An assessment by the National Cyber Security Centre, part of GCHQ, has found that the Russian military was almost certainly responsible for the ‘NotPetya’ cyber attack of June 2017.

According to a press release, the UK Government has made the judgement that the Russian government was responsible for the attack, which particularly affected Ukraine’s financial, energy and government institutions but its indiscriminate design caused it to spread further, affecting other European and Russian business.

“The destructive attack masqueraded as ransomware, but its purpose was principally to disrupt. Several indicators seen by the NCSC demonstrated a high level of planning, research and technical capability.

The decision to publicly attribute this incident reiterates the position of the UK and its allies that malicious cyber activity will not be tolerated.”

Foreign Office Minister of State with responsibility for Cyber, Lord (Tariq) Ahmad of Wimbledon, said:

“The UK Government judges that the Russian Government, specifically the Russian military, was responsible for the destructive NotPetya cyber-attack of June 2017. The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organisations across Europe costing hundreds of millions of pounds.

The Kremlin has positioned Russia in direct opposition to the West: it doesn’t have to be that way. We call upon Russia to be the responsible member of the international community it claims to be rather then secretly trying to undermine it.

The United Kingdom is identifying, pursuing and responding to malicious cyber activity regardless of where it originates, imposing costs on those who would seek to do us harm. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”

Once an organisation’s machine was infected, the highly crafted tool was designed to spread rapidly, in some cases overriding the Master Boot Record on infected computers and displaying a ransom note asking for payment in Bitcoins. The malware spread via trusted networks, rather than widely over the internet. Therefore, it effectively bypassed the processes put in place to prevent ransomware attacks say GCHQ.

The malware was not designed to be decrypted. This meant that there was no means for victims to recover data once it had been encrypted. Therefore they say it is more accurate to describe this attack as destructive than as ransomware.