28 February 2022

Could Russia use another NotPetya-style cyber weapon in Ukraine?

Security officials have warned that Russian cyber attacks on Ukraine could quickly spread to other nations.

By Oscar Williams

On 27 June 2017 Ukraine’s largest airport, its energy authority and national bank suffered a devastating cyber attack. Within hours the “NotPetya” virus used in the attack had spread around the world, bringing down several major businesses. NotPetya caused chaos within the advertising firm WPP, the pharmaceutical company Merck and the transportation giants Maersk and FedEx.

These companies were never the intended targets of the attack. They were merely collateral damage in a campaign launched by the Russian government with the aim of wreaking havoc in its neighbouring state. After Russian troops entered Ukraine last week, businesses and governments have been asking if a similar attack could spread beyond the country, and the Business Secretary, Kwasi Kwarteng, is expected to meet with the chair of the National Grid this week to discuss the risk to Britain’s infrastructure.

Russia has already conducted three rounds of cyber attacks on Ukrainian institutions since the beginning of this year. The latest and most intense wave began on Wednesday (23 February), when several Ukrainian banks and government organisations’ websites were rendered inaccessible by distributed denial of service (DDoS) attacks. The campaign coincided with the emergence of a new “wiper” virus, which was designed to destroy targets’ data, in a similar way to the NotPetya attack.

The UK’s National Cyber Security Centre (NCSC) has been warning for several weeks that attacks could “spill over”, unintentionally ensnaring British victims. Last week, the agency – a division of GCHQ – said that while it was “not aware of any current threats to UK organisations in relation to events in and around Ukraine, there has been a historical pattern of cyber attacks on Ukraine with international consequences”. The GCHQ director, Jeremy Fleming, met leaders representing Britain’s critical national infrastructure organisations on 17 February.

The NotPetya attack gained access to victims’ computers using a critical software vulnerability or “exploit” that was already widely known. Microsoft had already released an update to secure against the vulnerability, but millions of computers hadn’t been updated. Alan Woodward, a computer security professor at the University of Surrey, says no similar exploits have emerged into the public domain since – but that doesn’t mean they don’t exist. It is possible, he says, that Russia’s military intelligence unit, the GRU, could have developed exploits for vulnerabilities which are not yet known to software vendors (so-called “zero-day exploits”): “You don’t know what you don’t know.”

However, Woodward says Russia wouldn’t need to develop an entirely new exploit in order to cause chaos. It could simply adapt previous viruses – and NCSC warned on 23 February that a GRU unit, referred to as “Sandworm”, had done just that. In an advisory note security officials said: “The malware dubbed Cyclops Blink appears to be a replacement for the VPNFilter malware exposed in 2018, and its deployment could allow Sandworm to remotely access networks.”

It is possible, says Woodward, that Russia could respond to economic sanctions by carrying out retaliatory cyber attacks aimed at Western financial organisations. “Because cyber attacks are so difficult to attribute, are they going to launch something against the West anyway? Might they do something to harm Western economies as a reprisal?” This is considered a less likely scenario, however; the difficulty of carrying out such attacks makes a “spillover” attack the most likely cyber threat facing Western organisations.

One consolation is that British organisations are likely to be better protected than those in some other European nations. NCSC is among the most advanced organisations of its kind in the world, and has been working for years to build up the country’s cyber resilience; Woodward says that Britain’s new offensive cyber force may also act as a deterrent to Russian aggression. The Defence Secretary, Ben Wallace, has already signalled that the government would be prepared to carry out retaliatory cyber attacks on Russia.

Nevertheless, while the risk of cyber attacks will be front of mind for some British security officials and business leaders, it will be of lesser concern to Ukrainian citizens. “When it gets to this stage, it becomes secondary to military action and reverts to what we’ve seen with electronic warfare for decades,” says Woodward. “It’s a way of disrupting things and the economy of somewhere, but primarily it’s a way of spreading misinformation and disinformation.”
