
WannaCry & NotPetya

July 19, 2018

This post is based on “THE PERFECT WEAPON: War, Sabotage, & Fear in the Cyber Age,” by David E. Sanger. The North Koreans obtained attack software that had been stolen from the NSA and published by a group calling itself the Shadow Brokers. In effect, the NSA lost its weapons and the North Koreans fired them back.

The North Korean hackers married the NSA’s tool (the EternalBlue exploit, which targets a flaw in Windows file sharing, SMB) to ransomware, which encrypts a computer’s files and makes them inaccessible unless the victim pays for the decryption key. Sanger describes the initial infections as arriving by phishing email, similar to the one Russian hackers used against the Democratic National Committee and other targets in 2016, carrying an encrypted, compressed file that evaded most antivirus software. What made WannaCry different from ordinary ransomware was that once it was alive inside a network, the exploit let it spread from machine to machine on its own, with no user action required. Infected users received a demand for $300 to unlock their data. It is not known how many paid, but those who did never got the key, if there ever was one, to unlock their documents and databases.

WannaCry, like the Russian attacks on the Ukrainian power grid, belonged to a new generation of attacks that put civilians in the crosshairs. Jared Cohen, a former State Department official, said, “If you’re wondering why you’re getting hacked—or attempted hacked—with greater frequency, it is because you are getting hit with the digital equivalent of shrapnel in an escalating state-against-state war, way out there in cyberspace.”

WannaCry shut down the computer systems of several major British hospital systems, diverting ambulances and delaying non-emergency surgeries. Banks and transportation systems across dozens of countries were affected. WannaCry hit seventy-four countries. After Britain, the hardest hit was Russia (Russia’s Interior Ministry was among the most prominent victims). Ukraine and Taiwan were also hit.

It was not until December 2017, three years to the day after Obama accused North Korea of the Sony attacks, that the United States and Britain formally declared Kim Jong-un’s government responsible for WannaCry. President Trump’s homeland security adviser Thomas Bossert said he was “comfortable” asserting that the hackers were “directed by the government of North Korea,” but said that conclusion came from looking at “not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks. And so you have to apply some gumshoe work here, and not just some code analysis.”

The gumshoe work stopped short of reporting how the Shadow Brokers leak allowed the North Koreans to get their hands on tools developed for the American cyber arsenal. Describing how the NSA enabled North Korean hackers was either too sensitive, too embarrassing or both. Bossert was honest about the fact that, having identified the North Koreans, he couldn’t do much else to them. “President Trump has used just about every lever you can use, short of starving the people of North Korea to death, to change their behavior,” Bossert acknowledged. “And so we don’t have a lot of room left here.”

Ukraine was the victim of multiple cyberattacks. One of the worst was NotPetya, a name coined by Kaspersky Lab (the code posed as the earlier Petya ransomware but was not the same malware). Kaspersky is itself suspected by the US government of providing back doors to the Russian government via its profitable security products. This cyberattack on Ukraine seemed targeted at virtually every business in the country, large and small, from television stations to software houses to any mom-and-pop shop that used credit cards. Throughout the country computer users saw the same broken-English message pop onto their screens. It announced that everything on their hard drives had been encrypted: “Oops, your important files have been encrypted…Perhaps you are busy looking to recover your files, but don’t waste your time.” It then claimed that paying $300 in bitcoin would restore the files. The claim was false: the ransom note was a pretext, and the data could not be recovered even by victims who paid.

NotPetya resembled WannaCry, and in February 2018 the Trump administration said it was the work of the Russians. It was clear that the Russians had learned from the North Koreans. WannaCry’s spread had been blunted when a researcher registered a hard-coded “kill switch” domain that the malware checked before detonating, and Microsoft’s patch for the SMB flaw protected machines that had installed it. NotPetya had no such kill switch, and because it also spread through stolen administrator credentials and legitimate Windows management tools, patched machines were infected alongside unpatched ones. NotPetya struck two thousand targets around the world, in more than 65 countries. Maersk, the Danish shipping company, was among the worst hit. It reported losing $300 million in revenue and had to replace four thousand servers and thousands of computers.

From Russia, With Love

July 17, 2018

The title of this post is identical to the title of the Prologue of “The Perfect Weapon: War, Sabotage, & Fear in the Cyber Age.” Andy Ozment was in charge of the National Cybersecurity & Communications Integration Center, located in Arlington, VA. He had a queasy feeling when the lights went out across a remote corner of Ukraine on the day before Christmas Eve, 2015. The screens at his center indicated that something more nefarious than a winter storm or a blown substation had triggered the sudden darkness in the embattled former Soviet republic. The event had the markings of a sophisticated cyberattack, remote-controlled from someplace far from Ukraine.

This was less than two years after Putin had annexed Crimea and declared it would once again be part of Mother Russia. Putin had his troops strip the insignia from their uniforms, and they became known as the “little green men.” These men, with their tanks, were sowing chaos in the Russian-speaking southeast of Ukraine and doing what they could to destabilize the new, pro-Western government in Kiev, the capital.

Ozment realized that the middle of the holidays was the ideal time for a Russian cyberattack against the Ukrainians: the electric utilities were operating with skeleton crews. To Putin’s patriotic hackers, Ukraine was a playground and a testing ground. Ozment told his staff that this was a prelude to what might well happen in the United States. He regularly reminded them that in the world of cyber conflict, attackers came in five distinct varieties: “vandals, burglars, thugs, spies, and saboteurs.” He said he was not worried about the thugs, vandals, and burglars. It was the spies, and particularly the saboteurs, who kept him up at night.

In the old days, you could know who launched the missiles, where they came from and how to retaliate. That clarity created a framework for deterrence. In the digital age, deterrence stops at the keyboard. The chaos of the modern Internet plays out in an incomprehensible jumble of innocent service outages and outrageous attacks, and it is almost impossible to see where any given attack came from. Spoofing comes naturally to hackers, and masking their location is simple. Even after a big attack, it can take weeks or months before a formal intelligence “attribution” emerges from American intelligence agencies, and even then there may be no certainty about who instigated it. This is nothing like the nuclear age: analysts can warn the president about what is happening, but they cannot specify, in real time and with certainty, where an attack is coming from or against whom to retaliate.

In Ukraine the attackers systematically opened circuit breakers, deleted backup systems, and shut down substations, all by remote control. The hackers planted a cheap program, malware named “KillDisk,” to wipe out the systems that would otherwise have allowed the operators to regain control. Then the hackers delivered the finishing touch: they disconnected the backup electrical system in the control room, so that the operators were not only helpless but sitting in darkness.

For two decades experts had warned that hackers might switch off a nation’s power grid, the first step in taking down an entire country.

Sanger writes, “while Ozment struggled to understand the implications of the cyber attack unfolding half a world away in Ukraine, the Russians were already deep into a three-pronged cyberattack on the very ground beneath his feet. The first phase had targeted American nuclear power plants as well as water and electric systems, with the insertion of malicious code that would give Russia the opportunity to sabotage the plants or shut them off at will. The second was focused on the Democratic National Committee, an early victim of a series of escalating attacks ordered, American intelligence agencies later concluded, by Vladimir V. Putin himself. And the third was aimed at the heart of American innovation, Silicon Valley. For a decade the executives of Facebook, Apple and Google were convinced that the technology that made them billions of dollars would hasten the spread of democracy around the world. Putin was out to disprove that thesis and show that he could use the same tools to break democracy and enhance his own power.”