What we can learn from the most damaging cyberattack in history

By Richard A. Clarke and Robert K. Knake

Lorina Nash rushed her mother to the emergency room at Lister Hospital in Stevenage, England. The doctors said they needed tests to diagnose the problem. They gave Nash’s mother a blood test, but then the computers crashed and they could not complete the analysis. The doctors put the sample in the hands of a courier and sent him on a three-hour trip to a clinic whose computers were still working. Lorina and her mom waited in what became a largely empty ER, as most patients were sent away.

Ambulances racing to Essex Hospital were redirected elsewhere, as the Accident and Emergency department there had also stopped accepting patients. At North Hampshire Hospital, the CT and X-ray machines froze. Colchester Hospital canceled twenty-five operations. At Chesterfield Royal Hospital the problem was the reverse: without functioning computers, patients could not be released and had to spend another night in the hospital. It was May 12, 2017, and the British National Health Service had been hit by a ransomware cyberattack that was shutting down businesses all over Europe and North America, locking down computers and demanding payment in Bitcoin to unlock them.

The attack tool used became known as WannaCry, and seven months later the Australian, British, and American governments identified the culprit as one of the North Korean government’s hacking groups, sometimes called the Lazarus Group by Western analysts. While WannaCry captured the media’s attention in the United States and many other countries, the events in May were only a prelude to a much more devastating attack a month later by another state actor. Indeed, what was to come was the most devastating single cyberattack in history, so far costing companies more than $20 billion and, more importantly, shutting down key infrastructure.

While WannaCry got the public’s attention, corporate and government IT security professionals had already been aware of the growing risk of ransomware. A year earlier, a virus known as Petya (named after a Soviet weapon in a James Bond movie) had demonstrated significant success in attacking Windows-based systems and then spreading encryption throughout the infected network. Analysis of Petya by U.S. cybersecurity firms later revealed that it employed an attack technique based on the National Security Agency’s EternalBlue weapon.

Then in late June 2017, malware resembling Petya spread with unprecedented speed around the world, attacking Microsoft servers and then jumping to all connected devices on the affected corporate networks. In major companies seemingly selected at random, and at their facilities in scores of nations, computer screens froze and flashed messages demanding payment. It looked like ransomware again. It wasn’t.

Once analysts realized it was not the Petya attack again, they creatively labeled the new attack NotPetya. What cybersecurity experts quickly surmised was that the demand for ransom was fake, a diversion. The attacking software was actually what was known as a wiper, which erased all software on the infected devices. Any device connected on an infected network would be wiped: desktops, laptops, data storage servers, routers, IP phones, mobile phones, tablets, printers.

Operations at major global corporations suddenly ground to a halt. At the pharmaceutical firm Merck, which made more than $40 billion in revenue in 2017 and employed more than sixty thousand workers, production lines froze. Distribution of vaccinations, oncology drugs, and hundreds of other pharmaceuticals stopped. Later, the company would claim the damages cost them almost $900 million.

Maersk, a container ship and port giant, suddenly could not operate the cranes that move millions of shipping containers at its megaports around the world, including New York and New Jersey, Los Angeles, and Rotterdam. Moreover, it had no idea where any given container was, what was in any container, or where any container was supposed to go. Later, the company would publicly own up to $300 million in damages, but a company insider told us that when opportunity costs were accounted for, the true loss was triple that number.

Hundreds of corporations, some in almost every sector, were frozen, including the logistics firm TNT Express (a subsidiary of FedEx), Mondele?z, the snack company, and the DLA Piper law firm. If there had been any doubt that a cyberattack could be global in an instant, that it could disable physical systems, or that it could affect the machinery that keeps the global economy moving, that doubt evaporated on June 27, 2017. Was it cyberwar?

Whether NotPetya was an act of cyber war depends, of course, on your definition. Upon examination, NotPetya was an operation run by a military unit, specifically the Main Directorate of the General Staff of the Russian Federation’s military, often called the GRU or Russian military intelligence. (In the funny-name-game world of cyber wonks, the GRU’s hacking team is also known as Fancy Bear.)

The Russian military did not, we suspect, intend to indiscriminately attack global corporations. What it had intended was a crippling attack on Ukraine on the eve of its national holiday, Constitution Day. The GRU had figured out a truly creative attack vector, a channel that could be used to spread an attack.

What the GRU had noticed was that almost every company and government ministry in Ukraine used the same accounting software. Think of the prevalence of QuickBooks in the United States and you will get the picture. Only in Ukraine, the equivalent software was known as M.E.Doc, from the Ukrainian software company the Linkos Group. Like every other similar application, the M.E.Doc program was periodically updated. Updates were pushed out to licensed users from a server at Linkos. The updates were digitally signed by Linkos and recognized by users’ firewalls, thus allowing the M.E.Doc updates to pass freely into corporate networks.

So the GRU hacked into Linkos and planted a little something extra in the next update to M.E.Doc: an attack package that exploited a known vulnerability in Microsoft server software, combined with a password-hacking tool and instructions to spread to any connected device on the network, wiping them of all software.

The GRU attack worked almost flawlessly, destroying about 10 percent of all devices in Ukraine, including some in every government ministry, more than twenty financial institutions, and at least four hospitals.

Almost flawlessly. What the GRU had apparently not recognized (or maybe they did) was that global companies operating in Ukraine would also be hit, and from their Ukrainian offices the attack would spread over virtual private networks (VPNs) and rented corporate fiber connections back to corporate headquarters in England, Denmark, the United States, and elsewhere.

This kind of mistaken collateral damage is not unique to NotPetya or to the GRU. The software used in the so-called Stuxnet attack on the Iranian nuclear enrichment plant reportedly carried out by the United States in 2010 somehow got out into the world, even though the Natanz plant was not connected to the internet or any other network. Stuxnet quickly spread around the globe, was captured by cybersecurity teams in many countries, and was decompiled, with parts of it later reused in new attack tools.

Stuxnet, however, did not damage anything outside of Natanz, because it was written in a way that the only thing it could hurt was the Iranian nuclear enrichment processor. Nonetheless, the fact that the software spread way beyond its target was reportedly one of the motivations for President Obama’s subsequent directive, Presidential Policy Directive 20, which allegedly restricted further offensive use of cyber tools without his personal approval. (President Trump is reported to have removed those restrictions in 2018.)

Stuxnet revealed to the world, or at least to anyone who cared enough to bother to grab a copy, one of the most sophisticated attack tools ever, containing more than fifty thousand lines of computer code including numerous tricks never used before (so-called zero-day exploits). NotPetya revealed not a thing about Russian GRU attack tools. It exposed nothing of theirs because it was not their tool. It was America’s.

An obscure, important, and contentious debate among cybersecurity experts concerns whether it’s the responsibility of the U.S. government to tell software developers (say, Microsoft) when NSA hackers find a mistake in the company’s code that would permit someone to do something new and malicious, such as hack in and copy customer data, steal money, or wipe out all the software on a network. In the parlance of U.S. government cyber-policy makers, this debate is called the “equities issue” because it involves balancing the interests of intelligence agencies trying to attack with the concerns of government departments such as Treasury and Homeland Security that have an interest in more secure corporate networks.

If the government tells the software developer, then the company issues a “patch” that can fix the problem. If the government does not tell them, then it can hack into interesting foreign networks using the vulnerability in order to learn things to protect the country. (The government creates an “exploit,” a hacking tool that takes advantage of the poorly written computer code.)

After Edward Snowden stole sensitive NSA information and gave it to WikiLeaks (and the Russians), President Obama appointed a five-man group to investigate and make recommendations. Dick Clarke was one of the group that became known as the Five Guys, after the Washington hamburger chain.

Five Guys’ recommendations were all made public, every single word of them, by the Obama White House. One of those recommendations was that when the NSA finds a hole in widely used software, it should tell the manufacturer, with rare exceptions. Those exceptions would be approved at a high level in the government and should be valid for only a finite period. The Obama administration accepted that recommendation.

Microsoft has charged that the NSA knew about a big problem with Microsoft’s server software for five years and did not tell them. Instead, the NSA developed an attack tool, or zero-day exploit, and called it EternalBlue. Presumably, the NSA used EternalBlue to get into foreign networks. Only in March 2017 did Microsoft, having just been informed of its software’s deficiencies by the U.S. government, issue a patch for the problem.

As is always the case when a software company issues a patch, not every one of its users gets the message or believes the warning that it is a critical patch that has to be installed right away. So, despite the patch, the North Korean authors of WannaCry were successful in using the vulnerability two months later, in May 2017, and the Russian GRU used it again, in combination with other tricks, in creating the June 2017 NotPetya disaster.

Those devastating attacks would almost certainly have been avoided if the U.S. government had told Microsoft years earlier. At least, that is what Microsoft said publicly after it figured out what happened.

Why did the government finally tell Microsoft? Our guess, and it is just that, is that by March 2016 the government had figured out that Russia had stolen the U.S. attack kit, knew about the zero day, and was using it or was about to use it.

All of this might not constitute war according to the traditional definition, but it is fairly clear by now that the United States and its allies have been regularly attacked by the Russian military using cyber weapons. The Russian military has not only used cyber weapons to collect intelligence, but it has also deployed cyberweapons to damage, disrupt, and destroy physical objects in the real world, beyond the realm of 1s and 0s. And the Russians are not the only ones. To quote the British Foreign Office, the Russians are simply the most, “reckless and indiscriminate.”

Russia’s GRU successfully penetrated the Pentagon’s classified intranet, as well as the State Department and White House systems. According to the United Kingdom’s National Cybersecurity Center in October 2018, the GRU has engaged in a sustained campaign of low-level cyber war for several years, going back at least to its 2007 attack on Estonia and its 2008 attack on the nation of Georgia.

Famously, the Russian GRU penetrated the Democratic National Committee (which admittedly required little skill) as one part of a multifaceted campaign to affect the outcome of the U.S. presidential election. And of course, there was the most damaging cyberattack in history to date, Not-Petya, about which the White House issued a rare public statement of attribution regarding a cyberattack.

Whether or not you call all of that activity cyber war, it is objectively a lot of damage being done by a military organization. Most significant hacking used to be done by non-state actors, individuals, or clubs. Now, major attacks are usually the work of some nation’s military.

Nations are regularly using their militaries not only to steal secrets, but to damage, disrupt, and destroy sensitive systems inside potential enemy nations. Such operations could easily lead to escalation into broader war, intentionally or unintentionally. The U.S. military, for example, has said that it reserves the right to respond to cyberattacks with any weapon in its arsenal. To be clear, the recent and current levels, pace, and scope of disruptive activity in cyberspace by the military units of several nations is unprecedented, dangerous, and unsustainable in “peacetime.” It cannot continue like this. Either we control and deescalate tensions, or conditions will cease to have any resemblance to peacetime.

If we do not take concerted steps to reduce the risk of cyber war, if we do not engage in a multifaceted program to bring us closer to cyber peace, we risk highly destructive cyberattacks that could cripple modern societies and escalate into the kind of Great Power conflict we have not seen in more than seventy-five years. Thus, we need to make it a major national priority to find ways of defeating nation-state hackers. 

Richard A. Clarke and Robert K. Knake are the authors of "The Fifth Domain: Defending Our Country, Our Companies, and Ourselves in the Age of Cyber Threats," from which this article has been adapted.