By Brian Santo, contributing writer
Cyberattacks are always disruptive at the least, and dangerous at their worst, but the two most recent large-scale attacks that we know about are galling in a brand new way: They are examples of Americans’ tax dollars at work.
The hack in May, widely known as WannaCry, and the one earlier this week, called Petya, both affected networks of PCs around the world. Both are also based on code developed by the U.S. National Security Agency (NSA).
Some entity known as Shadow Brokers says that it stole a trove of NSA hacking tools, and he/they/it began publishing some of them in April. One of those tools is called Eternal Blue, which targets a vulnerability in Microsoft’s Windows operating system. WannaCry was based on Eternal Blue, and Symantec verified that Petya was, too.
WannaCry and Petya are ransomware, which infects a computer, often by inducing the user to click on an infected email attachment. Upon activation, it encrypts stored files. The hackers who spread the malware then offer to decrypt the files after a ransom is paid.
WannaCry in May appears to have been widely distributed, though it hit Britain’s National Health Service particularly hard, seizing up many hospital systems. It also infected computers around the world, including in Spain (Telefonica was affected), Russia, and Taiwan.
Petya might have had a ground zero: Ukraine. Ukraine has been subject to what is almost certainly cyberwarfare, as many security experts are convinced that Russia is deliberately trying to debilitate and destabilize its former satellite. Symantec says that Petya specifically targeted a bit of accounting software used widely in Ukraine.
Petya’s ransom offer might have also been a ruse: It apparently simply wiped machines on some networks. Wired reports that this is consistent with the activities of a hacker group that’s launched cyberattacks against Ukraine in the past. Petya also happens to be a worm, in that it is self-propagating.
Ukraine might have been Petya’s main target, but Petya, like WannaCry before it, appears to have spread out of control: It has affected organizations all over the world, including a Danish shipping company, a Russian petrochemical corporation, and the U.S.-based pharmaceutical concern, Merck.
There are two problems that security experts have with the NSA in all this. The first is the obvious one: that it managed to lose its hacking tools somehow.
The NSA has not admitted whether it had been hacked, or if it experienced some other kind of security breach. Either way, that its hacking tools are out in the wild does not reflect well on the organization.
The second problem is that when the NSA finds vulnerabilities in computer products, it doesn’t always inform the vendors of those products that the flaws exist, presumably so that it can exploit those weaknesses itself.
There is government oversight, however: Following Edward Snowden’s leak, the Obama administration consented to mounting pressure from the tech sector to share zero-day vulnerabilities and, in doing so, established government channels for disclosing newly discovered vulnerabilities.
If an agency wished to maintain the secrecy of a zero-day bug to keep the channel open, it had to argue its case through the Vulnerabilities Equities Process (VEP) to an Equities Review Board under very limited circumstances.
Microsoft, for one, had enough when WannaCry was unleashed. At the time, Microsoft president and chief legal officer, Brad Smith, blasted the NSA and CIA for what he described as stockpiling computer vulnerabilities.
Microsoft created a patch that would be a barrier to Eternal Blue before the WannaCry attacks were launched. Many organizations and individuals were able to load the update, but many organizations did not — and still hadn’t by the time Petya rolled around.
Paradoxically, common enterprise security policy was what made many of the companies that got hit in either episode susceptible to attack. Many companies will not allow individual employees to update their machines, and sometimes even IT managers are barred from installing updates on their own initiative. Instead, updates at some companies need to be approved and scheduled by a chief information officer (CIO) or equivalent.
The NSA has not commented on the two recent large-scale attacks.