{
	"id": "858e1c19-d0f6-457d-9231-379504db0d3f",
	"created_at": "2026-04-06T00:13:10.856148Z",
	"updated_at": "2026-04-10T03:23:38.794159Z",
	"deleted_at": null,
	"sha1_hash": "dc61a241279869db57acd48fe3316d8c92f9eda6",
	"title": "'NotPetya' malware attacks could warrant retaliation, says Nato-affiliated researcher",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35545,
	"plain_text": "'NotPetya' malware attacks could warrant retaliation, says Nato-affiliated\r\nresearcher\r\nBy Alex Hern\r\nPublished: 2017-07-03 · Archived: 2026-04-05 17:53:32 UTC\r\nThe NotPetya malware that wiped computers at organisations including Maersk, Merck and the Ukrainian\r\ngovernment in June “could count as a violation of sovereignty”, according to a legal researcher at a Nato-affiliated\r\ncybersecurity organisation.\r\nIf the malware outbreak was state-sponsored, the researcher says, it could open the possibility of\r\n“countermeasures”. Those could come through retaliatory cyber-attacks, or more conventional means such as\r\nsanctions, but they must fall short of a military use of force.\r\nTomáš Minárik, a researcher at the Nato Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia,\r\nmade the comments after the Centre concluded that the malware outbreak, which overwhelmingly hit Ukraine but\r\nalso affected more than 60 other countries, can most likely be attributed to a state actor.\r\nWhile a cyber-attack can trigger an armed response from Nato, Minárik cautioned that the damage caused by\r\nNotPetya was not sufficient for such an escalation. The law of armed conflict applies only if a cyber-attack causes\r\ndamage “with consequences comparable to an armed attack”, during an ongoing international armed conflict, “but\r\nso far there are reports of neither,” he said.\r\nHowever, Minárik added, “as important government systems have been targeted, then in case the operation is\r\nattributed to a state this could count as a violation of sovereignty. Consequently, this could be an internationally\r\nwrongful act, which might give the targeted states several options to respond with countermeasures.”\r\nA countermeasure is any state response which would be illegal in typical circumstances, but can be authorised as a\r\nreaction to an internationally wrongful act by another state. 
A “hack back” response, for instance, could be a\r\ncountermeasure, but Nato CCDCOE says that such responses “do not necessarily have to be conducted by cyber\r\nmeans”; they cannot, however, affect third countries, nor can they amount to a use of force.\r\nThe suspicion that NotPetya – so called because the malware is superficially similar to an earlier ransomware\r\nvariant called Petya – may be the work of a state-sponsored actor arose shortly after the outbreak began in late\r\nJune.\r\nWhile the malware appears to be ransomware (a type of program which holds critical files hostage in exchange for\r\npayment), it contained several flaws that prevented it from ever being an effective moneymaker for its creators.\r\nAmong other things, the payment infrastructure was tied to one email address outside their control, which was\r\npromptly blocked by the webmail provider, preventing victims from ever receiving their decryption key and\r\nunlocking their files.\r\nBut the malware, which was overwhelmingly seeded to victims through a compromised Ukrainian accounting\r\nprogram, did function well as a “wiper”, designed simply to render systems unusable and cause economic damage.\r\nIt spread rapidly inside business networks, using a combination of exploits stolen from the NSA and more\r\ncommon weaknesses in older versions of Windows, ensuring that whole organisations found themselves unable to\r\noperate for days on end.\r\nUnlike WannaCry, an earlier piece of ransomware also suspected of being the work of state-sponsored attackers\r\n(in that case, explicitly linked to North Korea by intelligence agencies including the NSA and GCHQ), NotPetya\r\ndid not contain any functionality enabling it to spread unconstrained across the internet, limiting the vast majority\r\nof its damage to those organisations directly infected 
by the compromised accounting software.\r\nSource: https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik"
	],
	"report_names": [
		"notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik"
	],
	"threat_actors": [
		{
			"id": "5d2bd376-fcdc-4c6a-bc2c-17ebbb5b81a4",
			"created_at": "2022-10-25T16:07:23.667223Z",
			"updated_at": "2026-04-10T02:00:04.705778Z",
			"deleted_at": null,
			"main_name": "GCHQ",
			"aliases": [
				"Government Communications Headquarters",
				"Operation Socialist"
			],
			"source_name": "ETDA:GCHQ",
			"tools": [
				"Prax",
				"Regin",
				"WarriorPride"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434390,
	"ts_updated_at": 1775791418,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dc61a241279869db57acd48fe3316d8c92f9eda6.pdf",
		"text": "https://archive.orkl.eu/dc61a241279869db57acd48fe3316d8c92f9eda6.txt",
		"img": "https://archive.orkl.eu/dc61a241279869db57acd48fe3316d8c92f9eda6.jpg"
	}
}