When Ransomware Becomes the Smoke Screen for Real Disruption: Picks of the Week
“Ransomware Remixed: The Song Remains the Same” | Lawfare
“Hacks Raise Fear Over N.S.A.’s Hold on Cyberweapons” | The New York Times
“Global Cyber Attack Likely Cover for Malware Installation in Ukraine” | Reuters
In the past month, malicious actors have twice used cyberweapons stolen from the National Security Agency (NSA) against countries around the world in a series of escalating cyber attacks that have targeted hospitals, banks, transportation systems, and even nuclear sites. The latest wave of attacks featured a similar hacking tool – Eternal Blue – that was used in the WannaCry attacks that crippled tens of thousands of machines worldwide in May. The outbreak was the latest and perhaps the most sophisticated in a series of attacks making use of dozens of hacking tools that were stolen from the NSA and leaked online in April by a group called the Shadow Brokers.
As The New York Times reported, “the NSA has kept quiet, not acknowledging its role in developing the weapons [but that] the calls for the agency to address its role in the latest attacks has grown louder, as victims and technology companies cried foul.” White House officials have also deflected questions on the issue, arguing that the focus should be on the attackers themselves, not the manufacturer of their weapons. The growing concern is whether US intelligence agencies have rushed to create digital weapons that they cannot keep safe from adversaries or disable once they fall into the wrong hands, and there have been numerous calls for the NSA to help halt the attacks and to stop hoarding knowledge of the computer vulnerabilities upon which these weapons rely.
While the US intelligence agencies do have the largest stockpile of so-called cyberweapons that have become the weapon of choice against the Iranian nuclear program, North Korea’s missile launches, and Islamic State militants, they have also developed an interagency decision-making process to disclose known software vulnerabilities directly to vendors (like Microsoft, in the case of WannaCry). This so-called Vulnerability Equities Process (VEP), however, is not codified into law and continues to be biased in favor of intelligence and law enforcement practitioners, thus leaving products and consumers vulnerable to attacks and affecting users on a massive scale.
Although there is evidence to suggest that North Korea was responsible for the WannaCry ransomware attacks and that the attacks this week against targets in Ukraine were the work of Russian hackers, in both cases the attackers used tools stolen from the NSA to exploit vulnerabilities in Microsoft software. Officials now fear that the potential damage from the theft of these cyberweapons could go much further, and that the NSA’s own weaponry could be used to destroy critical infrastructure in the United States or in allied nations. Indeed, attackers and cyber criminals have already retrofitted these tools to steal credentials from American companies, pilfer digital currency, disrupt services, and even destroy property.
The latest wave of ransomware attacks are now believed to have been a smoke screen for a deeper assault aimed at destroying victims’ computers entirely or installing new malware intended for future sabotage. And while WannaCry had a kill switch that was used to contain it, the attackers that hit Ukraine this week made sure there was no such mechanism. They also ensured that their code could infect computers that had received software patches intended to protect them.
Unfortunately, as long as software manufacturers continue to develop poorly engineered products full of flaws in their computer code, opportunities will abound to create openings for digital weapons and spy tools, and the NSA is not likely to stop hoarding software vulnerabilities any time soon. And as long as people and companies fail to properly patch their systems and adopt cybersecurity best practices, more sophisticated and damaging attacks of this kind will be likely.