Malware Outbreak Attributable to State Actor, NATO Researchers Say
The global outbreak of what is now being called the NotPetya malware on June 27, hitting multiple organizations in Ukraine, Europe, the United States, and possibly Russia, can most likely be attributed to a state actor, concluded a group of researchers at the NATO Cooperative Cyber Defense Center of Excellence (CCD COE).
Ukraine has reportedly accused Russia of being behind the attack.
Analysis of both recent large-scale campaigns, WannaCry and NotPetya, raises questions about possible response options of affected states and the international community, according to a CCD COE report.
“NotPetya was probably launched by a state actor or a non-state actor with support or approval from a state,” says the NATO report. “Other options are unlikely,” raising the question of whether there is a required response under the NATO treaty.
NATO’s Secretary General reaffirmed on June 28 that a cyber operation with consequences comparable to an armed attack can trigger Article 5 of the North Atlantic Treaty—requiring a response from NATO allies—and that responses could be with military means. However, since there are no reports of those types of effects, the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations says collective defense of victim states is not an available option.
“If the operation could be linked to an ongoing international armed conflict, then the law of armed conflict would apply, at least to the extent that injury or physical damage was caused by it…but so far there are reports of neither,” said Tomáš Minárik, a researcher at NATO CCD COE Law Branch.
However, government systems have been targeted, in which case, if the operation is attributed to a state, the attack would count as a violation of sovereignty, allowing targeted states options to respond, according to Minárik. “A countermeasure is a state response that would otherwise be unlawful but for the fact that the state is responding to an internationally wrongful act attributable to another state,” he explained. “A countermeasure could be, for example, a cyber operation sabotaging the offending state’s government IT systems, but it does not necessarily have to be conducted by cyber means. In any case, the effects of a countermeasure must not amount to a use of force or affect third countries.”