by Iv 2384 days ago
The claim in the article is that the target was Ukraine, the attacker Russia, and Merck a collateral casualty of an attempt to disguise a state-sponsored cyber-attack as a criminal extortion attempt.

One would need to dig deeper to get a really informed opinion. I do believe Russia to be able and willing to do that; I also believe the so-called "Western intelligence agencies" will blame any malware on Russia or China on the flimsiest evidence.

There is also the possibility that the same tools were used both by the GRU and Russian criminals, leading to a misleading identification. Black hats would totally take someone else's malware and modify it for their purpose while still hiding their tracks.

Zero days are expensive to get, but once the exploits are in the wild, they are anyone's to use.


If you analyze the NotPetya attack, it differs from other ransomware attempts in two respects. First, it was specifically targeting Ukraine. Second, the attackers didn't actually take any money but rendered all systems defunct. If you are a criminal, you aim to make money, right? Why give up on that possibility? It makes no sense.

So, even though in the infosec world you can never say never, just as Stuxnet is generally attributed to Israel/USA, NotPetya is attributed to Russia, even though none of these countries will ever admit they actually did it.

> If you are a criminal, you aim to make money, right?

I don't think that is right. You don't decide to be a criminal, you decide to perform an action, you get labelled then by others.

Some people want to destroy big businesses, they can possibly make as much money as they need already.

Of course you can make money through a side-channel that's less traceable too.

Oh I did not know that. The attack was behaving differently on Ukrainian targets? That's a pretty damning thing indeed and makes the question of the act of war very relevant.

Note that it could make sense for a pro-Russia Ukrainian group to extort money abroad and to hurt the target economically. That seems to be the Russian MO for not being directly implicated in the Ukrainian operations: help the groups that are already in place with tools, weapons and money.

They give up direct control over the actions in exchange for deniability.

As far as I know, it didn't behave differently on Ukrainian targets. The attack was on the Ukrainian tax software M.E.Doc, which businesses in the Ukraine are legally mandated to use.

So it was targeted at the Ukraine, but plenty of multinational companies also operate there, so they were collateral damage.

> One would need to dig deeper to get a really informed opinion.

There are a ton of security experts who have indeed dug deeper, and came to the conclusion that it was Russia.

There just needs to be one, with a good write-up of the evidence, and the evidence has to be better than "they used the same tools" or "their IP is in Russia". The linked article does not detail them.

I have seen US TLAs blame China on really laughable evidence (and fail to do it properly on the one undeniable attack they did on GitHub).

This is a bit simplistic. My educated guess is that in Russia, Ukraine and probably some other countries, given the pay structure in three-letter agencies, they simply cannot afford to hire proper skills for cyber security, especially on the offensive side. So they have a hybrid private/government system where certain groups get some level of immunity for their "commercial" activities in exchange for deploying their skills for three-letter-agency use when needed. Alternatively, people who are caught for some criminal activity get their sentence suspended in exchange for services.