This is why they think it is a state actor, NotPetya was crippled to *not* attempt to spread via the internet, and only propagate itself to machines in the same private network. The initial infection vector for the private networks was via a dodgy update of MeDoc, which is mainly/solely used within Ukraine. The intention was (probably) to cripple Ukrainian companies.
Multinationals who have offices in Ukraine, and are required to use MeDoc, got infected in their Ukraine offices, which then spread outside the couuntry via internal network links.
Biting the hand that feeds IT
