We were driving up the M6 in the UK on Friday last when news started trickling in of the WannaCry worm attack that was rapidly ossifying the operational abilities of the British National Health Service.
The disruption to NHS systems was mostly contained by early this week and, it turns out, much of what was widely postulated at the start of the outbreak ended up not being correct. The talk was that this was a sophisticated attack, perhaps from a state actor, hitting specific targets, using a leaked US National Security Agency exploit which was being spread by a phishing ransomware attack, where people were duped into opening an attached file which then executed malicious code that locked down their computer.
Yes, it was a ransomeware attack, in which individual computers are frozen and the contents encrypted, and a ransom demanded in return for a decryption key. And yes, the NSA exploit was structured in and enabled the attack to spread broadly and quickly. But now that experts have had a good look at the code, it appears WannaCry is a worm, not a phishing attack, and spreads not through an executable file but by manipulating each infected computer to send copies of itself out on the computer’s network.
That made it worse, really, as no human agent is needed to continue the spread once it has begun. And once WannaCry got into a single computer within a large organisation – such as the NHS – it could swiftly spread through that entire organisation’s network without the organisation ever having been specifically targeted.
Inept
Yet, the code is amateurish and while it had the NSA exploit [of a Windows vulnerability] bolted on, this was not a sophisticated use of the code. The coders didn’t seem to know quite what they were doing; even their ransom scheme was inept and, for all the millions of computers affected, only a few resulted in payment in bitcoin, to anonymised but viewable accounts, of just over $50,000.
By comparison, a more sophisticated ransomware attack, Angler, raked in an astonishing $60 million a year until 2015, a Cisco expert told tech magazine Wired.
Usually, the targets of ransomware attacks prefer not to disclose they’ve been hit and usually the payout is much larger than the the modest few hundred dollars demanded by WannaCry.
All of these curiosities have caused some to believe the attack might have been less a real ransomware attack in search of cash payouts, than an attempt to mock the NSA, perhaps by the presumed Russian state actors that hacked the NSA and stole these exploit tools in the first place, notes Wired.
Certainly, WannaCry’s use of the NSA tool codenamed EternalBlue enabled it to cause so much damage so quickly. Initially designed to enable surreptitious access to a specific targeted computer, EternalBlue was refashioned in WannaCry to instead target many computers by its new wormlike behaviour. Whether through the coders’ intent or through collateral damage, WannaCry has put the NSA under intense scrutiny.
Damage to civilians
Microsoft, which released a patch for the vulnerability in March for current operating systems (but not until now, for older, now-unsupported systems such as Windows XP), publicly lambasted the NSA in a lengthy blog post from president and chief legal officer Brad Smith (http://bit.ly/2qkt9Zw). He noted: "We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."
On Twitter, whistleblower Edward Snowden emphasised how "extraordinary" it was for Microsoft to thus expose the NSA as the originator of such a dangerous tool. Perhaps, an indication that the technology industry is now willing to take government-embarrassing methods to resist the surveillance agencies' desire to exploit or insert vulnerabilities in industry products.
One might argue that the real problem here was failure by millions – including large organisations – to implement a patch issued by Microsoft two months ago, or move to a supported operating system. Anyone running XP is definitely low-hanging hacker fruit.
But patching systems, especially across large, complex networks, is tricky and often organisations delay doing so. Individuals postpone updates too. That’s real life. And the NSA doesn’t seem to have told Microsoft how serious the vulnerability was, as Microsoft did not highlight the patch as critical.
All of which went towards creating an infuriating, international mess. But the WannaCry affair has done some public service. It has exposing the chaos – limited, thankfully, this time, but potentially, life-threateningly worse – that results when governments allow the creation of devastating hacking tools without any coherent policy on informing companies of those exploited vulnerabilities or what to do if the tools fall into dangerous hands.
We now need an international, public debate. When do such tools enhance security, and when do they weaken it by exposing citizens, companies and national organisations to the very dangers they are supposed to protect against? Governments must do better than this.