MOD Cyber Security by Owen Cooban (Crown Copyright, 2015)

Europol Warns Global Cyber Attack May Grow

Cyber Attack Hits 100,000 Organizations

Europe’s police agency Europol says a global cyberattack has affected at least 100,000 organizations in 150 countries, with data networks infected by malware that locks computer files unless a ransom is paid.

“I’m worried about how the numbers will continue to grow when people go to work and turn on their machines on Monday,” Europol director Rob Wainwright told Britain’s ITV television.

So far there has been no progress reported in efforts to determine who launched the plot.

Computer security experts have assured individual computer users who have kept their PC operating systems updated that they are relatively safe.

They advised those whose networks have been effectively shut down by the ransomware attack not to make the payment demanded — the equivalent of $300, paid in the digital currency bitcoin, delivered to a likely untraceable destination that consists merely of a lengthy string of letters and numbers.

However, the authors of the “WannaCry” ransomware attack told their victims the amount they must pay would double if they did not comply within three days of the original infection — by Monday, in most cases. And the hackers warned that they would delete all files on infected systems if no payment was received within seven days.

Avast, an international security software firm that claims it has 400 million users worldwide, said the ransomware attacks rose rapidly Saturday to a peak of 57,000 detected intrusions. Avast, which was founded in 1988 by two Czech researchers, said the largest number of attacks appeared to be aimed at Russia, Ukraine and Taiwan, but that major institutions in many other countries were affected.

‘Kill Switch’ Found in WanaCryptor 2.0

Computer security experts said the current attack could have been much worse but for the quick action of a young researcher in Britain who discovered a vulnerability in the ransomware itself, known as WanaCryptor 2.0.

The researcher, identified only as “MalwareTech,” found a “kill switch” within the ransomware as he studied its structure.

The “kill” function halted WanaCryptor’s ability to copy itself rapidly to all terminals in an infected system — hastening its crippling effect on a large network — once it was in contact with a secret internet address, or URL, consisting of a lengthy alphanumeric string.

The “kill” function had not been activated by whoever unleashed the ransomware, and the researcher found that the secret URL had not been registered to anyone by international internet administrators. He immediately claimed the URL for himself, spending about $11 to secure his access, and that greatly slowed the pace of infections in Britain.

Experts cautioned, however, that the criminals who pushed the ransomware to the world might be able to disable the “kill” switch in future versions of their malware.
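Because the researcher registered the kill-switch address, any host that now looks it up is a host on which the worm has run and reached its kill-switch check. That makes the organisation's own DNS logs a useful place to find infected machines. The script below is an added example, not code from the article or from any named firm: it parses constructed DNS query-log lines (a BIND-style format is assumed), uses an obviously placeholder domain in place of the real kill-switch address, which the article does not name, and lists the clients that queried it so responders can prioritise them.

```python
import re
from collections import defaultdict

# Placeholder: the article does not name the real kill-switch domain.
KILL_SWITCH_DOMAIN = "killswitch-domain.example"

# Constructed sample DNS query-log lines (BIND-style format assumed).
SAMPLE_DNS_LOG = """\
12-May-2017 10:01:03.412 queries: info: client 10.0.1.15#51234: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 10:01:05.001 queries: info: client 10.0.1.15#51240: query: update.microsoft.com IN A + (10.0.0.53)
12-May-2017 10:02:17.778 queries: info: client 10.0.2.40#49152: query: killswitch-domain.example IN A + (10.0.0.53)
12-May-2017 10:03:44.010 queries: info: client 10.0.3.9#50001: query: www.example.org IN A + (10.0.0.53)
12-May-2017 10:04:02.333 queries: info: client 10.0.1.15#51250: query: killswitch-domain.example IN A + (10.0.0.53)
"""

# Captures timestamp, querying client address and the queried name.
QUERY_RE = re.compile(
    r"^(?P<ts>\S+ \S+) queries: info: client (?P<client>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_query_log(text):
    """Yield (timestamp, client_ip, qname) for each well-formed query line."""
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            # Normalise trailing dot and case so comparisons are exact.
            yield m.group("ts"), m.group("client"), m.group("qname").rstrip(".").lower()


def find_killswitch_lookups(text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: [timestamps]} for hosts that queried the kill-switch domain."""
    hits = defaultdict(list)
    for ts, client, qname in parse_query_log(text):
        if qname == domain.lower():
            hits[client].append(ts)
    return dict(hits)


def triage_report(hits):
    """Order hosts by their first lookup so the earliest-infected are handled first."""
    return sorted(hits.items(), key=lambda kv: kv[1][0])


if __name__ == "__main__":
    for host, times in triage_report(find_killswitch_lookups(SAMPLE_DNS_LOG)):
        print(f"{host}: {len(times)} lookup(s), first at {times[0]}")
```

On real logs the query-log format and the field layout will differ by resolver; the regular expression is the only part that needs adapting. A host that appears here has already executed the malware, so the list is a starting point for isolation and forensics, not proof that the machine is clean because the kill switch stopped the spread.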

EternalBlue Points to Equation Group

WanaCryptor 2.0 is only part of the problem. It spread to so many computers so rapidly by using an exploit — software capable of burrowing unseen into Windows computer operating systems.

The exploit, known as “EternalBlue” or “MS17-010,” took advantage of a vulnerability in the Microsoft software that reportedly had been discovered and developed by the U.S. National Security Agency, which used it for surveillance activities.

NSA does not discuss its capabilities, and some computer experts say the MS17-010 exploit was developed by unknown parties using the name Equation Group (which may also be linked to NSA). Whatever its source, it was published on the internet last month by a hacker group called ShadowBrokers.

Microsoft distributed a “fix” for the software vulnerability two months ago, but not all computer users and networks worldwide had yet made that update and thus were highly vulnerable. And many computer networks, particularly those in less developed parts of the world, still use an older version of Microsoft software, Windows XP, that the company no longer updates.

The Finnish computer security firm F-Secure called the problem spreading around the world “the biggest ransomware outbreak in history.” The firm said it had warned about the exponential growth of ransomware, or crimeware, as well as the dangers of sophisticated surveillance tools used by governments.

Lesson: Update Programs

With WanaCryptor and MS17-010 both “unleashed into the wild,” F-Secure said the current problem seems to have combined and magnified the worst of the dangers those programs represent.

The security firm Kaspersky Lab, based in Russia, noted that Microsoft had repaired the software problem that allows backdoor entry into its operating systems weeks before hackers published the exploit linked to the NSA, but also said: “Unfortunately it appears that many users have not yet installed the patch.”

Britain’s National Health Services first sounded the ransomware alarm Friday.

The government held an emergency meeting Saturday of its crisis response committee, known as COBRA, to assess the damage. Late in the day, Home Secretary Amber Rudd said the NHS was again “working as normal,” with 97 percent of the system’s components now fully restored.

Spanish firm Telefonica, French automaker Renault, the U.S.-based delivery service FedEx and the German railway Deutsche Bahn were among those affected.

None of the firms targeted indicated whether they had paid or would pay the hackers’ ransom.

Russia Disproportionately Targeted

As countries across the globe scrambled to respond to a malicious “ransomware” virus, internet security watchdogs said the attack had disproportionately targeted Russia.

The Russian cyber security firm Kaspersky Labs was among the first to identify the so-called “Wanna Cry” malware — a viral worm that exploits a vulnerability in the Windows operating system to encrypt files without users’ permission.

A group of hackers known as “The Shadow Brokers” is widely believed to have stolen the program from the U.S. National Security Agency last April and deployed it as a means to ransom user data around the world for cash profits.

Kaspersky Labs initially reported 45,000 attacks by the malware in more than 70 countries, with Russia bearing the brunt of the onslaught. “The range of targets and victims is likely much, much higher,” warned the Kaspersky report.

Within hours, other internet security firms put the number of computers targeted at more than 75,000 in 100 countries. Those numbers are expected to grow.

Russian Railway and Telecoms Hit

Russia’s powerful Interior Ministry and national railway service both confirmed they had fallen victim to the malware. The Russian mobile telecom giant, Megafon, too, issued a statement saying its servers had been compromised.

But by mid-day Saturday, spokesmen from all three said they had successfully isolated the virus and were operating as usual.

The statements came as other key Russian ministries, and the country’s central bank, pushed back against claims state computer infrastructure had been compromised.

In statements to Russian media, all argued they had thwarted the virus by using non-Windows operating systems, while trumpeting the merits of data backups on a server that is, notably, Russian-made: Elbrus.

The claims have not been confirmed by outside experts.

Kremlin Suspicious of Western Tech Firms

The Kremlin has long been suspicious of Western technology firms, arguing they work in collusion with American intelligence agencies.

In 2014, Russia’s Duma passed a law requiring Western tech companies such as Facebook, Twitter, and Google to relocate servers to Russia in an effort to protect Russian user data. Though not yet fully implemented, Russian internet activists have argued the law gives Russian security services dangerous access to private data with little legal recourse.

Russian President Vladimir Putin has also pushed for digital independence from Western tech firms, partially in response to American and European sanctions introduced following Russia’s annexation of Crimea from Ukraine in 2014.

Sunday, the Kremlin’s advisor on internet strategy German Klimenko seized the latest cyber attack as a chance to praise those moves.

“The president’s order to create a Russian segment of the internet, [it created] a closed Internet solely for government bureaucrats,” said Klimenko in an interview with Russia’s Channel One television.

“The defense against attacks has been in place a long time,” he added. “It is doubtful our [government] data suffered.”

NSA Connection?

Meanwhile, Russia’s online community debated the disproportionate targeting of Russia, in particular allegations the virus had originated with the NSA.

But on the Russian-built secure messaging app Telegram, users traded theories the virus was a U.S. plot aimed at disrupting the country’s 2018 presidential elections, apparent payback for U.S. intelligence agencies’ conclusion Russian hackers had interfered in last year’s American presidential elections.

But Anton Nossik, a longtime leading internet voice in Russia, rejected those charges as “terribly funny” in a widely shared post to his Live Journal blog.

“That 74 countries were implicated in the virus is explained as Russia’s enemies desire to hide the real goal of their attack,” wrote Nossik, who notes that Russian governmental officials had been too lazy to install a Windows “patch” available since last March that resolved the security flaw.

“Really, how can you deceive our ever wakeful conspiracy theorists?” he added wryly, “To hack their computers is the simplest thing, but to destroy their vigilance? Never!”

Other Russian digerati, too, pushed back against the idea that Russia had been a target by design.

“There’s no politics or intention here. The virus is just spreading randomly,” said Ilya Sachkov, Director of the Moscow-based Group IB, a company that tracks internet fraud, in an interview with Moscow’s Business FM radio.

Sachkov noted that ransomware attacks have been growing in number and strength for years.

Snowden Blames the NSA for Cyber Attack

The unfolding crisis and alleged links to the NSA again thrust Edward Snowden, the former NSA contractor who was granted asylum in Russia after leaking classified NSA documents to the press in 2013, into the spotlight.

In a series of Twitter posts, Snowden argued the NSA bore moral responsibility for the leak.

“Despite warnings, the NSA built dangerous attack tools that could target Western software,” wrote Snowden. “Today we see the cost.”

Source: Voice of America
