TLDR UpFront: In less than two days a wave of sophisticated ransomware attacks spread across Eastern and Western Europe, Britain and South East Asia. It was distributed via phishing emails that, when clicked, activated stolen NSA malware which froze access to the computer system until the user sent the equivalent of ~$300 in Bitcoin to regain access. The malware was stolen months ago by a hacking group, the Shadow Brokers, but the vulnerability it exploits has since been patched by Microsoft. Although such ransomware attacks have been growing in frequency, this may be the largest incident to date, and it represents a shift from more traditional large-scale identity theft or denial-of-service attacks.
Obligatory virus pic. No, I don’t know what that code means in the background.
FullContext in the Back (see update at bottom):
Seven years ago, prompted by the Stuxnet virus, I asked “Are we on the precipice of formless warfare?” It’s an interesting analysis with the benefit of historical perspective. Experts at the time would’ve laughed and said we were already over the cliff, the invasion of Georgia by Russia in 2008 being arguably a conventional strike accompanied by formless warfare. But clearly by now we see formless warfare executed right alongside conventional warfare more frequently: Crimea and Ukraine, the interplay between terrorists and counter-terrorists on social media, our own actions in Israel, and of course the Russian actions in our past election.
What I speculated would be a stage largely held by state actors has now been crowded by non-state actors. Anonymous takes down ISIS Twitter accounts whenever it needs a dose of relevancy. Wikipedia was the means of disseminating the hacked DNC emails. Criminals, aided by the increasing power of technology, are reaching the point where, much like terrorists and insurgents, they may cross a threshold: past the nuisance of ordinary crime and into a national security threat.
A large wave of ransomware attacks in the last two days may raise that question, at least in the public debate. (It has already been going on in private for quite some time.) Up until now cybercrime has come mainly in two forms: denial-of-service attacks, or identity theft through stolen data. The first has struggled to achieve more than occasional short-lived wins, taking down a website here or there, occasionally hitting a node. The second is like white-collar crime – a painful, brutal crime with real victims – but often out of sight and out of mind. Ransomware, however, is more like extortion, a new play on an old hand. It’s a beefy street thug walking up to your desktop swinging a baseball bat and saying: “Nice computer ya got there, shame if something, ya know, were to happen to it.”
In a ransomware attack the hackers, or their malware, gain control of the victim’s computers or data and demand some form of ransom to hand access back to the original owners. These ransomware attacks have been going on for some time, though cybercriminals have been careful to target only small to mid-size companies. Too small and the companies can’t pay; too large and the companies have the resources to fight back and/or get law enforcement involved. The typical asks have ranged from a few hundred to a few thousand dollars, and much of it has gone unreported.
This wave of attacks is altogether different in scope. Rather than being targeted, this hack was delivered by virally spreading malware in the form of a phishing email. When users activate the malware it exploits a Windows vulnerability that allows it to take control of the computer; it then encrypts the computer’s contents and hands the encryption keys over to the remote attacker, effectively locking the local user out. A message asking for a sum of money payable in Bitcoin is displayed in a window, and at that point the computer allegedly becomes a brick unless the money is paid. (1)(2) What makes the attack so effective is that the malware it uses is allegedly one of the NSA tools stolen by a hacking group named “the Shadow Brokers” just a few months ago. It’s not clear whether these attacks are by the Shadow Brokers or by another group that acquired the malware from them or stole it from the NSA as well. This wouldn’t be the first time US weaponry got loose and ended up being used against the US or our allies. The vulnerability the NSA malware exploited in Windows had been patched, but anyone who hadn’t, or couldn’t (see below), apply the patch was left completely exposed.
Second obligatory tech pic. I believe these are wires.
What’s interesting is why this attack hit so many companies. It’s possible that, because of its viral nature, the attack “got away” from the original plan, a 21st-century version of the plot-device computer virus that steals half-pennies a few at a time on behalf of the plucky hacker and ends up raking in hundreds of thousands of dollars, as seen first in Superman III (3) and later in Office Space (4). Whether intended or not, by Friday evening the attack had spread “to more than 74 countries, according to security firms tracking the spread. Kaspersky Lab, a Russian cyber security firm, said Russia was the worst-hit, followed by Ukraine, India and Taiwan. Reports of attacks also came from Latin America and Africa.” (1)
Britain was hit especially hard because the National Health Service took it in the hard drive: the “attack caused some hospitals to stop accepting patients, doctor’s offices to shut down, emergency rooms to divert patients, and critical operations to be canceled as a decentralized system struggled to cope.” (5) The NHS was made more vulnerable because it was still running Windows XP, for which Microsoft stopped providing updates in 2014. The NHS budget for cyber security in 2015 was $0. (5)
Although the US has not been hit as hard yet, the ransomware attacks take place alongside two key developments in US cyber security. First is an Executive Order signed by President Trump to improve executive agencies’ cyber security preparedness. Second is his summary dismissal of the head of the FBI, the lead agency for responding to criminal cyber attacks.
The executive order is of the “observe and report” variety; it doesn’t actually do anything other than ask executive agencies to review their cyber security posture and report back in 90 days. These are the easiest EOs to write, because they give the appearance of activity. Without follow-up, however (leadership focus, funding, budget commitments and a supportive Congress), little will happen. (6) As for Comey, this is a topical reminder of why partisan politics should be confined to politicians and not spread to the independent leaders of key agencies, because they actually have jobs to do that aren’t political in nature. It reminds the InfoMullet of the dismissal of LTG Stanley McChrystal by President Obama for his ongoing, and public, disagreement with the White House on the size of the troop surge, ending with the final straw of inappropriate comments his staff made in close proximity to a Rolling Stone reporter.
Neither Comey nor McChrystal is a poster child for apple-shiners to their respective Presidents. Then again, that’s not their job. Comey’s job was to lead an agency of investigators, some of whom are asked to investigate cybercrime. McChrystal’s was to lead US Forces in Afghanistan in a counterinsurgency effort. This isn’t to say both didn’t need to eat some humble pie for obvious and clear missteps. But both President Obama, and now President Trump, should’ve put on the cowboy pants and realized that there are individuals in the government whose jobs are more important, for “real world” reasons, than the ego of the current office holder. And absent clear violation or gross insubordination (such as with General MacArthur and Eisenhower), alternate means of rebuke should be examined. For President Obama this could’ve been taking the apology visit of McChrystal, hearing his offer of resignation – because McChrystal absolutely did wrong – but not accepting it. Likewise, President Trump would be within his rights to have the AG perhaps have a chat with Comey about the missteps the ex-Director had made, if that was truly the case. And not Russia.
Because Comey’s actual job, the one he’s supposed to be doing when naked emperors aren’t forcing him into the political arena, is to lead an organization that’s supposed to respond to actions such as the recent overseas attacks should they come to the US. Cybercrime has been a big focus of Comey’s tenure as Director, though with mixed reception depending on who one talks to: law enforcement or privacy advocates. (7) Any shakeup such as this is going to leave a leadership vacuum as positions move around, as well as the morale hit discussed in the last post. (8) To his credit, President Obama had matured away from his first-term political immaturity in this regard, as almost all Presidents do, by the end of his second term. When Comey delivered the now infamous letter to Congress, President Obama was perhaps the only major Democrat to do the right thing and stand behind him to forcefully defend the Director’s independence, record, and actions. One can only hope President Trump learns the same lesson at a faster pace. If the cybercriminals are going to escalate to, effectively, what amounts to high-seas digital piracy, then the agencies that are tasked with stopping them are going to need their Woodes Rogers. (See what I did there? Cue dénouement.)
Just like the golden age of piracy for which this post is named, there will always be transition periods in technology, or in modes and mediums of commerce, which are exploitable by criminals. And during those times there will be an unintended but natural leeway given to the criminals as the state actors “catch up” to obtaining the means to stop them, or focus on other issues such as actual wars. But just as the golden age came to an end once the conditions which allowed its rise ended and the civilized world finally turned its combined attention to it, so too will cybercriminals experience such a fate if they push the boundary too far. Shutting down several hospitals, major infrastructure, segments of the economy: that likely lies on the other side of that boundary.
Crossing that boundary, from cybercriminal to being labeled a terrorist, would be a stark wakeup call. Cybercriminals can reside in a variety of countries, accessing the latest technology and high-speed internet, largely unafraid of extradition or prosecution. It’s just too difficult, too time consuming, and the crimes too small, to apprehend them. Terrorists on the other hand tend to congregate within the boundaries or on the borders of failed states, shunning all technology, even the cell phone, for fear of a Hellfire missile strike from a drone.
Like pirates, cybercriminals can only harass a nominal amount of shipping and get away with it for so long. The TV series Black Sails premised that the pirates were in a war against the world. And in that show the voices of reason almost always came from the ex-slaves among the pirates. The recently freed Julius laughs at the thought of changing the world as an outlaw: “You cannot change the world that way. The world is just too strong.” Or Max who, upon hearing the latest scheme to war with the world, rebuts: “Civilization has been winning that war for 10,000 years…you cannot fight civilization from the outside in.” (9)
Whoever launched the ransomware attacks may have gained access to the malware stolen from the NSA, but it was the NSA who created it. And the NSA’s big brother, the DoD, also has acronyms available like the JDAM and the MOAB. It’s one thing to live with the assurance that you lie on the side of the boundary where sovereign state actors just can’t be bothered sending someone to your door with a warrant. But it’s another bet altogether that, having woken sleeping giants, one lies on the other side of the boundary where a Reaper drone is the one who knocks.
It’s not clear we’re at that point yet, or, even if we are, whether there is consensus for such a policy. It’s much like “how should we treat terrorism” pre-9/11. But if the cybercriminals, much like those pirates of Nassau, believe that they can wage war against civilization, they will find that, contrary to popular belief, civilization is the most effective war-waging instrument ever invented.
Protip: civilization always wins against outlaws in the end.
My advice? Stick to identity theft and leave the hospitals alone.
Update 5/14/2017: Apparently, having learned from both Superman and Office Space, the hackers left a kill switch in the code: a way of turning off the virus before it spread too far, too fast. Unfortunately for them this kill switch was discovered by accident by a security blogger who found that the code had all infected computers ping an unregistered web domain. When he decided to register it, the kill switch was activated and the virus died. (10) Not quite the tense duel between elite programmers testing the mettle of their hacking skills in real-time cyber combat we’ve been led to expect from Hollywood. (11)
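The kill switch described above, seen from the defender’s side, as an added example that is not code from the original post: the kill-switch domain name, the BIND-style query-log format and the log lines are all constructed placeholders. The point it shows is that registering the domain did two things at once: it told the malware to halt, and it turned the DNS resolver logs into an inventory of hosts that had run the malware and should be isolated and patched first.

```python
import re
from collections import defaultdict

# Constructed placeholder; the real kill-switch domain is not given on this page.
KILLSWITCH_DOMAIN = "killswitch-domain.example"

# Constructed resolver log lines in a BIND-style query-log format (assumed).
SAMPLE_DNS_LOG = """\
12-May-2017 10:01:02.100 client 10.0.1.15#51234: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 10:01:05.221 client 10.0.1.15#51240: query: www.example.org IN A + (10.0.0.53)
12-May-2017 10:02:11.004 client 10.0.2.7#40122: query: KILLSWITCH-DOMAIN.EXAMPLE. IN A + (10.0.0.53)
12-May-2017 10:03:40.900 client 10.0.3.99#33001: query: mail.example.org IN MX + (10.0.0.53)
12-May-2017 10:04:01.330 client 10.0.1.15#51250: query: killswitch-domain.example IN A + (10.0.0.53)
"""

QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def killswitch_decision(domain_resolves: bool) -> str:
    """Model the check the post describes: while nobody had registered the
    domain the lookup failed and the malware kept spreading; once the domain
    was registered and resolved, the malware halted."""
    return "halt" if domain_resolves else "spread"


def hosts_that_hit_killswitch(log_text: str, domain: str = KILLSWITCH_DOMAIN) -> dict:
    """Return {client_ip: lookup_count} for every client that looked up the
    kill-switch domain. Names are compared case-insensitively and without the
    trailing dot, since resolvers log both forms."""
    hits = defaultdict(int)
    wanted = domain.lower().rstrip(".")
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and m.group("qname").lower().rstrip(".") == wanted:
            hits[m.group("client")] += 1
    return dict(hits)


if __name__ == "__main__":
    print("unregistered domain ->", killswitch_decision(False))
    print("registered domain   ->", killswitch_decision(True))
    for ip, n in sorted(hosts_that_hit_killswitch(SAMPLE_DNS_LOG).items()):
        print(f"{ip}: {n} kill-switch lookup(s), triage this host")
```

Point the parser at the real resolver logs and the real domain, and every client it lists has executed the malware at least once, whether or not the encryption stage ran.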
(2) Brick is a technical term for a non-functioning computer. I think. Any actual cyber security expert reading this article is probably pulling their hair out by now at my usage of terms, and for that I apologize. I’m writing for the general audience. But no one reads the footnotes anyway, so I think I’m good. In the eternal words of John Calvin: “They who would learn cyber security, and other recondite arts, let them go elsewhere.” http://biblehub.com/commentaries/calvin/genesis/1.htm
(4) https://www.youtube.com/watch?v=I80QQ1gbpX8 I am exercising maximum restraint not to just go to the 1995 movie “Hackers” for jokes, just in case this escalates, so I have something left in reserve.
(11) https://youtu.be/hTekDcdtVcg I tried, I really did.