The lessons of the WannaCry cyber attack
This week, Chelsea Manning walked free from a Kansas prison. The beneficiary of an act of clemency from president Barack Obama during his final days in office, Manning’s sentence was reduced from 35 years to seven. “Justice has been served,” Obama said. His intelligence services weren’t so sure.
Along with Edward Snowden, Manning has become synonymous with large-scale intelligence leaks. Then a private with the United States Army, Manning passed on hundreds of thousands of documents to WikiLeaks, and footage of a US Apache helicopter killing 12 civilians, which WikiLeaks would publish under the title “Collateral Murder”. In 2010, Manning was arrested and later charged with espionage.
But the person responsible for the largest breach of US secrets is a man you have probably never heard of. When Hal Martin III was arrested in August last year, investigators found his home stuffed with highly classified documents pilfered from the National Security Agency and Central Intelligence Agency. Like Snowden, Martin was a Booz Allen Hamilton contractor, and prosecutors now allege he had for years been illegally accumulating a massive trove of intelligence. Though his indictment does not include anything about the dissemination of the intelligence – and his lawyers argue that it was purely for his “obsessive” research – Martin may be a crucial link in determining the provenance of this week’s WannaCry cyber attacks.
It is as difficult to parse the origin of the global cyber contagion as it is to track its propagation. But WannaCry itself – the worm that infected hundreds of thousands of computers this week, encrypted their files, and demanded a ransom in bitcoin in exchange for unlocking them – is simple enough. According to security experts I spoke to, it’s commonplace.
Hitched to EternalBlue – an exploit developed by the National Security Agency for a flaw in SMBv1, the ageing file-sharing protocol built into Windows – WannaCry spread quickly from one unpatched machine to the next without anyone having to open an attachment or click a link, damaging public institutions, businesses and private computers. Probably most affected was Britain’s National Health Service, which stores and shares patient data, and was temporarily crippled by the so-called ransomware. As a result, some emergency wards were closed and surgeries delayed. Cyberwarfare may once have been considered an esoteric fancy, but the damage to Britain’s public health system was an obvious reminder that software can be weaponised and cause global chaos.
WannaCry was unleashed by a separate group, but it was the last actor in a chain beginning with US intelligence, its possible moles and mercantile hackers – who may or may not be state-sponsored agents masquerading as mercantile hackers. If this sounds confusing, it’s because it’s meant to be. A part of cyber espionage is technical obfuscation – the erasure of identifying elements, such as configuration data, build timestamps or language settings, or the planting of misleading ones. It’s a modern extension of the spy’s tradecraft, which is concerned with concealment and misdirection. But there are plenty of things we do know, and it’s worth sketching the actors involved in this attack before examining its consequences.
WannaCry was a sort of Frankenstein’s monster, an effective but inexpert assemblage of parts. The ransomware spread by means of an “exploit” – code that abuses a flaw in an operating system to run an attacker’s instructions on it without permission. In this case the flaw lay in the SMBv1 file-sharing service and existed in every version of Windows from XP through to Windows 10, but the machines actually infected were overwhelmingly unpatched Windows 7 and Windows Server 2008 systems: supported versions, Windows 10 included, had received a fix in March, and Windows XP machines tended to crash under the exploit rather than spread the worm, although there’s a dearth of data on the specific systems affected. The exploit was allegedly – in fact, almost certainly – developed by a special cyber team within the National Security Agency, and might have been included in the trove of documents Hal Martin is alleged to have removed.
Whether EternalBlue was leaked by an insider or stolen by an outside hacker is crucial – both the CIA and NSA have suffered, since Snowden, a series of compromises that have resulted in their hacking tools, developed by cyber op teams, being published online. Both agencies have a longstanding policy of refusing to confirm or deny the authenticity of leaked documents, but there is consensus among security experts that these tools are genuine. The question remains: is there a mole, or have highly secured NSA and CIA servers been breached by an outside party?
A prevailing theory among security experts is that the answer is both: that the government’s cyber weapons being published online originated with Martin, who himself was hacked. For now, it is merely a theory, muddied by accusations and counteraccusations. But what we know is that a group calling itself the Shadow Brokers published EternalBlue itself, along with a cache of other NSA tools, online in April. Every security expert I spoke with was convinced the group was Russian, and they pointed to something far more alarming than EternalBlue – a recent post claiming the group was in possession of information that could compromise the nuclear missile programs of China, Iran, Russia and North Korea.
There are a number of players in this story: the intelligence agencies that explore exploits and craft malware; the tech vendors whose products are subject to these secret plots; the adversarial states tasked with extracting them; the parasitic groups ready to exploit or sell whatever malicious code is published; and the consumers – institutional and individual – whose sprawling networks or personal laptops use the compromised systems.
There is cascading responsibility, but this week the president of Microsoft, Brad Smith, made it clear where much of it lay. “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” he said. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organised criminal action.
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Fearing the malicious publication of EternalBlue – which, of course, happened – the NSA reportedly tipped off Microsoft about the vulnerability earlier this year. The spy agency says it does this – that is, advises the tech vendor of a flaw in its product – in approximately 90 per cent of cases. With EternalBlue, Microsoft issued a security patch, bulletin MS17-010, for all supported versions of Windows on March 14, two months before the ransomware was unleashed; once the outbreak began it also released emergency fixes for unsupported systems such as Windows XP and Windows Server 2003. But a patch only protects a computer once someone installs it, on every machine on the network. In many instances, negligence, complacency or software too old to be supported meant this wasn’t done.
“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers. The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect,” Smith said.
“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.”
But in some circumstances, networks are simply too large, complicated and important to be taken offline.
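The practical question the patching debate leaves a defender with is which machines still answer on the protocol EternalBlue attacked. The Python below is an added example written for this page, not code from the article, from WannaCry or from any vendor: it sends a minimal SMBv1 Negotiate Protocol Request offering only the “NT LM 0.12” dialect and classifies the reply, so a host that still speaks SMBv1 can be identified without touching the vulnerable code path at all. The packet layout follows the MS-CIFS specification; the sample response bytes are constructed here for offline testing rather than captured from a real server, and the flag values and host name are this example’s own choices.

```python
"""Probe whether a host still accepts SMBv1, the protocol EternalBlue abused.

Added example (not code from the article or from WannaCry). Sends an SMB1
Negotiate Protocol Request that offers only the "NT LM 0.12" dialect. A server
that answers with an SMB1 negotiate response naming that dialect still speaks
SMBv1; a Windows host with SMBv1 disabled closes the connection instead.
"""
import socket
import struct
import sys

SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
NT_LM_012 = b"NT LM 0.12"        # the dialect Windows speaks for SMBv1
SMB1_HEADER = "<4sBIBHH8sHHHHH"  # 32-byte SMB1 header, little-endian


def build_smb1_negotiate(dialects=(NT_LM_012,)) -> bytes:
    """Return a NetBIOS-framed SMB1 Negotiate Protocol Request."""
    header = struct.pack(
        SMB1_HEADER,
        SMB1_MAGIC,          # protocol id
        SMB_COM_NEGOTIATE,   # command
        0,                   # NT status (unused in a request)
        0x18,                # flags: case-insensitive, canonicalised paths (assumed values)
        0xC853,              # flags2: unicode, NT status, long names, extended security
        0,                   # PID high
        b"\x00" * 8,         # security features (unused for negotiate)
        0, 0, 0, 0, 0,       # reserved, TID, PID low, UID, MID
    )
    # Each dialect is a 0x02 buffer-format byte followed by a NUL-terminated string.
    dialect_block = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = header + bytes([0]) + struct.pack("<H", len(dialect_block)) + dialect_block
    # Direct-TCP transport on port 445: zero byte plus 24-bit big-endian length.
    return b"\x00" + len(body).to_bytes(3, "big") + body


def classify_negotiate_reply(data: bytes) -> str:
    """Classify what a server sent back to our SMB1 negotiate.

    "smb1"          server picked one of our SMB1 dialects (SMBv1 is on)
    "smb1-rejected" SMB1 header came back but no dialect was accepted
    "smb2"          server answered with an SMB2 header instead
    "no-smb"        empty, truncated or non-SMB reply (e.g. connection closed)
    """
    body = data[4:]  # strip the 4-byte NetBIOS session header
    if len(body) < 32:
        return "no-smb"
    if body[:4] == SMB2_MAGIC:
        return "smb2"
    if body[:4] != SMB1_MAGIC or body[4] != SMB_COM_NEGOTIATE:
        return "no-smb"
    status = struct.unpack_from("<I", body, 5)[0]
    word_count = body[32] if len(body) > 32 else 0
    if status != 0 or word_count == 0 or len(body) < 35:
        return "smb1-rejected"
    dialect_index = struct.unpack_from("<H", body, 33)[0]  # first word of the response
    return "smb1-rejected" if dialect_index == 0xFFFF else "smb1"


def probe_smb1(host: str, port: int = 445, timeout: float = 3.0) -> str:
    """Connect to host:port, send the negotiate, and classify the reply."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            sock.sendall(build_smb1_negotiate())
            reply = sock.recv(4096)
        except (ConnectionError, socket.timeout):
            return "no-smb"  # SMBv1-disabled Windows hosts drop an SMB1 negotiate
    return classify_negotiate_reply(reply)


def sample_negotiate_reply(dialect_index: int) -> bytes:
    """Constructed SMB1 negotiate response (not a real capture) for offline testing."""
    header = struct.pack(SMB1_HEADER, SMB1_MAGIC, SMB_COM_NEGOTIATE, 0, 0x98, 0xC853,
                         0, b"\x00" * 8, 0, 0, 0, 0, 0)
    words = struct.pack("<H", dialect_index) + b"\x00" * 32  # 17 words: DialectIndex + 16 more
    body = header + bytes([17]) + words + struct.pack("<H", 0)  # WordCount, words, ByteCount
    return b"\x00" + len(body).to_bytes(3, "big") + body


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Probe a real host, e.g. python smb1probe.py fileserver.example.internal
        print(sys.argv[1], probe_smb1(sys.argv[1]))
    else:
        for idx in (0, 0xFFFF):
            print(f"constructed reply, dialect index {idx:#x}:",
                  classify_negotiate_reply(sample_negotiate_reply(idx)))
```

Run it with a hostname to probe a machine you are authorised to test; with no argument it exercises the classifier on the constructed replies. A result of “smb1” means the host still negotiates SMBv1, which is the condition to remediate: installing MS17-010 removes the flaw, and disabling SMBv1 where nothing still needs it removes the attack surface regardless of patch state.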
“Who can be trusted?” one security adviser asked. “Inherent to all of this is spy craft. It’s modern-day warfare. There’s so many actors who have different agendas.”
There is a delirious absurdity here. While the origin of WannaCry is investigated, and the ethics and security of government cyber weapons debated, Trump is impetuously blurting secrets to adversaries in the Oval Office. If this were not enough, his authoritarian contempt for his own intelligence community is yielding a level of leaks we’ve not seen since Watergate – or perhaps ever. The weakest point in Western intelligence may no longer be contractors or insecure servers, but the president of the United States. Meanwhile, the Shadow Brokers promise more chaos and malice.
This article was first published in the print edition of The Saturday Paper on May 20, 2017 as "Ware games".