By David Haggith:
North Korea may have launched the viral attack but the origins of the virus’s development go much deeper and do appear to come home to rest in the US…
The Wannacry malware, which hit like a global mega-bomb, showed everyone how vulnerable we are to a global cyber attack. Billed as “one of the largest global ransomware attacks the cyber community has ever seen,” the infection started in London and then emerged almost instantly in Seattle, New York, and Tokyo. Within ten minutes, the coordinated attack became epidemic throughout the world, covering the better part of every continent but Antarctica. By the end of one day, the malware had infected over 200,000 computers in 150 nations, encrypting all their data and locking the users out.
While the attackers demanded a ransom in order to free hostage computers, the small number of companies that paid the ransom required for unlocking the encryption did not get their data back, raising a question of whether the primary goal was really money or mayhem. (If the primary goal was making a lot of quick money, it would make more sense to quickly release data so that more companies would be inclined to pay the ransom, seeing that payment solved the problem.)
This was a cyber attack equal in scale to something Dr. Evil would create or some Bond villain would use to collect ransom from the entire world … or to control the world. This time, it didn’t win, but there are some interesting reasons why as you dig deeper.
Top levels of governments ordered emergency meetings to try to quickly understand and stem the spread of this very destructive piece of warware. A solution emerged quickly because an anonymous British researcher discovered the virus was built with a kill switch. With each infection the virus would check to see if a particular website was running and issuing a kill command. If there was no command, the virus would begin its mission of destruction. The researcher discovered the website, which was dormant, and activated it, slamming the brakes on global destruction. This bought time for people to apply Microsoft’s patch before the attackers could launch a modified version of the virus. Furthermore, the destructive code was only able to infect computers that had not upgraded with the latest Microsoft patch, so damage was hugely mitigated.
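The kill-switch mechanism described above has a defensive side effect: once the dormant website is registered and answering, every infected machine phones that domain before it does anything, so the DNS logs of any network become a census of hosts that have already been compromised and need patching and isolation. The following is an added example (not code from the original post or from any of the parties it describes) that triages constructed DNS query logs for lookups of a placeholder kill-switch domain; the domain name and log format are assumptions for the example.

```python
"""Sinkhole triage for a kill-switch domain (added example, defender's view).

Each lookup of the kill-switch domain is a host that has run the malware's
pre-flight check.  The sinkhole stopped that host from encrypting anything,
but it is still unpatched and exposed, so it should be patched and isolated.

KILL_SWITCH_DOMAIN is a placeholder, not the real domain; the log lines and
their format ("<timestamp> <client_ip> query <qname> <qtype>") are constructed.
"""
import re
from collections import Counter

KILL_SWITCH_DOMAIN = "killswitch-example.invalid"  # placeholder, not the real one

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qname>\S+?)\.?\s+(?P<qtype>[A-Z]+)$"   # trailing dot on FQDN is optional
)


def parse_line(line):
    """Return (timestamp, client_ip, qname, qtype) or None for non-query lines."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    # Lower-case the name so a mixed-case or absolute (dotted) query still matches.
    return m.group("ts"), m.group("client"), m.group("qname").lower(), m.group("qtype")


def kill_switch_lookups(lines, domain=KILL_SWITCH_DOMAIN):
    """Count kill-switch lookups per client; each hit is one halted infection."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == domain.lower():
            hits[rec[1]] += 1
    return hits


def triage(lines, domain=KILL_SWITCH_DOMAIN):
    """Hosts to patch and isolate, most active first, ties broken by address."""
    hits = kill_switch_lookups(lines, domain)
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample log: two hosts hit the kill switch, one of them twice.
SAMPLE_LOG = """\
2017-05-12T10:01:03Z 10.0.4.17 query killswitch-example.invalid A
2017-05-12T10:01:04Z 10.0.4.17 query update.microsoft.com A
2017-05-12T10:01:09Z 10.0.9.2 query KILLSWITCH-EXAMPLE.INVALID. A
2017-05-12T10:02:11Z 10.0.4.17 query killswitch-example.invalid A
garbage line that is not a query
2017-05-12T10:03:30Z 10.0.7.44 query mail.example.org MX
""".splitlines()

if __name__ == "__main__":
    for host, n in triage(SAMPLE_LOG):
        print(f"{host}: {n} kill-switch lookup(s) -> patch and isolate")
```

The same scan works on a real resolver's query log once the regex is adapted to that log's format; a host that keeps appearing after patching was not actually patched.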
Even so, ATMs and gas pumps in China went dark, as did Chinese government and university computers. Hospitals in the UK shut down. Forty-five facilities were affected, forcing cancelation or delay of some medical treatments. Nissan’s plant in the UK got hit. French automaker Renault stopped production in order to stop the spread of the virus. Spain’s Telefónica and Russia’s communications giant Megafon got hit. Russia’s central bank and government agencies received “massive” attacks, which Russia claimed were successfully overcome.
The latest data I saw showed 370,000 computers infected and locked up, but that didn’t appear to include the less readily available information from China. The damage is still unfolding, though greatly slowed; a second variant began spreading across the globe on Tuesday, and other variants may emerge.
Epidemiology of the viral attack — North Korea suspect
The New York Times reports that the ransomware hack appears to have originated from North Korean sleeper cells.
Since the 1980s, the reclusive North has been known to train cadres of digital soldiers to engage in electronic warfare and profiteering exploits against its perceived enemies, most notably South Korea and the United States…. When the instructions from Pyongyang come for a hacking assault, they are believed to split into groups of three or six, moving around to avoid detection…. Security officials in South Korea, the United States and elsewhere say it is a well-known fact that the North Korean authorities have long trained squads of hackers and programmers, both to sabotage computers of adversaries and make money for the government, including through the use of ransomware — malicious software that blackmails victims into paying to release seized files…. Choi Sang-myung, an adviser to South Korea’s cyberwar command and a security researcher at Hauri Inc., said that the arithmetic logic in the ransomware attacks … is similar to that used in previous attacks against Sony Pictures and the Swift international bank messaging system — both of them traced to North Korea. (NYT)
Of course, The New York Times has been saying for months that Russia hacked DNC emails and interfered with the US election without yet coming up with a shred of solid evidence or producing sources willing to go on record. It’s also fairly simple to create a decoy that hides the actual origin of an attack. If it’s true, however, it underscores North Korea’s desire to create random destruction and financial loss indiscriminately throughout the world and its ability to do so.
The NYT points out several other attacks around the world in recent years with similar signatures that pointed back to North Korea, and the fact that these attacks often happen at the same time as a North Korean missile or nuclear test. Unlike the tests, however, these attacks would be considered actual acts of war if they could be definitively pinned on some national government. They created financial destruction, at the very least, by setting companies back with lost data and lost time in recovery. They pillaged by collecting ransoms. In the past, they have stolen data and then used it to damage a company, as happened with Sony Pictures.
As Microsoft’s president and chief legal officer, Brad Smith, wrote on his blog …
An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.
I’d say that is an understatement because Microsoft has no desire to officially intensify concerns about the security of its operating systems.
China, North Korea’s neighbor, where it is believed many of the sleeper cells have been planted, got hit the hardest. China said 30,000 Chinese organizations and hundreds of thousands of computers were infected. That could be due to China taking sides with President Trump and pressuring North Korea on its nuclear weapons development, or the larger-scale assault in China could be far less nefarious. China is the motherland of pirated software, and pirated Microsoft software does not get security upgrades, making it more vulnerable to such attacks. China may have been hit the hardest only because such is the vulnerability of a sleazy economy built on pirating just about everything.
The fact that the lines connecting all the hacks to North Korea — or more importantly to the North Korea government — remain a little fuzzy may keep nations from retaliating against what would be acts of war if they were known to be government actions.
The fact that ransom seems to have played a very small role in a very large “ransomware” attack raises the question of whether this was a government operation masquerading as a ransom attack. Was it North Korean revenge for Trump’s tough stance and China’s capitulation, or was it a US false-flag test of the effectiveness of a global attack, designed to disparage North Korea at the same time and to be cut off before any great damage was done? The presence of a single kill switch that could shut the whole thing down is a fail-safe that implies an operation by a group or nation who wanted to make sure the virus could be stopped. Which of all the highly computerized nations was damaged the least?
While the latter is more intriguing (in the most heinous sort of way), Occam’s Razor says the simplest answer is most likely the right one. I personally find it hard to believe the US government would be that reckless with its allies, but it is an outside possibility. The US is, regardless, seriously culpable, even if it did not launch the attack.
US origin of the viral agents
While North Korea may have launched the viral attack, the origins of the virus’s development go much deeper and do appear to come home to rest in the US.
Microsoft sought to shift blame to the US government for “stockpiling code” that can be used by malicious attackers. What they didn’t say is what we have known since Edward Snowden’s revelation, which is that software corporations in cooperation with the US government, including Microsoft, have built hatch doors into their code for US intelligence agencies to use.
The Swiss-cheese-like holes built throughout software systems and networks for backdoor access by the US government allow the government to sniff through or shut down systems all over the world for the sake of national security. However, as was more recently revealed by Wikileaks, these security measures have a very insecure downside: once the hatch doors are known by hackers, there is nothing to stop ordinary hackers from sliding the bolt and getting in through those same doors, which gives ordinary hackers extraordinary powers.
The problem, however, lies even deeper in the machinations of the US government than just getting software manufacturers to build back doors into all your personal computing devices. The US government’s software designed to exploit those back hatches is now available to the entire world. What we have here is leaked warware:
The attacks on Friday appeared to be the first time a cyberweapon developed by the N.S.A., funded by American taxpayers and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary citizens….
Former intelligence officials have said that the tools appeared to come from the N.S.A.’s “Tailored Access Operations” unit, which infiltrates foreign computer networks. (The unit has since been renamed.)…
The attacks on Friday are likely to raise significant questions about whether the growing number of countries developing and stockpiling cyberweapons can avoid having those same tools purloined and turned against their own citizens. (The New York Times)
Snowden, seeing the grave danger posed by the NSA’s spying and irresponsible nature, tweeted, “Whoa: @NSAGov decision to build attack tools targeting US software now threatens the lives of hospital patients,” indicating it was a leaked NSA cyberwar tool, created by the NSA which attacked the UK’s hospital system…. “Despite warnings, @NSAGov built dangerous attack tools that could target Western software. Today we see the cost.” (The Free Thought Project)
I would suspect the deeper reality is that the hole in Microsoft’s software was not one some government “found,” but was one of those hatches built in by government demand. When the government’s software for exploiting that hatch became public domain, either the government or Microsoft decided to make the ready antidote (their patch) immediately available.
Russia, Snowden’s sanctuary, has blamed the United States’ National Security Agency, saying it is NSA software that was leaked out of US control via Wikileaks that was used to create the Wannacry attack. The NSA, in masterminding and then letting leak its own black software, has placed the power of cyberwar in an unquantifiable number of unknown hands with unknown intentions. It’s really no different than if the US let weapons-grade nuclear material slip into the hands of terrorists.
Here’s an even more apt comparison: The concern over government-engineered computer viruses escaping and infecting the general population of computers is similar to the concern in past years over government-engineered living viruses, designed for germ warfare, escaping and infecting the general population.
Now, take this warware security risk one step further. What kind of international crisis might be created if a US biological weapons virus escaped containment and broadly infected the world? Turn the question a little: What kind of international crisis might be created if a US computer virus broadly infected the world?
We saw this kind of problem emerge from the Stuxnet virus that the United States and Israel developed jointly to destroy centrifuges in Iran in order to stall its nuclear development during negotiations. Later, elements of that virus appeared in destructive code used for lesser attacks all over the world.
“This is almost like the atom bomb of ransomware,” Mr. Belani [chief executive of PhishMe, an email security company] said, warning that the attack “may be a sign of things to come.” (NYT)
You see, this is really warware — powerful destructive government cyber weapons that can be used equally for spying or for infecting and destroying enemies — slipping into the hands of enemies around the world. When the US designs biological viruses for war, it also creates antidotes to its human-engineered destruction for its own population or to limit collateral damage to friendly nations. And THAT is most likely why the solution to this massive attack came so quickly, with patches already available and being distributed.
Thanks to the US government’s inept security of its darkest software in inadvertent partnership with Wikileaks, more than a dozen government spying and hacking programs have been made generally available to the entire world, and Apple, Microsoft and others have been rapidly issuing security updates.
If NSA builds a weapon to attack Windows XP—which Microsoft refuses to patch—and it falls into enemy hands, should NSA write a patch?
I ask a bigger question: “If NSA builds such a weapon and it falls into enemy hands, bringing death and financial destruction around the world, should the USA be held responsible to pay for all the damages? Should the entire world hold it guilty?” This is the potential level of risk we’re talking about. If you create the destructive engine exploited by hackers’ viruses and let it get away, aren’t you as liable as you are if you engineer a viral disease and let it escape into the world, killing off millions of people? The hospital situation in the UK shows how people can actually die because of this kind of weaponry.
The NSA is clearly inept at policing its nuclear-size cyberweapon stash. It has allowed small and formerly insignificant people like Edward Snowden, hired through contracted services, to leak out vast amounts of information about its work. It has allowed large amounts of warware to get to Wikileaks and from there to all the evil hands in the world that want it. This is cyber-nuclear proliferation that all appears to have happened due to NSA security breaches. Imagine if it were actual nuclear material or highly contagious incurable germs. We’d be demanding that heads roll for such repeated loss of control.
Even the US is vulnerable to attacks by its own weaponized viruses
This was our shot over the bow. In this case, the weakness in the software that was exploited was already known, and the patch had already been made and was even in place on most computers. Thus, the damage was limited. Think of how this attack — extensive as it was — would have been exponentially worse had the vulnerability in Microsoft’s operating system not already been known, with the solution already in place and readily available to those who were delinquent in upgrading.
The United States has known about this kind of vulnerability for years, and it has been reported for years but we are still built on infrastructure that is widely vulnerable to attack. While we may have antidotes that can be released as patches if we know a computer virus or software engine used to make a virus work has slipped out, our infrastructure remains vulnerable to all kinds of attack agents that other nations are making that we may know nothing about.
We can see that in the government’s response to last week’s cyber attack:
President Trump ordered the federal government to prepare for a devastating cyber attack against America’s electric grid amid growing fears foreign states are set to carry out attacks aimed at plunging the nation into darkness.
A presidential order signed Thursday directed key federal agencies to assess preparations for a prolonged power outage resulting from cyber attacks designed to disrupt the power grid.
An assessment of the danger must be carried out by the Energy Department, Homeland Security, DNI and state and local governments to examine the readiness of the United States to manage a shutdown of the power grid. The assessment will also identify gaps and shortcomings in efforts that would be used to restore power.
New cyber security measures outlined in the executive order come as the commander of Cyber Command warned two days earlier that America’s critical infrastructure is vulnerable to disruption by foreign cyber attacks. (The Washington Free Beacon)
Now that it’s obvious that small malicious powers in foreign nations already have NSA/CIA-level malware that is already being used to shut down computers all over the world, do you really think the government is going to resolve the vulnerabilities of our energy systems, transportation systems, communications systems, financial systems, and government data systems, before some malicious group or nation (like North Korea or Iran) manages to create much more mayhem than was accomplished this time?
In 2015, China stole 22 million records of federal employees, including sensitive personal data. Therefore, we know the government has already had two years to prepare; so, why are we just seeing new orders go out to analyze our points of vulnerability to hacking and viral attacks? This year has become all about accusations that Russia created a cybercoup and overthrew the US election to install its own Manchurian candidate or just to mess us up with confusion.
Apparently, we’d rather pile up national debt on more desirable (as in fun or feel-good) things than cyber security or on more conventional weapons.
Wannacry is a sign of things to come
Wannacry is a warning shot over the bow. A much more extensive viral infection could shut down the world in one day tomorrow or next week if it exploits parts of Microsoft’s OS that Microsoft hasn’t yet patched, and if the back door that allows the virus to be shut down is not as obvious as this one was, or if it has no back door intended as a kill switch at all. Financial systems (both stock markets and banks) could be wiped out in a day, triggering the need for an immediate global financial reset.
Imagine if your bank were locked out of all of your financial data by ransomware, so they couldn’t even tell you are their customer and couldn’t even access their backup data. The bank would have no record of how much money you have in the bank. Then imagine no one really intended to collect any ransom at all — so there was no opportunity to retrieve the data. Instead, the virus simply destroyed it to wreak havoc in the world or to destroy the world’s superpower.
© Copyright by David Haggith, 2017. All rights reserved.