By Dustin Volz and Sarah Young
WASHINGTON/LONDON (Reuters) – The White House on Thursday blamed Russia for the devastating ‘NotPetya’ cyber attack last year, joining the British government in condemning Moscow for unleashing a virus that crippled parts of Ukraine’s infrastructure and damaged computers in countries across the globe.
The attack launched in June 2017 by the Russian military “spread worldwide, causing billions of dollars in damage across Europe, Asia and the Americas,” White House Press Secretary Sarah Sanders said in a statement.
“It was part of the Kremlin’s ongoing effort to destabilize Ukraine and demonstrates ever more clearly Russia’s involvement in the ongoing conflict,” Sanders said. “This was also a reckless and indiscriminate cyber attack that will be met with international consequences.”
The strongly worded but brief statement was the first time the U.S. government has blamed Russia for what is considered one of the worst cyber attacks on record. Many private sector security experts had fingered Moscow months ago.
The statement came days after leaders of U.S. intelligence agencies again warned that Russia, and potentially other adversaries, were likely to attempt to use cyber means to meddle in the U.S. midterm elections in November.
Experts said the White House vow of a response needed to be met with clear action, especially because U.S. President Donald Trump has sought to improve relations with his Russian counterpart, Vladimir Putin, and has at times appeared dismissive of the cyber threat posed by Russia.
The U.S. government is “reviewing a range of options,” a senior White House official said when asked what consequences Russia would face.
It was not clear what those options were, nor what was meant by “international consequences.”
Earlier on Thursday Russia denied being behind the attack, saying the accusations were part of a “Russophobic” campaign that it said was being waged by some Western countries.
The White House had intended to release a statement about ‘NotPetya’ at the same time as London, but those plans were delayed due to a school shooting in Florida, according to three sources familiar with the matter.
The U.S. government has been quicker to blame other nations, most notably North Korea, for destructive cyber attacks, including the WannaCry ransomware attack in May 2017.
Some administration officials have worried that publicly blaming Russia without imposing some cost could raise questions about why the United States was not retaliating, said two sources familiar with the internal debate.
Others argued that because the United States also conducts covert cyberspace operations that could not be discussed in public, the statement attributing blame to Moscow required no elaboration, the sources said.
In addition to covert operations, retaliation could take the form of further sanctions on Russia or other diplomatic penalties.
Trump has resisted the conclusion of U.S. intelligence agencies that Moscow also meddled in the 2016 U.S. presidential election. After he met Putin in Vietnam last November, Trump said he believed the Russian leader when he denied his government interfered in the election.
Democrats and some Republicans have criticized the Trump administration for not imposing sanctions that were passed unanimously by Congress last summer and were intended to punish Moscow for meddling in the 2016 election.
“With Russia, if we are promised consequences, people are going to be looking for tangible proof” of a response, said Kenneth Geers, a security researcher at the cyber firm Comodo and former U.S. intelligence official who works at NATO’s think tank on cyber defense.
“Otherwise it seems like a real empty promise.”
The NotPetya attack started in Ukraine, where it crippled government and business computers before spreading around Europe and the world, halting operations at ports, factories and offices.
Britain’s foreign ministry said in a statement released earlier in the day that the attack originated from the Russian military.
“The decision to publicly attribute this incident underlines the fact that the UK and its allies will not tolerate malicious cyber activity,” the ministry said in a statement.
“The attack masqueraded as a criminal enterprise but its purpose was principally to disrupt,” it said.
“Primary targets were Ukrainian financial, energy and government sectors. Its indiscriminate design caused it to spread further, affecting other European and Russian business.”
(Reporting by Dustin Volz in WASHINGTON and Sarah Young in LONDON; Additional reporting by Katya Golubkova in MOSCOW, Andrea Shalal in MUNICH, Teis Jensen in COPENHAGEN, and Steve Holland and John Walcott in WASHINGTON; Editing by Mary Milliken, Bill Rigby and Daniel Wallis)