Photo: Getty

On Saturday, Kevin Scheid, a Department of Defense veteran, was placed in charge of NATO’s cyber operations. The appointment wouldn’t be big news if it weren’t for the fact that he’s joining the organization at a hair-raising point in history. The vicious malware triggered the NATO Cooperative Cyber Defence Centre of Excellence (NATO CCD COE) to announce on Friday that the attack is believed to be the work of a state actor and is a potential act of war.


There was a lot of ruckus back in May when Donald Trump met with the leaders of NATO and failed to confirm that the US is committed to Article 5 of the North Atlantic Treaty. That’s the clause of the agreement that pledges the members of NATO to mutual defense. Legally speaking, if Article 5 is triggered by an attack on one member, the other members are required to join in retaliation. NATO’s Secretary General confirmed this week that a cyber operation with “consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty and responses might be with military means.” But Friday’s press release emphasizes that we don’t know enough about the origin of NotPetya or the intentions behind its release at this time.


NATO CCD COE is part of the NATO Allied Command Transformation’s Centers of Excellence and is classified as an International Military Organisation. It functions in an advisory capacity and helps member nations cooperate in the realm of cyber security. CCD COE researchers have concluded that the malware “can most likely be attributed to a state actor,” and if a nation is determined to be responsible, “this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.” What sort of countermeasures? Well, pretty much anything. Independently, the UK’s defense secretary announced this week that his country was prepared to respond to cyber attacks “from any domain - air, land, sea or cyber.”

If our unhinged president in the US wants to start a war for the hell of it, he pretty much has the power to do that. But NATO functions on strict rules. Tomáš Minárik, a researcher at NATO CCD COE writes:

If the operation could be linked to an ongoing international armed conflict, then law of armed conflict would apply, at least to the extent that injury or physical damage was caused by it, and with respect to possible direct participation in hostilities by civilian hackers, but so far there are reports of neither.

Minárik is outlining what would justify full on IRL military conflict. That doesn’t, necessarily, mean that NATO couldn’t respond in the cyber-realm if it determined that a government was responsible for NotPetya. He continues:

As important government systems have been targeted, then in case the operation is attributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally wrongful act, which might give the targeted states several options to respond with countermeasures.


NATO doesn’t know who’s responsible for NotPetya, and no experts have attributed the attack to one actor with certainty.

It’s one of the most fascinating pieces of malware to ever wreak havoc on a large scale. At first, people thought it was ransomware, then it was more likely to be a wiper with some ransomware code. It’s become clear that it uses the EternalBlue and EternalRomance exploits that were pilfered from the NSA and released by the hacking group the Shadow Brokers in April. But intriguingly, it appears that whoever created NotPetya had access to those exploits two weeks before they were given to the public.


Another puzzling factor is the motive for releasing this malware that doesn’t seem to benefit anyone. No one is getting paid. It’s just a really destructive worm that locks up systems. It was first released in Ukraine, and that country’s security services are blaming Russia. But Russians were victims of the attack as well. It’s such a pointless and nasty worm that the crime group behind the original Petya actually jumped in and volunteered to help victims. Lauri Lindström, a researcher at NATO says, “it seems likely that the more sophisticated and expensive NotPetya campaign is a declaration of power - a demonstration of the acquired disruptive capability and readiness to use it.”

According to Bloomberg, attacks on NATO’s electronic infrastructure increased by 60 percent last year. If it’s true that a state actor is responsible for NotPetya, it’s possible that NATO taking notice and talking up Article 5 could make the perpetrator think twice. Then again, if the responsible party gets away without a trace, they’ll know that they’re untouchable.


Correction: This post has been updated to clarify that NATO’s CCD COE is accredited by the Alliance and serves to give advice, conduct research, and facilitate cooperation among the nations on issues of cyber security.

[CCDCOE via Security Affairs, Bloomberg]