WASHINGTON/LONDON - The White House on Thursday blamed Russia for the devastating NotPetya cyberattack last year, joining the British government in condemning Moscow for unleashing a virus that crippled parts of Ukraine’s infrastructure and damaged computers in countries across the globe.
The attack launched in June 2017 by the Russian military “spread worldwide, causing billions of dollars in damage across Europe, Asia and the Americas,” White House Press Secretary Sarah Sanders said in a statement.
“It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict,” Sanders said. “This was also a reckless and indiscriminate cyberattack that will be met with international consequences.”
The strongly worded but brief statement was the first time the U.S. government has blamed Russia for what is considered one of the worst cyberattacks on record. Many private sector security experts had fingered Moscow months ago.
Experts said the White House vow of a response needed to be met with clear action, especially because U.S. President Donald Trump has sought to improve relations with his Russian counterpart, Vladimir Putin, and has at times appeared dismissive of the cyberthreat posed by Russia.
The U.S. government is “reviewing a range of options,” a senior White House official said when asked what consequences Russia would face.
It was not clear what those options were, nor what was meant by “international consequences.”
Earlier on Thursday Russia denied being behind the attack, saying the accusations were part of a “Russophobic” campaign that it said was being waged by some Western countries.
The White House had intended to release a statement about NotPetya at the same time as London, but those plans were delayed due to a school shooting in Florida, according to three sources familiar with the matter.
The U.S. government has been quicker to blame other nations, most notably North Korea, for destructive cyberattacks, including the WannaCry ransomware attack in May 2017.
Some administration officials have worried that publicly blaming Russia without imposing some cost could raise questions about why the United States was not retaliating, said two sources familiar with the internal debate.
Others argued that because the United States also conducts covert cyberspace operations that could not be discussed in public, the statement attributing blame to Moscow required no elaboration, the sources said.
Trump has resisted the conclusion of U.S. intelligence agencies that Moscow also meddled in the 2016 U.S. presidential election. After he met Putin in Vietnam last November, Trump said he believed the Russian leader when he denied his government interfered in the election.
“With Russia, if we are promised consequences, people are going to be looking for tangible proof” of a response, said Kenneth Geers, a security researcher at the cyber firm Comodo and former U.S. intelligence official who works at NATO’s think tank on cyber defense.
“Otherwise it seems like a real empty promise.”
The NotPetya attack started in Ukraine, where it crippled government and business computers before spreading around Europe and the world, halting operations at ports, factories and offices.
Britain’s foreign ministry said in a statement released earlier in the day that the attack originated from the Russian military.
“The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity,” the ministry said in a statement.
“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt,” it said.
“Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”