The New York Times published a lengthy article yesterday that reported on researchers’ suspicions of North Korea’s involvement in last week’s ransomware attack.
In the news business, it is axiomatic that the shorter the time-span between an event and the story hitting the headlines, the more likely it is that at least some of the facts are wrong. These are still early days, and some important facts remain very much unclear.
It is understood that the software used in the attack relied on an exploit for a vulnerability that American intelligence agencies, including the National Security Agency (NSA), had identified and weaponized. It is also known that the exploit code used in last week’s attack was released publicly by an entity calling itself the “Shadow Brokers”. According to online sources, Shadow Brokers attributed the material to the “Equation Group”, the name Kaspersky gave to an actor widely believed to be the NSA’s cyber-warfare and intelligence-gathering unit, the Office of Tailored Access Operations (TAO).
It is known that in August of 2016, a posting on a Twitter account “@shadowbrokerss” announced the creation of a Pastebin page and a GitHub “repository containing references and instructions for obtaining and decrypting the content of a file supposedly containing tools and exploits used by the Equation Group.”
The post on Pastebin went on to say:
“!!! Attention government sponsors of cyber warfare and those who profit from it!!!!
How much you pay for enemies cyber weapons? Not malware you find in networks. Both sides, RAT + LP, full state sponsor tool set? We find cyber weapons made by creators of stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy!!! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.”
The big question is “how did the NSA’s software get stolen?” No one is absolutely certain right now, but speculation is rife that it was a contract employee. It really doesn’t matter at this point.
A number of state actors, including the United States and Russia, have been developing cyber weapons for at least a decade. There has been a great deal of noise in the media about North Korea’s intent to develop the capability to detonate a nuclear warhead above the United States, releasing an electromagnetic pulse (EMP) that would paralyze our infrastructure. Of course, building and testing missiles, as well as developing the right kind of warhead, is a complicated and expensive process, especially for an impoverished nation like North Korea.
By comparison, cyber weapons are a cheap and effective alternative.
Over the last two decades there has been a massive movement, in first-world countries, towards interconnectivity. Cloud-based computing is one example. In the past, if you wanted to use Microsoft’s Office suite (Word, Excel, PowerPoint, etc.) you went out and bought a box with manuals and a couple of disks and you were good to go. Now you buy a subscription, annually or month-to-month, and the licensing, updates, storage and collaboration features depend on services that live in the “cloud” rather than solely on your own computer.
If you want to wreak havoc on an economy, consider what would happen if you were able to knock out a country’s cloud-based software resources. That would be extremely difficult, of course, since companies like Microsoft expend enormous resources protecting their cloud-based assets.
On the other hand, suppose you attack the other end of the pipeline: the end user. Commercial entities, and small businesses in particular, are far less likely than a cloud provider to focus on security. Private individuals and public resources like libraries and schools are even more likely to cut corners, whether by continuing to run unsupported operating systems like Windows XP or by never applying security updates to systems like Windows 7 that are still supported. That creates a population of vulnerable machines just waiting to be exploited.
The Times article contains quotes from several knowledgeable and trusted sources who suggest that the North Koreans may have been responsible for the ransomware attack, but acknowledges that the hard evidence isn’t in yet. There are temporal and coding similarities, but nothing conclusive, yet.
Microsoft’s President, Brad Smith, has suggested that the situation can be compared to the U.S. Military losing control of “some of its Tomahawk missiles”. That’s a very apt analogy.
In the end, it doesn’t matter how the software tools ended up for auction on the internet. The security protecting those tools was insufficient.
There are reports that the total ransom paid thus far, out of roughly 200,000 infected machines in 150+ countries, is well under $70,000 USD. One reason the return was so low is that the ransom had to be paid in Bitcoin. How many of us would have even the vaguest idea of how to set up a Bitcoin wallet, fund it with $300 and transfer that money to pay the ransom?
That’s not much money for the risk involved. It hardly seems worth the effort.
It seems plausible that this may have been a “dry run” or probing effort.
Whatever the motivation may have been, our best defense may be to reduce our level of interconnectivity.
If your next door neighbor’s computer gets infected by a virus, that’s unfortunate, but you’re still able to function. If everyone on your block gets infected and can’t use their computer or access their data, then that’s going to be a very bad day for everyone. Sometimes less really IS more.