On Friday the 12th of May 2017 Britain’s NHS was among the worldwide organisations thrown into chaos by a Russian-linked cyber attack on infrastructure.
Media reports began to surface that the culprit was North Korea, according to the Russian cyber security firm Kaspersky Lab, which the US security services consider a risk to government agencies because of its Kremlin links.
In addition, the Russian disinformation network Wikileaks and former NSA operative Edward Snowden both blamed the attacks on software stolen from the US National Security Agency, which was auctioned by a group of hackers known as the Shadow Brokers.
It is now thought North Korea are not responsible for the attacks and it is confirmed that Russian intelligence services have their own “zero day” hacking capabilities which exploit defects in Microsoft Windows.
With the assistance of expert Richard Hummel, Principal Analyst, Production & Analysis at FireEye, a company that has been tracking the hacking activity of Russian intelligence services, the truth paints a very different picture.
“At this time, multiple potential attribution scenarios for the WannaCry activity are viable. We are continuing to investigate all potential attribution scenarios,” Hummel exclusively told me.
According to FireEye, financially-motivated cybercriminals are typically responsible for ransomware operations, with many such actors operating independently worldwide. “However,” Hummel says, “as of yet, none of these actors have been identified as a strong candidate for attributing the WannaCry operation.”
Numerous open-source reports allege potential North Korean involvement in this campaign but, based on FireEye’s initial analysis, the code similarities cited between allegedly North Korea-linked malware and WannaCry “are not unique enough independent of other evidence to be clearly indicative of common operators.”
The link to North Korea appears, at best, tenuous, arising from lines of code in a version of WannaCry which pre-dates the one used in the worldwide attack.
Asked more specifically if the DPRK theory stands up to scrutiny, Hummel says “we often encounter cases in which malicious actors have reused code taken from publicly-available tools or other actors’ tools. Based on our reverse engineering thus far, the similarities that are being cited between WannaCry and tools associated with the “Lazarus group” are not unique or significant enough to strongly suggest a common operator.”
“For both these reasons, we consider the possibility that WannaCry is attributable to the Lazarus group to be unproven at this time and not necessarily stronger than other attribution scenarios. The primary alternative explanation is that non-state, financially-motivated hackers are responsible for the attacks. However, we are continuing to investigate all possible attribution explanations for these attacks,” he added.
“Russia and China appeared to be two of the more heavily infected regions based on sinkhole data that can be obtained publicly,” Hummel said.
“The sinkhole data essentially identifies machines that have been infected and beaconing out to what the community has deemed the “kill switch”. If the malware successfully reaches this domain and there is an HTTP web server response, the malware will not encrypt files. If, however, the malware is unable to make a connection then it will proceed with encrypting machines.”
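The sinkhole view Hummel describes can be reproduced in a few lines. The following is an added example, not code from the article or from FireEye: it models a web server that has been made to answer the kill-switch domain, so every infected host that performs the pre-encryption check leaves one HTTP request in the access log. The log lines, the `killswitch.example` host name and the prefix-to-region table are all constructed for illustration; the rule that only requests for `/` count as beacons is an assumed heuristic to separate malware check-ins from browser and scanner noise.

```python
"""Triage of sinkhole access logs for kill-switch beacons (added example).

An infected host requests the kill-switch domain before encrypting. A sinkhole
answering that domain therefore sees one request per infected host that still
carries the check, which is the data behind per-region infection estimates.
"""
from collections import Counter
import ipaddress
import re

# Placeholder name, not the real kill-switch domain.
KILL_SWITCH_HOST = "killswitch.example"

# Constructed access-log lines (common log format plus the requested vhost).
SINKHOLE_LOG = """\
203.0.113.10 - - [12/May/2017:10:01:02 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch.example
203.0.113.10 - - [12/May/2017:10:01:09 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch.example
198.51.100.7 - - [12/May/2017:10:02:15 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch.example
198.51.100.8 - - [12/May/2017:10:02:16 +0000] "GET / HTTP/1.1" 200 0 "-" "-" killswitch.example
192.0.2.44 - - [12/May/2017:10:03:01 +0000] "GET /robots.txt HTTP/1.1" 404 0 "-" "Mozilla/5.0" killswitch.example
192.0.2.45 - - [12/May/2017:10:03:30 +0000] "GET / HTTP/1.1" 200 0 "-" "-" other.example
"""

# Constructed mapping of address blocks to regions (a real deployment would use
# a GeoIP database here).
REGION_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "Region A",
    ipaddress.ip_network("198.51.100.0/24"): "Region B",
    ipaddress.ip_network("192.0.2.0/24"): "Region C",
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" (?P<host>\S+)$'
)


def infected_hosts(log_text, kill_switch_host=KILL_SWITCH_HOST):
    """Return the set of client IPs that beaconed to the kill-switch host.

    Repeated beacons from one IP are collapsed: the sinkhole counts public
    addresses, so many hosts behind one NAT gateway appear as a single entry.
    """
    hosts = set()
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that do not parse rather than guessing
        rec = match.groupdict()
        if rec["host"] != kill_switch_host:
            continue  # request for some other name served by the same box
        if rec["path"] != "/":
            continue  # assumed heuristic: the check fetches the root only
        hosts.add(rec["ip"])
    return hosts


def region_for(ip):
    """Look up the constructed region for an address, 'unknown' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for network, region in REGION_TABLE.items():
        if addr in network:
            return region
    return "unknown"


def infections_by_region(hosts):
    """Count distinct beaconing hosts per region, most affected first."""
    counts = Counter(region_for(ip) for ip in hosts)
    return dict(counts.most_common())


if __name__ == "__main__":
    seen = infected_hosts(SINKHOLE_LOG)
    print(f"{len(seen)} distinct beaconing hosts")
    for region, n in infections_by_region(seen).items():
        print(f"  {region}: {n}")
```

Two caveats follow directly from the code. Counting is per public address, so a large office behind one gateway registers as a single infection and the true count is higher; and a variant with the domain check removed never contacts the sinkhole at all, so this data says nothing about its spread.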
Hummel notes a lack of sophistication in the operation and is clear it’s a possibility the culprits “may not have anticipated the malware would spread as widely as it has. One of these aspects is the kill switch functionality.” (The attack was halted when a young British IT blogger found a way to stop the malware communicating, though a third generation of the malware has since removed this flaw).
Vladimir Putin, the Russian President, curiously told a world forum in China that “Malware created by intelligence agencies can backfire on its creators,” in the wake of the attack.
The impact in Russia, despite the spread, was largely non-disruptive, with infections localised relatively quickly.
“Another aspect is that identified ransom payments have been reported to be relatively low thus far, suggesting the operators’ payment system may not have been equipped to handle the outcome,” Hummel added.
Across the technical and intelligence community, the low ‘ransom’ demand and the lack of withdrawal activity in the Bitcoin wallets receiving payments have raised suspicions that the financial element is little more than a ruse.
Following the attack, this investigation used a series of publicly available cyber threat mapping tools and botnet trackers and identified a correlation between the locations of computers infected with a peer-to-peer (P2P) worm virus called Sality and the distribution of WannaCry.
Hummel reviewed the possibility of the ransomware using an existing virus network to piggy-back and spread. “At this point, we haven’t ruled out any attack vector as we are still researching initial entry into networks. Sality is a worm and has the ability to download additional payloads but we have not found any evidence to suggest that it is being used as a vehicle to distribute WannaCry at this time.”
“Sality and other worms like it are heavily distributed and often very difficult to remove as it infects every binary on an infected machine and then auto-propagates. Thus, seeing similarities in distribution or infection patterns isn’t out of the question, but doesn’t mean it is the vehicle being used,” he said.
As with any virus, a patient zero must exist: a first computer has to be contaminated before the infection spreads, and there are two ways for that to happen. One is an infected email document delivered through a technique known as ‘spear-phishing’; the other is the exploitation of a “zero-day” defect, which allows hackers to infect a computer through its operating system.
“Zero day” defects are unknown to software developers until the attack happens, and are so named because they provide no time for a software patch to be released addressing the weakness.
The WannaCry hack also spreads, once it gets into a single networked machine, by using a network weakness in Windows software through an exploit developed by the NSA as an espionage tool.
“We are still investigating the original entry point, but some theories that have been circulating include email, RDP, and direct SMB exploitation. The only spreading technique we have confirmed is that SMB was used to compromise some machines. We believe the particular incidents we have observed are lateral movement or a pivot from a previously compromised device and as such are still searching for the initial intrusion vector,” Hummel said.
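The spreading behaviour Hummel confirms, one compromised device reaching out over SMB to its neighbours, has a recognisable shape in connection logs: a single source opening sessions to many distinct internal peers on port 445 within a short window. The following is an added example, not part of the article or of FireEye's tooling, that applies that heuristic to flow records. The flow lines are constructed, and the 60-second window and five-peer threshold are assumptions to be tuned for the environment (a file server's clients will look very different from a desktop's).

```python
"""Worm-like SMB fan-out detection over connection records (added example).

One infected host pivoting to its peers over SMB produces many distinct
destinations on port 445 in a short time. Legitimate traffic is usually
either many sessions to the same few servers or a slow trickle of targets.
"""
from collections import Counter, defaultdict, deque
from datetime import datetime

SMB_PORT = 445
# Assumed thresholds; tune per network.
WINDOW_SECONDS = 60
FANOUT_THRESHOLD = 5

# Constructed flow records: timestamp, source, destination, destination port.
# 10.0.0.5 sweeps seven peers in twelve seconds; 10.0.0.9 talks to one file
# server repeatedly; 10.0.0.7 visits six hosts but three minutes apart.
FLOW_LOG = """\
2017-05-12T10:00:00Z 10.0.0.5 10.0.0.20 445
2017-05-12T10:00:02Z 10.0.0.5 10.0.0.21 445
2017-05-12T10:00:04Z 10.0.0.5 10.0.0.22 445
2017-05-12T10:00:05Z 10.0.0.9 10.0.0.50 445
2017-05-12T10:00:06Z 10.0.0.5 10.0.0.23 445
2017-05-12T10:00:08Z 10.0.0.5 10.0.0.24 445
2017-05-12T10:00:09Z 10.0.0.9 10.0.0.50 445
2017-05-12T10:00:10Z 10.0.0.5 10.0.0.25 445
2017-05-12T10:00:12Z 10.0.0.5 10.0.0.26 445
2017-05-12T10:00:15Z 10.0.0.9 10.0.0.50 445
2017-05-12T10:00:20Z 10.0.0.9 10.0.0.50 445
2017-05-12T10:00:30Z 10.0.0.5 10.0.0.80 80
2017-05-12T10:00:00Z 10.0.0.7 10.0.0.30 445
2017-05-12T10:03:00Z 10.0.0.7 10.0.0.31 445
2017-05-12T10:06:00Z 10.0.0.7 10.0.0.32 445
2017-05-12T10:09:00Z 10.0.0.7 10.0.0.33 445
2017-05-12T10:12:00Z 10.0.0.7 10.0.0.34 445
2017-05-12T10:15:00Z 10.0.0.7 10.0.0.35 445
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        # Accept a trailing 'Z' on every supported Python version.
        when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        flows.append((when, src, dst, int(dport)))
    return flows


def smb_fanout_alerts(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {source: peak distinct SMB destinations seen within `window` seconds}
    for every source whose peak reaches `threshold`."""
    by_src = defaultdict(list)
    for when, src, dst, dport in sorted(flows):
        if dport == SMB_PORT:
            by_src[src].append((when, dst))

    alerts = {}
    for src, events in by_src.items():
        recent = deque()          # events still inside the sliding window
        in_window = Counter()     # distinct destinations -> occurrences
        peak = 0
        for when, dst in events:
            recent.append((when, dst))
            in_window[dst] += 1
            # Expire everything older than the window relative to this event.
            while (when - recent[0][0]).total_seconds() > window:
                old_when, old_dst = recent.popleft()
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, peak in smb_fanout_alerts(parse_flows(FLOW_LOG)).items():
        print(f"ALERT {src}: {peak} distinct SMB peers within {WINDOW_SECONDS}s")
```

The sliding window is what separates the sweep from the slow trickle: 10.0.0.7 contacts as many hosts as an infected machine might, but spread over fifteen minutes it never exceeds one peer per window. Widening the window or lowering the threshold will catch slower scans at the price of more noise from backup jobs and administrators, which is why the two knobs are parameters rather than constants buried in the loop.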
In the days preceding the attack, there was no apparent clue in data traffic which could identify a likely source. Hummel is clear that “based on the evidence and inconclusive research into the original entry point, characterising a “potential” distribution vector would likely be misleading.”
Prior to the worldwide attack, FireEye was instrumental in stopping a spear-phishing threat targeted at NATO, along with other European Defence and Security Agencies. One of the victims was the Romanian Foreign Ministry and the country was one of the worst affected in the subsequent worldwide attack.
This spear-phishing incident, which attempted to infect these key infrastructure networks with malware, came from a group known as APT28, widely believed to be the GRU, a Russian intelligence service.
FireEye’s technical documents coincide with Microsoft’s, who released two patches to shut down the “zero day” defects exploited by the GRU. “The two recently patched APT28 0-days were used to target European Defense and Security entities. The vulnerabilities were in Microsoft Office and Microsoft Windows,” Hummel confirmed.
“The APT28 vulnerabilities were not related to ShadowBrokers,” he added, making clear that the NSA are not the only intelligence service to have developed and deployed cyber attack weapons.
Investigations and disruptions across the world continue.