On 24 October, a strain of ransomware dubbed 'BadRabbit' infected computers in Russia and Ukraine – locking them down and demanding bitcoins. Days later, a number of questions still remain about who was responsible for the attack, and how NSA exploits came into play.
Upon analysis, multiple cybersecurity firms – including Cisco Talos, F-Secure and Symantec – have now concluded that an exploit known as 'EternalRomance' helped the malware spread across networks.
That tool was stolen from US spies and leaked online in April by a hacking unit known as The Shadow Brokers, a group with alleged, but unconfirmed, ties to Russia.
Crucially, researchers have also found that some of the code used in the BadRabbit attack shared key similarities to that spotted in a previous June outbreak – which involved malware known as "NotPetya".
Some experts are beginning to theorise that all roads may lead to the Kremlin. When it hit, NotPetya hit hard – originating from a hacked software update pushed out by a Ukrainian accounting firm called MeDoc.
Many experts quickly claimed that there was a very real chance hackers aligned to the Russian state, Ukraine's closest neighbour, were involved.
"I think this was directed at us," Roman Boyarchuk, head of Ukraine's state cyber police, told Wired at the time. "This is definitely not criminal. It is more likely state-sponsored."
And he was not alone advancing this theory. John Watters, head of global cyber intelligence operations at FireEye, said his team was "reasonably confident" that the attack was launched by Russia.
Ukraine's security service, the SBU, said the NotPetya attack was orchestrated by the same group of Russian hackers (called "Telebots") who targeted its power grid back in December 2015.
The NotPetya attacks overwhelmingly infected computers in Ukraine with the help of a second NSA cyberweapon called 'EternalBlue', but that was not discovered in the latest outbreak.
But even without that tool, the links between BadRabbit and NotPetya are clear, experts say.
"It is highly likely that the same group of hackers were behind BadRabbit ransomware attack [...] and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine," said Rustam Mirkasymov, expert at Group-IB, a Russian cyber firm.
He added: "Research revealed that the BadRabbit code was compiled from NotPetya sources."
Mirkasymov said that the hackers "changed their tools" in order to appear like a conventional cybercrime group – but were caught out using the same internet domains as the previous attack.
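The attribution argument above rests on two kinds of overlap: reused code and reused internet domains. As an added illustration (not code from the article or from any of the firms it quotes), the scorer below compares two campaigns' indicator sets per class, weights code reuse above infrastructure reuse above shared techniques, and, as a practitioner caveat, discounts domains that belong to widely shared public infrastructure, because two unrelated actors using the same CDN or dynamic-DNS provider is not a link. All campaign names, indicator strings and weights are constructed placeholders.

```python
"""Indicator-overlap scorer for campaign attribution.

Added example with constructed sample data; none of the indicators below
are real IoCs from BadRabbit or NotPetya.
"""
from dataclasses import dataclass

# Analyst-chosen weights: code-level reuse is stronger evidence than
# infrastructure reuse, which in turn is stronger than shared techniques.
WEIGHTS = {"code": 3.0, "domain": 2.0, "ttp": 1.0}

# Widely shared infrastructure that must never count as a link between actors
# (constructed placeholder names in the reserved .invalid TLD).
SHARED_INFRA = {"example-cdn.invalid", "example-dyndns.invalid"}


@dataclass
class Campaign:
    name: str
    indicators: dict  # indicator class -> set of indicator strings


def overlap(a: Campaign, b: Campaign) -> dict:
    """Per-class overlap (shared infra removed) plus a weighted 0..1 score."""
    report = {}
    weighted_sum = 0.0
    weight_total = 0.0
    for cls, weight in WEIGHTS.items():
        set_a = set(a.indicators.get(cls, set()))
        set_b = set(b.indicators.get(cls, set()))
        if cls == "domain":
            # Shared public infrastructure is not evidence of a common actor.
            set_a -= SHARED_INFRA
            set_b -= SHARED_INFRA
        union = set_a | set_b
        inter = set_a & set_b
        jaccard = len(inter) / len(union) if union else 0.0
        report[cls] = {"shared": sorted(inter), "jaccard": round(jaccard, 3)}
        weighted_sum += weight * jaccard
        weight_total += weight
    report["score"] = round(weighted_sum / weight_total, 3)
    return report


# Constructed sample campaigns: "earlier" and "later" share one code routine,
# one command-and-control domain and one spreading technique, and both also
# touch a public CDN that should be ignored.
EARLIER = Campaign(
    "earlier-outbreak",
    {
        "code": {"wiper_routine_v1", "credential_dumper_v1"},
        "domain": {"c2-one.invalid", "example-cdn.invalid"},
        "ttp": {"smb_exploit_spread", "trojanised_update"},
    },
)
LATER = Campaign(
    "later-outbreak",
    {
        "code": {"wiper_routine_v1", "dropper_v2"},
        "domain": {"c2-one.invalid", "example-cdn.invalid", "watering-hole.invalid"},
        "ttp": {"smb_exploit_spread", "drive_by_download"},
    },
)


def sample_report() -> dict:
    """Run the scorer over the constructed campaigns."""
    return overlap(EARLIER, LATER)


if __name__ == "__main__":
    for cls, entry in sample_report().items():
        print(cls, entry)
```

The score is a ranking aid for an analyst, not proof: it says how much of each campaign's tooling and infrastructure recurs once shared services are stripped out, which is the same kind of evidence the researchers quoted in the article are weighing.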
The links were quickly backed up by researchers from other companies.
"We think there's good evidence that suggests the same person or group is responsible for both last June's NotPetya attacks and what we're seeing now with Bad Rabbit," F-Secure wrote in a blog post.
"Malware authors often learn from what works, so finding the same characteristics in different families is not uncommon. But the similarities we're seeing here are too much to be just one attacker copying another," it added.
Ultimately, it remains unclear whether Russia was explicitly involved. Kremlin officials have previously brushed off accusations that Russia targeted Ukraine with ransomware.
And cybersecurity experts are always the first to warn that concrete attribution remains not only difficult, but often impossible. Then there is the little fact that BadRabbit hit a number of high-profile Russian targets – including state media outlets Interfax and Fontanka.
After all, why would the Russian hackers launch a cyberattack on themselves?
"There is a lot of speculation that Russia is the main target, which may be true, but does not rule out Russia as the attacker," Dr Andrea Limbago, scientist at cyber firm Endgame, told Ars Technica.
"BadRabbit hit Russian media companies and Putin has a history of cracking down on the media."
Now, as questions continue to mount, researchers continue working to unmask the culprits.