78 comments

[ 783 ms ] story [ 1373 ms ] thread
I posted this same suspicion yesterday. (https://news.ycombinator.com/item?id=14646881)

Russia is "range testing" its weapons in Ukraine.

The West and particularly the US should be very worried about this. The sanctions against Russia are dictating its policy and they have shown a willingness to escalate beyond what's been considered "appropriate" in the past.

I'll say it again here, a country will be made to surrender its policy due to crippling cyber-attacks. As has been shown in the past a western country will only fight a war as long as the citizens support it. When people are harmed and dying due to hospital shut downs, inaccessible banks, power companies offline, airplanes grounded and food shipping stalled - politicians will feel their arms have been twisted horribly but will concede. How well would Washington, DC function for weeks or longer without electrical power?

What Russia is preparing for is the equivalent of bombing cities until surrender (not the direct death, but the punish the population to cause surrender method). As far as I know, there are no international laws around it.

Best case is all sides escalate cyber-weapon "strength" to unthinkable levels and we enter a new cold-war standoff. But again, the nuke mutually assured destruction only could happen after nukes had been proven to be crippling...

The West needs to take this threat very seriously, or we'll soon find ourselves at the wrong end of the barrel of a new weapon.

This seems alarmist to me. In principle we can make computers much more secure and in practice some groups actually do.

If we get some decent information out there and stop enabling people with the mentality that computer security is an add-on product I think we can make it pretty far. I doubt google or microsoft will be significantly harmed by a "cyber-weapon", and I don't think most end-user devices with automatic updates enabled will either.

This is a solvable problem.

> This is a solvable problem.

If only security wasn't last on the budget ...

It's not about harming Google or Microsoft. It's about attacking vulnerabilities in infrastructure. No one cares if your webapp that's instantly reporting on the current length of a celebrity's hair is still capable of serving traffic if traffic lights have been disabled or if your ISP has been knocked completely off line or if the cellular network has been severely crippled.
> In principle we can make computers much more secure and in practice some groups actually do.

In principle we could, and yet in the 20-30 years of common interconnected computers we haven't.

> If we get some decent information out there and stop enabling people with the mentality that computer security is an add-on product

This isn't just about getting "information" out, and if it were only information people would've fixed it decades ago. The problem is that there are no incentives. The cost of making products actually secure, dwarfs the cost of getting a product out that makes money. The cost of being found out with a massive security breach pales in comparison to the amount of money to be made on being first to market, or having dominant share.

> I doubt google or microsoft will be significantly harmed by a "cyber-weapon", and I don't think most end-user devices with automatic updates enabled will either.

Linux based Android and Microsoft Windows are currently full of holes and have been exploited now for years. And this is happening by small groups of people who do it for a few dollars or to spy on a company - none of them have the full backing and resources of a nation state.

To think that this problem will suddenly be solved by doing more of the same "educating people" to me comes across as a bit naive. It hasn't worked this long, it won't suddenly work now. Incentives need to change.

Punishment for a security hole needs to increase significantly, entirely new tooling needs to be enforced or some other solution needs to be created.

This is one of those cases where the solution is seen as so drastic that people will want to just ignore or dismiss it. Thinking to themselves, no-one can really be advocating for that it'd impact everything. It will - making our digital systems secure will be hugely expensive. I see a Y2K x 10 style concerted effort as the only way to get things to change - but hopefully someone out there has an idea more likely to be implemented.

I don't think you understand... there's literally 0 chance that hospitals and power plants are going to just universally enable windows update on their critical systems. Any patch that gets applied to life or death systems has to go through significant regression testing before going live.

I guess you could suggest they just get universally redundant systems and take rolling outages, but I'm guessing nobody would be willing to pay for the cost of implementing such a scheme.

Perhaps there should be a 0% chance that those things are on networks and a 0% chance they run a normal consumer grade OS.

If the software in power plants were treated like their hardware it wouldn't be a problem.

A custom OS would have an attack surface larger than one widely used. For high value targets, it'd be easier to attack.
A minimalistic OS intended for high security ought to be much smaller and should lack almost everything a general purposed OS has. This should make the attack surface pretty minimal.

If that OS gets reused by many people so it gets vetted by time I think that would be best. Perhaps a very stripped down Linux or BSD could fill the role. There is absolutely no reason to have things network configuration wizards, wobbly windows or other fluff. I think there are already systems and tools to help someone construct a custom minimal Linux OS (Yocto) and perhaps people already use these to construct appliances for highly sensitive systems.

I don't think we are that far away, at least some industries are pretty well covered already.

The exploits in question haven't been from "network configuration wizards" or "wobbly windows" - they're literally from backwards compatibility. And medical devices are one of the EXACT reasons there's so much cruft in Windows. They rely on ancient code becaues getting things re-approved via the FDA can take YEARS and millions of dollars. Those manufacturers won't change unless they have a gun to their head.

So what... we switch to a stripped down version of Linux that won't ever have the kernel updated and will need to continue supporting version 1.0 of samba because of some arbitrary codepath to load new versions of firmware.

It's easy to sit back and cast judgement when you don't deal with that industry... but they aren't doing it this way because it's fun.

If the certification disallowed extra garbage that would do it without a gun.

> It's easy to sit back and cast judgement when you don't deal with that industry

I work making special purpose appliances right now, well maybe not right this second, clearly I am posting on HN, but I am at my desk where I should be writing software for one of these appliances. I am only describing exactly what my team is doing. We have a certification process too. I know exactly how painful it is. Bitching about the current and acting like it is immutable law won't fix it. Deciding on what "fixed" looks like then trying to change conditions to get there is one possible way to fix it. There are surely others but throwing our hands up and giving while making excuses isn't one of them.

>If the certification disallowed extra garbage that would do it without a gun.

So someone who has a device in them and lives for another 30 years is forced to undergo surgery in order to update to a newer version? And you SERIOUSLY think that's going to fly?

I guess we can just agree to disagree.

We were talking about hospital infrastructure (but your example is worth discusing), I was not advocating re-certifying already deployed implants. Things like the software that runs MRI machines or stores medical records is buggy bloated crapware for the most part, and generally in need of whole replacement to stand a chance of resistant an actual attack.

But your notion of how implants work is interesting.

At present pacemaker batteries need to be replaced every 5 years (sometimes sooner if they stop responding by radio). Most pacemakers are only certified for 2 battery replacements. The situation you describe is actually much better than reality right now.

Did you know there is a count of people who die to pacemaker bugs each year? Did you know that most pacemaker recipients have no right to see the software or pay to have an expert review the software in their pacemaker? I don't know what you think is going on in medicine now, but there is much that is deeply fucked up with it.

Also your point is pretty ridiculous when you consider two points. We can do some updates to implants wirelessly and without surgery. Then consider that when regulations change there is often a subset of things that are grandfathered in from the old rules. There are still cars driving around with no seat belts and it is legal (in most places) because they were manufactured before seatbelt laws and maintained.

The odds of getting it right are no better than any other OS with similar goals. We are not talking about a simple firmware, but something that'll run the software that controls a complicated machine, be it an MRI scanner or a nuclear power plant and that has to communicate with a myriad of sensors, actuators and other devices.

Will you build it with virtual memory? Will processes have separate memory maps? Will they communicate via shared blocks? What kind of protocol and connections will be used for peripherals?

I don't see that happening.

I agree with your assessment that one minimal is fundamentally better than a another newer one. I fail to see how replacing windows XP with a minimal can do anything other than result in an improvement.
If someone is attacking our infrastructure often they will do SOMETHING. I don't know what, but they have no choice. There has been enough ransomware this year that anyone who fell victim is criminally negligent. There are lots of ways to prevent this attack: more frequent backups, more frequent updates, and physical disconnection of the systems (probably more). All of the above should be there in some form anyway.

This will probably mean hospitals and the FDA get much stricter about what is allowed on medical devices. You cannot update because of risk: that means you can only have certified software. Microsoft will not like being told they are not allowed in hospitals and in turn will be more secure.

It is a race, and whoever is doing this is showing their cards early which gives everybody time to fix things. (I will not claim this there is enough time)

Microsoft can't get "more secure". The issue isn't Microsoft, it's the fact that we now live in a world where exploits get publicly released in a time frame that no device manufacturer can possibly keep up with while adhering to fda regulations. Do you want stable or fast? You aren't getting both.
Perfection is impossible, but OpenBSD shows that you can get close: only two exploitable holes is a good track record. Now granted there is a lot of fine print in there (the big one being you need to be up to date - many of the holes people are falling victim to Microsoft has already fixed). OpenBSD puts a large amount of effort into their code audits to achieve that, which is expensive. Microsoft probably will be willing to give devices completely instead of going that far.
And how many third party devices are supported under OpenBSD? What does their ecosystem look like?

It's easy to have a "secure track record" when you say no to 90% of the outside code contributions and support a minimal amount of hardware. There's basically 0 chance that OpenBSD would ever be the source of medical devices.

How much has OpenBSD been used and deployed in the real world compared to other systems in heck of a long time? It is simply not worth anyone's time to try and break it.
(comment deleted)
Those big expensive power surely need software to run the reactors/generators. If there only there were project experts could use to make minimalistic attack resistant operating systems with only the stuff they need. If only we could build Linux From Scratch or a Yocto sized Linux, but alas we may need to settle for small full feature operating systems like a BSD and install only the minimal software we need.

Easy practices like these will keep getting easier. Security is the default position of computers when they are not assembled haphazardly, because secure is a subset of correct. As we fix bugs we increase security. Combine this with half a clue about operational security and defending against "cyber-weapons" is something your organization does without noticing.

We are even now getting to the point were Journalist know to ask questions like "Did your organization fuzz this piece of software?" (Did you read the article yesterday about the windows defender bug). The market is applying more pressure on security and we will figure out how to make the market happy, because that is how it works.

When you're up against a hostile organized adversary, especially a superpower nation-state's government and intelligence agencies, it's very very hard to just rely on better training and education and secure development practices.

Everyone still needs to be doing these things, but the fight here is very asymmetric. If NSA or FSB or equivalent decides they want to disrupt or damage your company in a cyberattack, it's going to happen.

There are lots of reasons to not (fully) trust the NSA (and related agencies). They've done (and likely still do) some things I don't approve of -- I think most of us could write a lengthy post about the details.

At the same time though, we need to collaborate with things like the Information Assurance Directorate (IAD)[0] to secure national systems. There are dangerous weaknesses in the US computer systems, and while a lot of the research on securing systems is done by private groups, government agencies are really the only ones that can sustain the funding and act as coordinators between private and public interests (eg, it's costly to secure the electrical grid, but there's a public interest in having one secure against attack).

So hopefully the past few years have scared the NSA on to a saner course of supporting national defense instead of undermining it. And hopefully we can meaningfully collaborate with them on defense while fighting them on issues of privacy.

[0] - https://www.iad.gov/iad/index.cfm

Again with the evidence-free Russian attribution hypothesis.
Regardless of attribution, do you not find it worrying?
Attribution would appear central. I'd find it worrying if Voldemort was behind this, but I don't see how I could be worried about that possibility without attribution.
Interesting approach.

If you had a disease, would you not be worried until you figured out what specifically caused your disease?

Sure would. But if you told me chemtrails was behind it, I might ask you to show your working before focusing my worries on that.
It seems to be a good match for the observed events.
What events? The fact that Russia is the second most targeted country?

Come on, this is the same old and tiring fake news from the "famous" hungarian oligarch's mass media.

Even CNN has admitted to have produced fake news on Russia and Trump http://www.abovetopsecret.com/forum/thread1176663/pg1

Seriously, this bullshit about the russian is starting to become irritating.

My dog died yesterday. I am sure, it was Putin who did it!

Dude your handle is pabloski

Come on comrade.

For one: if you're using Above Top Secret as a source...

But anyway: there's a lot of sensationalizing and outright falsehoods when it comes to attributing things to the Russian government, no doubt, but we do know they leaked the DNC emails and have a very powerful and aggressive cyber intelligence department.

No, there's no evidence Russia is behind this, but they're starting off as the prime suspect for a lot of good reasons.

It's one day before Ukraine's day of independence from the Soviet Union. Ukrainian tax software, 1 of 2 mandated to be used by all companies in Ukraine, was used to spread it. A high-ranking Ukrainian intelligence official was assassinated the same day. Ukrainian government and companies have been very disproportionately affected. The ransomware was a cover for a data wiper; clearly it has a political rather than a monetary goal. Russia has been caught red-handed in cyberattacks against Ukrainian infrastructure for several years.

It's the Russian government or someone trying to frame the Russian government; I think we can agree on that. We just don't know which it is yet.

> For one: if you're using Above Top Secret as a source...

I presume the original source is this Project Veritas video where they covertly recorded some CNN employee talking that the stories about Russian interference are mostly empty talk without evidence produced because their viewers want to hear them.

> we do know they leaked the DNC emails

We don't, we know they hacked the DNC if we take CrowdStrike's word for it but there is no proof that Russia contacted WikiLeaks and WikiLeaks claims the documents came from an insider. Though it's another question how well they verified that this insider wasn't a Russian agent.

> Russia has been caught red-handed in cyberattacks against Ukrainian infrastructure for several years.

Any examples of that? I can believe that Russia is screwing with Ukraine but I would like to see some links.

>I presume the original source is this Project Veritas video where they covertly recorded some CNN employee talking that the stories about Russian interference are mostly empty talk without evidence produced because their viewers want to hear them.

No, the recordings were out-of-context clips saying that their Russia reporting was sensationalized. I believe they were likely referring to their constant reporting alleging or implying that Trump or his campaign colluded with Russia - this is a very, very different statement from the nigh-proven allegation that the Russian government tried to influence the election by hacking the DNC. (Side note: they allegedly hacked the RNC too, but did not publicly release any of their data.) That was reported on 7+ months ago, while the recorded clips cover recent events.

Don't get me wrong, CNN is a shitty and very biased organization seeking ratings above all else, but the Russia story is much bigger and more complex than some soundbites.

Countries like the US and Russia do this to other countries all the time: this is not new by any means. What would be new is if Trump's staffers were plotting this influencing with the Russian government ahead of time: that is what there is no strong evidence of, so far, and what CNN and some other outlets have been boosting their ratings with.

>We don't, we know they hacked the DNC if we take CrowdStrike's word for it

Far more than just CrowdStrike. Try all of these private firms, in the US and worldwide, including Kaspersky half-confirming it, plus the entire US intelligence community on every level: https://www.reddit.com/r/NeutralPolitics/comments/52uj5c/do_...

And a few more sources, if you want:

https://www.secureworks.com/blog/russian-threat-group-target...

https://www.secureworks.com/research/threat-group-4127-targe...

http://www.cnn.com/2017/06/27/politics/russia-dnc-hacking-cs... (I know it's CNN, but the pertinent quote is from a FireEye analyst: "We have high confidence that this is a Russian intelligence organization," Hultquist said. "Because we've been tracking this actor for so long and we've seen so many artifacts, forensic and otherwise, that suggests that this actor is carrying out Russian intelligence missions.")

I'll gladly dig up 10+ more if you want to argue about what the private sector says about this. (Disclaimer: I do work in infosec, so I could have a slight bias.)

So maybe you don't trust the CIA, FBI, NSA, DIA, etc. all agreeing... but do you also distrust CrowdStrike, Kaspersky, ThreatConnect, FireEye, and Dell SecureWorks all independently investigating and agreeing that CrowdStrike's initial analysis was not only correct, but even missed other indicators. These are all competing firms. Admittedly, all but one are in the US so you could allege they're all being paid off by the government... but Occam's razor and all.

>Any examples of that? I can believe that Russia is screwing with Ukraine but I would like to see some links.

There are many examples but I CBA to find sources right now. Check the references in these articles:

https://en.wikipedia.org/wiki...

> Far more than just CrowdStrike. Try all of these private firms, in the US and worldwide, including Kaspersky half-confirming it

ACK

> plus the entire US intelligence community

For the record, AFAIK these based their report on data from the above companies. IIRC there was a story that the FBI was denied access to DNC machines but they still signed this report attributing the hack to Russia. That's why I said it's pretty much CrowdStrike's word.

> I do work in infosec

OK, so I'd like to use this as an opportunity to ask another question - is it normal to let such intrusions last for so long? CrowdStrike blog claims that they identified Cozy Bear and Fancy Bear immediately after the DNC hired them, which per the WaPo article they link happened in late April. WL emails run until May 25th and cleanup had been finished on June 14th, shortly after WL announced that they received the material. Does that make sense? I would naively expect that they were supposed to prevent such exfiltration.

>For the record, AFAIK these based their report on data from the above companies.

Perhaps in small part, but it's already leaked repeatedly (see the recent NSA leak from Reality Winner) that the NSA, perhaps along with other agencies, has classified intelligence linking this group directly to their cyberintelligence divisions, along with evidence supposedly showing Putin explicitly ordered it.

>OK, so I'd like to use this as an opportunity to ask another question - is it normal to let such intrusions last for so long? CrowdStrike blog claims that they identified Cozy Bear and Fancy Bear immediately after the DNC hired them, which per the WaPo article they link happened in late April. WL emails run until May 25th and cleanup had been finished on June 14th, shortly after WL announced that they received the material. Does that make sense? I would naively expect that they were supposed to prevent such exfiltration.

I think if it's true that they were hired in April and emails dated May 25th were leaked, then yes, it's unusual they'd be unable to remediate the compromise after so much time. It's possible there's more to that story I'm not aware of (perhaps they intentionally let them stay on the network so they could better monitor them; this is not unheard of at all), or it's possible the group was just really good and hard to evict from the network. Or their incident response team did a bad job securing the network.

The connection between these APTs and DNC and determination of the scope of each group's activities seems to be dependent on CrowdStrike investigation. That they are likely Russian is another thing.
I'm not going to go over all the evidence again, but no, that is not the case. There is much more than just CrowdStrike's findings here.
> The West needs to take this threat very seriously, or we'll soon find ourselves at the wrong end of the barrel of a new weapon.

I agree with your assessment.

But with US politics as they are, it is hard to imagine anything being taken seriously.

(comment deleted)
> The West needs to take this threat very seriously, or we'll soon find ourselves at the wrong end of the barrel of a new weapon.

Our geopolitical opponents should be cautious as well - Public knowledge of weapons technology is often decades behind the reality and I doubt the US and it's allies are unable to defend and respond to any large scale attack.

I doubt anyone failed to draw the intended meaning from the government messaging around Stuxnet.
I'm surprised to see even people on this site downplaying how worrisome these attacks are.

The ability to shut down an enemy's computer systems remotely is an awesome power, and will only become more impactful as we rely more and more on computer systems in our everyday lives.

Forget space: the internet is the next frontier. A group of enemy soldiers shutting down a hospital would be met with outrage and military backlash. A group of hackers shutting down fifty hospitals is met with jokes about outdated operating systems and derision towards IT directors.

At what point do we stop treating these like annoyances of a strange new world and start treating them like what they are: targeted, military-grade attacks. The whole world can see how woefully unprepared the West is for attacks of this nature and the attackers are only going to grow more bold.

The more intertwined tech is with the military, the more powerful the cyber-warfare paradigm becomes.

A thing you two aren't considering is the that US and the UK are the world leaders on the offensive side of this same technology, "we" just do a (slightly) better job of keeping this stuff contained. Raytheon, BAE, etc. all have cyber weapons development divisions and obviously GCHQ and NSA do their own internal development. The west's policy of "proportional response" will apply to cyber attacks as well.

Not that this is an excuse for having unpatched systems or not designing for the catastrophe scenario, but we should remember that this is a two-way street.

>A thing you two aren't considering is the that US and the UK are the world leaders on the offensive side of this same technology

Exactly, on the offensive side. I'm not particularly concerned about our ability to retaliate proportionally.

But what good is a deterrent if it fails to deter attackers? Our defensive capabilities are clearly lacking, as these past few attacks have shown.

> A group of enemy soldiers shutting down a hospital would be met with outrage and military backlash. A group of hackers shutting down fifty hospitals is met with jokes about outdated operating systems and derision towards IT directors.

The problem with this analogy is that, while an attack by a group of enemy soldiers is easily attributable to a specific nation, cyberattacks can be carried out by pretty much anyone; and it's not easy to say with confidence that a specific government organization orchestrated the attack.

I'd be more inclined to compare this to a terrorist attack at an airport carried out by someone who managed to get a homemade bomb past security by simply slipping by while no one was looking. Outrageous, sure, but not necessarily easy to attribute to a specific nation, and probably preventable had security measures not been wholly inadequate.

"Outrageous, sure, but not necessarily easy to attribute to a specific nation"

That won't stop governments, "security experts", and the media from attributing it to specific nations anyway.

The sad thing is that such consequences have been foreseen for decades, but few people or companies have taken them very seriously.
> A group of enemy soldiers shutting down a hospital would be met with outrage and military backlash. A group of hackers shutting down fifty hospitals is met with jokes about outdated operating systems and derision towards IT directors.

If only stopping soldiers with assault rifles would be as easy as keeping the doors closed.

I get a lot of equipment can't be updated because of certification, but it's been obvious since the early 2000s these things should operate on hardened and isolated networks.

> A group of enemy soldiers shutting down a hospital would be met with outrage and military backlash. A group of hackers shutting down fifty hospitals is met with jokes about outdated operating systems and derision towards IT directors.

If only stopping soldiers with assault rifles would be as easy as keeping the doors closed.

I get a lot of equipment can't be updated because of certification, but it's been obvious since the early 2000s these things should operate on hardened and isolated networks.

> Russia

Accusations without evidence are irresponsible; incorrect attribution erodes trust and justifies resentment that lasts far longer than the current situation.

The article discusses evidence suggesting that Ukraine was the target, but that's only circumstantially suggests that Russia may be responsible. Proper attribution of anything on the internet is already incredibly difficult. The history of false flags and other deception-based motives makes the problem even harder.

> Best case is all sides escalate cyber-weapon "strength" to unthinkable levels and we enter a new cold-war standoff.

No, the best case is for software authors to be held liable for the safety problems in the infrastructure they create. MAD isn't going to stop other parties - even script kiddies - from exploiting the same bugs. Yes, it will cost a lot of time and money, but we've known how to build secure systems for a long time[1].

Escalating another conflict between the two largest nuclear powers is a plan that has a very good chance of getting a lot of people killed.

From the article:

>> The Kremlin spokesman Dmitry Peskov said: “[The attack] again proves the Russian thesis that such a threat requires cooperation on the global level.”

I have a lot of issues with the current administration of Russia, but this is how we will survive the brave new technological world. MAD relies on the fear of retaliation; a far more reliable method of deterring hostilities is to create the situation where each side no longer wants a conflict, which can be accomplished with economic interdependencies. You don't bomb - conventionally, atomically, or with a weaponized computer virus - the business partners you rely on.

[1] https://en.wikipedia.org/wiki/Trusted_Computer_System_Evalua...

> The history of false flags

Ukraine has a history of false flags? Do tell.

That's not a false flag, it's just a refusal to accept responsibility.
Might be mixing it up with MH 17, which each side claimed the other downed.
I assumed as much. And well, it was downed by Russian backed separatists(maybe even "off duty" Russian soldiers) using Russian equipment. I think the Russians just wanted spread a false narrative to sow distrust in factual reporting about the conflict. That is really more of a disinformation campaign than a false flag.
How is that an example of false flag? They shot it down (16 years ago, mind you), and eventually owned up to it.
History (in general) has numerous examples of false flags. It doesn't matter who the current players are, spies and disinformation exist, and intentionally misleading signaling happens. Accusations therefor requires at least some evidence connecting the accused to an action (or excluding everyone else).
Are you familiar with Cui bono? Quite a number of things that Russia does these days fall under that category and are generally accepted as Russia's doing despite any concrete evidence. I.e. killing Putin's critics, sponsorship of far right parties in Europe, supporting an uprising in Eastern Ukraine, etc.
> Are you familiar with Cui bono?

Of course. It's a very good heuristic for where to start an investigation; the guilty party is often found among the people that benefit. It can also be a plausible motive.

However, as evidence it's only circummstanti8al. I shouldn't accuse you of robbing your local bank simply because you could have benefited from the stolen cash.

> are generally accepted as Russia's doing despite any concrete evidence

A lot of people have been making fallacious claims about Russia (and other places). I suspect that Putin is responsible for some of tho9se claims, but that doesn't mean they all are. Argumentum ad populum is still a fallacy,

We should be concerned with evidence, cold hard truth, before premature escalation.
You should stop posting your useless suspicions everywhere.
Please don't do this here, even if another comment seems useless or wrong.

Instead, if you have a substantive point to make, make it thoughtfully; otherwise please don't comment until you do.

You would think that in such dire times, the Five Eyes would want adopt a stronger policy towards security and less towards leaving every PC and smartphone vulnerable to attacks to make surveillance easier. Instead, they're now getting ready to discuss how to backdoor devices and encryption at the upcoming Five Eyes and G20 meetings.
Citizens are more likely to support a war if the affects are felt at home. Every child that dies in a hospital that is under attack will be a rallying cry for the masses.
Maybe this was retaliation for Wannacry which exploit (EternalBlue) was developed by the west and causing havoc through a ransomware. It would follow a tit-for-tat escalation strategy in cold-war style. The NSA did not intended to have wannacry but I can easily see if an other nation do not care about the distinction.

International laws would be nice. Few'er hospitals would be crippled by tax supported malware development. Focus could be spent on improving security and patching fault rather than hording and exploiting.

East vs West, Cold War, Politicians, "Cyber".

Does anyone else find it foreboding that attacks like these are still being primarily framed within the terminology of a legacy 50+ year old threat model?

"World War III is a guerrilla information war with no division between military and civilian participation."

-Marshall McLuhan (1970)

Yes tech sites are now advising people not to pay because their mail provider has already shut down their account.

But how many average users read tech sites?

I wouldn't discount monetary motives just because their method of handling payments is dodgy. As long as that bitcoin ID is up it will be used.

It's not exactly in their interest to be honest here.

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaA...

If I where to bother committing a crime I'd want a lot more than that.
It's a numbers game. Looking for volume over one whale.
I equate these guys with spammers so from that perspective I'm not surprised. Simplest explanation is often the right one.
The single point of failure was the posteo.de[1] account. Surely doing business over this kind of channel was doomed to fail. Infosec Twitter is alight with conspiracy theories that receiving money was the least of the attacker's concerns. I too believe that they just wanted to cause damage and piss people off in Ukraine, using the ransom functionality of the software as a front. BTW: Instead of using email, what should they be using to offer support and arrange payment? Some sort of encrypted instant messenger system?

[1]: https://posteo.de/en/blog/info-on-the-petrwrappetya-ransomwa...

The article provides no evidence for the claim made in the title. Even if it were to do so, the article leaves the dangling question of why bother to include the ransom component at all.
You need to do something destructive to study the scale of real world disruption resulting from such offensive and to motivate victims to report infections. They could probably go with the old-school format c:, but ransomware seems to be all the rage nowadays.
It made maybe $10,000, from the Bitcoin tracker.

As for damage, Maersk container terminals worldwide are still shut down on the truck side, not accepting containers for shipment. Maersk is so down that their web sites with status info aren't being updated to show that they're down.[1] Their Twitter feed has general statements.[2] The only good info seems to come from the Port Authority of New York and New Jersey, which is telling truckers not to come to Maersk's terminal today, Wednesday.[3]

Understand what this means. The biggest container ports in the US and Europe have been down for two days. There's no announced re-opening date yet.

Nobody else seems to have been visibly hit as hard as Maersk, other than the Kiev subway fare collection system.

[1] http://www.apmterminals.com/en/operations/north-america/port... [2] https://twitter.com/Maersk [3] http://btt.paalerts.com/recentmessages.aspx

Hopefully this will lead to less complacency, and an increased interest in and more funding for security. In the long run, hopefully infrastructure like this will become more hardened and less susceptible to such attacks.