# Snowman Series 9 – Trump And Putin: The World To Ransom

The world was plunged into chaos on Friday the 12th of May by a massive cyber attack which crippled the United Kingdom’s National Health Service – as well as a number of other large infrastructure organisations across most nations, including Spain’s Telefonica, FedEx in the US, and reportedly some Russian organisations.

The source of the attack is clear and its timing is no coincidence, yet a bewildered media, unequipped to report on the complexities of cyber terrorism, scrambled to push focus on the impact of the hack while adding base level explainers on Ransomware to a confused and scared public.

Extraordinarily, the British Home Secretary, Amber Rudd, was quick to make a statement that the attack wasn’t targeted, and across the British parties – now all electioneering – the focus shifted immediately to arguments about spending.

In short order, both Wikileaks and infamous former NSA IT contractor Edward Snowden began to lay the blame at the door of the United States’ National Security Agency, as the attack involved the use of Eternal Blue – a spying tool which was designed to exploit a weakness in Microsoft Windows remote access capabilities.

Amidst all the noise, the culprit was sitting in plain sight.


Ransomware is a type of virus or malware which, when activated, encrypts the contents of a computer (or computers) so the user or owner can’t access anything. It’s called Ransomware because it offers the opportunity to have the data restored in exchange for a payment – normally in the cryptocurrency Bitcoin.

Ransomware is an effective Denial of Service (DoS) attack and there are no guarantees systems will be restored even if the payment is made.

This attack used a version of the software called WanaCrypt0r 2.0 or “Wannacry”, which would normally infect a computer through the standard route of opening an attachment in an email.

However, the software also integrated a previously stolen NSA tool called Eternal Blue, which allows an infected computer to search for and infect other vulnerable computers on internal or external networks. The tool exploited a mechanism within Windows for which Microsoft released a patch after the theft had occurred.

The attack was hindered when a young computer blogger discovered that the software was attempting to contact an unregistered domain name (http://iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com).

By registering the domain name himself – sinkholing it – he caused the software to stop spreading. It appears the lack of ability to communicate with the domain made the software decide it was in ‘sandpit’ mode – meaning “not actively deployed.”

Vehicle manufacturing plants, power plants, and rail services were among the other institutions and companies shut down as a result of the attack and experts believe the software will continue to attack vulnerabilities over the coming days.

The domain itself is human-generated keyboard garbage and was sinkholed on the day of the attack. The original registration details are not accessible at this time.
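The kill-switch domain check described above is something a defender can look for directly: any machine that asks DNS for that domain is running the malware, whether the answer came back empty (before the sinkhole) or with an address (after it). The script below is an added example, not code from the original article or from the researcher who registered the domain. It parses a constructed, simplified DNS query log (the line format and the IP addresses are assumptions), flags every query for the domain on the page, and records whether the query was answered, which approximates whether the malware's check succeeded and it stood down. A host appears as infected either way and still needs cleaning; the sinkhole only stops the spread, it does not remove the software.

```python
"""Flag DNS queries for the WannaCry kill-switch domain in a query log.

Added example (not from the original article). The log format below is an
assumed, simplified one: "<timestamp> <client-ip> query <name> <rcode> [answer]".
"""
import re
from typing import Dict, List, Optional

# Domain from the article; the malware halted once a connection to it succeeded.
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"

# Constructed sample log. Addresses are from documentation ranges (TEST-NET),
# and 192.0.2.10 stands in for the sinkhole address (placeholder, not real).
SAMPLE_LOG = """
2017-05-12T10:14:03Z 10.0.3.17 query www.example.com NOERROR 198.51.100.5
2017-05-12T10:14:05Z 10.0.3.17 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T10:20:41Z 10.0.3.42 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T16:02:09Z 10.0.3.17 query IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. NOERROR 192.0.2.10
2017-05-12T16:05:30Z 10.0.3.58 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NOERROR 192.0.2.10
2017-05-12T16:06:00Z 10.0.3.58 query update.example.org NOERROR 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\d+\.\d+\.\d+\.\d+) query (?P<name>\S+) "
    r"(?P<rcode>NXDOMAIN|NOERROR)(?: (?P<answer>\S+))?$"
)


def parse_line(line: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one log line; return None for blank or unrecognised lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    # DNS names are case-insensitive and may carry a trailing dot.
    rec["name"] = rec["name"].rstrip(".").lower()
    return rec


def classify(rec: Dict[str, Optional[str]]) -> Optional[str]:
    """Return a state for kill-switch queries, None for everything else.

    'unanswered': the domain did not resolve, so the malware's check failed
                  and it carried on (the pre-sinkhole situation).
    'sinkholed':  the domain resolved, so the check succeeded and the
                  malware stood down; the host is still infected.
    """
    if rec["name"] != KILL_SWITCH_DOMAIN:
        return None
    return "sinkholed" if rec["rcode"] == "NOERROR" else "unanswered"


def find_kill_switch_queries(lines: List[str]) -> List[Dict[str, str]]:
    """Return one event per kill-switch query found in the log lines."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        state = classify(rec)
        if state is not None:
            events.append({"ts": rec["ts"], "client": rec["client"], "state": state})
    return events


def infected_hosts(events: List[Dict[str, str]]) -> List[str]:
    """Every client that queried the domain is running the malware."""
    return sorted({e["client"] for e in events})


def summarize(events: List[Dict[str, str]]) -> Dict[str, object]:
    """Counts per state plus the earliest sighting, for an incident report."""
    return {
        "hosts": infected_hosts(events),
        "unanswered": sum(1 for e in events if e["state"] == "unanswered"),
        "sinkholed": sum(1 for e in events if e["state"] == "sinkholed"),
        "first_seen": min((e["ts"] for e in events), default=None),
    }


if __name__ == "__main__":
    found = find_kill_switch_queries(SAMPLE_LOG.splitlines())
    for e in found:
        print(f"{e['ts']} {e['client']} kill-switch query ({e['state']})")
    print(summarize(found))
```

The NXDOMAIN versus NOERROR split is a proxy: the malware actually tested whether an HTTP connection to the domain succeeded, so on a network where outbound web traffic goes through a proxy the DNS answer alone does not tell you which branch it took. The list of querying hosts is the reliable part of the output.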


While the Ransomware itself is freely available on the internet and is not traceable in any useful sense, Eternal Blue is a different matter.

On the 8th of April 2017, a group of hackers known as The Shadow Brokers released a lengthy, rambling statement in seemingly deliberately broken English, which commenced with “Dear President Trump, Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.”

The group’s reappearance came only days after Trump’s unexpected intervention in Syria with airstrikes targeting a Russian-Syrian airbase.

A spokesman for Vladimir Putin responded to the strikes stating the US had violated international law “under a false pretext”, and the country’s UN deputy ambassador, Vladimir Safronkov, warned “extremely serious” consequences could follow the strike. The prime minister, Dmitry Medvedev, said the action had “completely ruined relations”.

The Shadow Brokers’ statement mentioned Syria repeatedly and also cited disgruntlement at the rumoured removal of Steve Bannon from the National Security Council.

They went on to make further statements about Trump’s supporters, saying they “Don’t care if you swapped wives with Mr Putin, double down on it, “Putin is not just my firend he is my BFF”. Don’t care if the election was hacked or rigged, celebrate it “so what if I did, what are you going to do about it,”” and that they do “support the ideologies and policies of Steve Bannon, Anti-Globalism, Anti-Socialism, Nationalism, Isolationism.”

On the topic of Russia, they openly align themselves, saying “for peoples still being confused about TheShadowBrokers and Russia. If theshadowbrokers being Russian don’t you think we’d be in all those U.S. government reports on Russian hacking? TheShadowBrokers isn’t not fans of Russia or Putin but “The enemy of my enemy is my friend.” We recognize Americans’ having more in common with Russians than Chinese or Globalist or Socialist. Russia and Putin are nationalist and enemies of the Globalist, examples: NATO encroachment and Ukraine conflict. Therefore Russia and Putin are being best allies until the common enemies are defeated and America is great again.”

At the end of the statement, the core message of which echoes almost all alt-right narrative that this investigation has already linked directly to Russia and its disinformation, they gave a password to an auction site where the NSA tools were freely available.

The original NSA hack took place in August 2016 and drew significant commentary, including from Edward Snowden who tweeted “circumstantial evidence and conventional wisdom indicates Russian responsibility” which he interpreted – according to the New York Times – “as a warning shot to the American government in case it was thinking of imposing sanctions against Russia in the cyber theft of documents from the Democratic National Committee.”

“No one knows, but I suspect this is more diplomacy than intelligence, related to the escalation around the DNC hack,” Snowden said.

This was around the time Julian Assange’s Russian outfit Wikileaks stated they had files to release.

In January 2017 a report jointly compiled by the NSA, CIA and FBI concluded Russia’s intelligence services had conducted hacking attacks against organisations involved with the 2016 US presidential election, with the most high-profile target being the Democratic National Committee (DNC).

James A. Lewis, a computer expert at the Center for Strategic and International Studies, has previously mirrored this investigation’s concerns about the group’s use of English, saying “this is probably some Russian mind game, down to the bogus accent…some of the messages sent to media organizations by the Shadow Brokers group [were] delivered in broken English that seemed right out of a bad spy movie.”


This investigation has previously identified a hacking group known as APT28 as being directly linked to the Russian intelligence services and to hacking operations which also involve significant elements of disinformation.

They have previously claimed to be ISIS, again using flawed language patterns.

Russia’s military intelligence, the GRU, is known to operate under the name APT 28 – also known as Fancy Bears. It is rumoured that a second group with strong links to the FSB, the modern version of the KGB, exists under the name APT 29, or Cozy Bear.

Security experts believe the groups have been supporting operations to influence the domestic politics of foreign nations, including by leaking stolen information, since 2014. Attacks on the World Anti-Doping Agency, the DNC and the Ukrainian Central Election Commission are among those attributed to them.

Security company FireEye has previously documented that APT 28’s software is Russian made, saying “the malware is built during the working day of the GMT + 4 time zone, which includes Moscow and St. Petersburg, and the developers used Russian language settings until 2013.”

They also highlight that the group has extensive “zero day” attack capabilities – meaning it has deep pockets – and that it has shown it can take on multiple targets at the same time, which is indicative of state backing.

“For example, operations might involve setting up thousands of web domains, and dealing with the massive amount of information they are stealing likely involves the use of trained linguists to understand and evaluate it. All of this means that APT 28 is likely to involve hundreds of staff directly, if not thousands indirectly,” said Jonathan Wrolstad, a senior threat intelligence analyst working at FireEye.

On the 11th of May, the day before the worldwide cyber attack began, Cyberscoop reported the interception of a spear phishing attack by Romanian security services.

The attack was attributed to APT28.

The attack involved the sending of a barrage of emails, including some purporting to be from a NATO representative, to diplomatic organisations in Europe, including Romania’s Ministry of Foreign Affairs. The message came from a fake address at the hq.nato.intl domain currently used by NATO employees.

The emails carried APT28 malware which exploits “zero day” capabilities also thought to have been stolen from the NSA. In the case of the Romanian Foreign Ministry, the malicious code was hidden in a Word document entitled “Trump’s_Attack_on_Syria_English.docx”.

A NATO spokesman said “As is common practice, whenever we detect spoofed email addresses, NATO alerts the responsible authorities in Allied countries to prevent attacks from spreading. The hacker group APT 28 – which is also called Fancy Bear or Pawn Storm – is well known to the cyber defense community and we track its activities closely.”

According to Russian cyber security company Kaspersky Lab, Romania was one of the worst countries affected in the 12th of May ransomware attack.


The 11th of May was the same day US spy bosses and the acting FBI chief told the Senate intelligence committee they do not trust software from Kaspersky and as a result were reviewing its use across government.

The officials cited concerns the Russian-made Kaspersky system could be used by the Kremlin to attack and sabotage computers used in American government institutions.

The unanimous agreement on this, as well as a consensus Putin interfered in the US election, came from Daniel Coats, the Director of National Intelligence, Michael Pompeo, Director of the CIA, Michael Rogers, Director of the NSA, Andrew McCabe, Acting Director of the FBI, Vincent Stewart, Director of the Defense Intelligence Agency, and Robert Cardillo, Director of the National Geospatial-Intelligence Agency.

“Only Russia’s senior-most officials could have authorized the 2016 US election-focused data thefts and disclosures, based on the scope and sensitivity of the targets,” said Coats, adding “Russia has also leveraged cyberspace to seek to influence public opinion across Europe and Eurasia. We assess that Russian cyber operations will continue to target the United States and its allies.”

While Kaspersky’s CEO denied any wrongdoing in an open forum, one Redditor asked him why Kaspersky had paid Michael Flynn – Trump’s disgraced National Security Advisor, fired for his Russian ties.

Eugene Kaspersky said it was “a standard fee for a speech Flynn gave in Washington, DC,” and added, “I would be very happy to testify in front of the Senate, to participate in the hearings and to answer any questions they would decide to ask me.”


Also on the same day, President Trump signed an executive order commanding a review of the United States’ cyber security capabilities.

The President was initially set to sign the order shortly after his inauguration in January and held a press conference on the issue, but this was delayed.

Scott Vernick, a data security lawyer in Philadelphia, said at the time the draft made “no mention of the role that FBI, CIA and other major law enforcement agencies have in protecting the nation from hackers.”

The version of the document signed just before the worldwide cyber attack contained significant changes, placing responsibility for cybersecurity risk on the heads of federal agencies rather than the White House, and mandating a full report on cyber security concerns regarding critical infrastructure within six months. The FBI had been excluded from the original draft.

Greater responsibility for federal cybersecurity is also given to the military – a move which was rejected by the Obama administration. White House homeland security advisor Tom Bossert said: “a lot of progress was made in the last administration, but not nearly enough.”

“The Russians are not our only adversary on the internet,” he told Reuters.

The change of tack in respect of the FBI came only days after Trump’s controversial dismissal of its Director James Comey confirmed the scale of his conflict with the agency.

Former Director of National Intelligence, James Clapper, told reporters over the weekend “what’s unfolded now, here, the leader…of the investigation about potential collusion between Russia and the Trump campaign has been removed. So the Russians have to consider this as a, you know, another victory on the scoreboard for them.”

“I think in many ways our institutions are under assault,” Clapper told CNN, adding “Both externally, and that’s the big news here, is Russian interference in our election system. And I think as well our institutions are under assault internally.”

On the topic of Comey, Trump himself said “when I decided to just do it I said to myself, I said, “You know, this Russia thing with Trump and Russia is a made-up story, it’s an excuse by the Democrats for having lost an election that they should’ve won.”


The cyber attack was not random as Amber Rudd so carelessly suggested. It can easily be directly traced to Russia in two ways, and in less immediately obvious ones too.

The accompanying Russian narrative, backed externally by public figures with close ties to the country, is to blame the US Intelligence Services, which will cause (and has already caused) international distrust and discord.

Meanwhile, the Trump administration is desperately seeking to cover up its own clear Russia links, and, in doing so, is lashing out at the same security services and law enforcement agencies investigating it – all of which are damaged by the attack and affected by the burdens and provisions of his order on cyber security.

The cyber attack, somewhat suspiciously, hit Russia more times on the first day than elsewhere but caused the least disruption there. In a country well known for false flag attacks and disinformation, this is hardly surprising to anyone who has been paying attention: these tactics are as old as the Tsars.

Curiously, Putin has told the media “Malware created by intelligence agencies can backfire on its creators.”

Meanwhile, NATO has convened a five day summit under extraordinary circumstances, to discuss response options to Russia’s mass efforts to destabilise its member nations by attacking democratic processes and spreading disinformation.

It’s apparent the world has received a very pointed warning shot, apparently coming from two of the most powerful men in it, and the cyber attack’s usefulness to both Donald Trump and Vladimir Putin is impossible to disregard as a coincidence – especially in the broader context of this investigation.

Working together, Putin and Trump – along with others – have already spear-phished democracy but the Ransomware they’ve installed worldwide cannot be fixed by a software patch…