Cyberwar's new front: What we know about latest global attacks

With two major 'ransomware' outbreaks in as many months, WannaCry and Petya represent a new breed of attacks: malware drawing on NSA-developed cyber weapons let loose by an antagonistic and formidable hacking group. 

Vadim Ghirda/AP
A woman looks at a computer monitor backdropped by a real-time world map of cyberattacks, at the headquarters of Bitdefender in Bucharest, Romania, June 28. A new, highly virulent strain of malicious ransom software that is crippling computers globally appears to have been sown in Ukraine, where it badly hobbled much of the government and private sector on the eve of a holiday celebrating a post-Soviet constitution.

What makes up the recent wave of attacks?

The ransomware program WannaCry swept the world on May 12, encrypting victims’ files and demanding a ransom of $300 to $600 in bitcoin to release them. In what may be the largest cyberattack to date, WannaCry infected at least 200,000 unpatched Windows computers in 150 countries, locking up their files. The attack hit companies and institutions hardest, including British hospitals, German train stations, a Portuguese telecommunications company, and FedEx in the United States. Microsoft had released a security update about two months before the attack, but large institutions, where installing updates can mean costly downtime or break the software they depend on, often lag behind individual users in applying them.

Just a month later, on June 27, a new attack that borrowed and improved on WannaCry’s worm-like method of spreading automatically from machine to machine on the same network broke out in Ukraine, shutting down ATMs and computers at the Chernobyl nuclear power plant before spreading to more than 65 other countries. Nicknamed Petya, for its superficial similarities to a 2016 ransomware family of the same name (many researchers call it NotPetya for that reason), this new malware also encrypts files before demanding a bitcoin ransom. 

Are the attacks over? 

No. Both are still out there, but waning. WannaCry has been declawed, thanks to the creators’ sloppy coding and a timely move by a British security researcher who goes by the pseudonym MalwareTech. 

While examining a WannaCry sample on a computer isolated from the internet, MalwareTech noticed that, before locking up files, the program tried to connect to an unregistered domain. He immediately registered the domain as a way to track the attack’s spread, but what he didn’t realize at first was that he’d also halted the attack worldwide. Further testing showed that when WannaCry successfully connected to the domain, it went dormant without encrypting anything. Some say this feature was a “kill switch” to allow the malware’s creators to stop the attack, but MalwareTech suspects it was a crude check against analysis: some sandboxes answer every network request a sample makes, so a successful connection to a domain that should not exist could signal to the malware that it was being watched. The fix has a limit: the check is a direct connection, so machines that can reach the internet only through a proxy the malware does not use never get an answer and are still encrypted.
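The decision described above, as an added example that is not WannaCry’s code or any code from the original article: a reconstruction of the kill-switch logic with the network call injected, so it runs offline against three constructed environments (the domain unregistered, the domain sinkholed by a researcher, and a sandbox that answers every lookup), followed by the sweep a defender would run over DNS logs to find hosts that tripped the check. The domain name, the resolver behaviours and the log lines are all constructed placeholders; the page does not name the real domain.

```python
"""Reconstruction of a WannaCry-style kill switch and the DNS-log check
for it. Added example: none of this is the malware's own code, and the
domain and log lines below are constructed for illustration."""
from typing import Callable, Dict

# Constructed stand-in for the unregistered domain the sample checked.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"


class NXDomain(Exception):
    """Raised by a resolver when the queried name does not exist."""


def kill_switch_says_run(resolve: Callable[[str], str]) -> bool:
    """Return True if the sample would go on to encrypt, False if dormant.

    `resolve` stands for the DNS lookup plus connection attempt the
    malware makes before doing anything else. Only a failure lets it run.
    """
    try:
        resolve(KILL_SWITCH_DOMAIN)
    except (NXDomain, OSError):
        return True   # no answer: nothing looks suspicious, proceed
    return False      # the domain answered: stop


# Three environments the same sample could land in (all constructed).
def resolver_before_registration(name: str) -> str:
    """Before anyone registered the domain: a real NXDOMAIN."""
    raise NXDomain(name)


def resolver_after_sinkhole(name: str) -> str:
    """After a researcher registered it: resolves to a sinkhole (TEST-NET)."""
    return "192.0.2.10"


def resolver_fake_dns_sandbox(name: str) -> str:
    """Analysis sandbox that answers every lookup to capture traffic."""
    return "10.0.0.1"


# Constructed DNS query log: timestamp, client, record type, name, rcode.
SAMPLE_DNS_LOG = """\
2017-05-12T08:14:02Z 10.1.4.22 A killswitch-placeholder.example NXDOMAIN
2017-05-12T08:14:05Z 10.1.4.22 A update.example.net NOERROR
2017-05-12T09:02:17Z 10.1.7.90 A killswitch-placeholder.example NOERROR
2017-05-12T09:30:44Z 10.1.4.22 A killswitch-placeholder.example NXDOMAIN
"""


def hosts_that_queried_kill_switch(log_text: str) -> Dict[str, str]:
    """Map each client that looked up the kill-switch domain to the last
    answer it received.

    Any hit means the sample ran on that host. NXDOMAIN means the check
    failed and encryption followed; NOERROR means the domain answered
    (sinkhole or otherwise) and the sample went dormant, but the host is
    still infected and should be cleaned.
    """
    hits: Dict[str, str] = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than guess
        _ts, client, _rtype, qname, rcode = parts
        if qname.lower().rstrip(".") == KILL_SWITCH_DOMAIN:
            hits[client] = rcode
    return hits


if __name__ == "__main__":
    for label, res in [("unregistered", resolver_before_registration),
                       ("sinkholed", resolver_after_sinkhole),
                       ("fake-DNS sandbox", resolver_fake_dns_sandbox)]:
        print(f"{label:17s} -> encrypts: {kill_switch_says_run(res)}")
    print(hosts_that_queried_kill_switch(SAMPLE_DNS_LOG))
```

The sandbox case is the point of the anti-analysis theory: an environment that fakes a reply to every name looks, to the sample, exactly like a sinkholed domain, so the same code path that foils analysis is the one a registered domain triggers in the wild. The log sweep is the defender’s side of it; a NOERROR hit is a machine that was saved by the sinkhole, not a clean one.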

Petya’s Achilles’ heel, if there is one, was still undiscovered at press time. More sophisticated than its predecessor, Petya is equipped with multiple ways to spread, including harvesting administrator credentials from an infected machine and reusing them to log in to others on the same network, so a fully patched computer can still be hit once one neighbour is compromised. Unlike WannaCry’s indiscriminate propagation, however, Petya concentrates on fully penetrating a single network rather than scanning the internet for new ones. This narrower focus leads security experts to believe the new infection rate will continue to taper off. 

Who’s to blame for the attacks? 

Both attacks used hacking tools developed by the US National Security Agency (NSA), tools that exploited a flaw in SMB, the file-sharing protocol older Windows computers use to talk to each other; the exploit is known as EternalBlue. Material leaked alongside the tools indicates they had been used to spy on a service bureau of the SWIFT banking network, probably to track cash flows in the Middle East. 

The NSA exploit kit was stolen by a mysterious group known as The Shadow Brokers. After failing to auction off its goody bag of NSA-engineered spyware, the group leaked a portion in April, including what would become the heart of the new ransomware attacks. Microsoft’s March 2017 update (MS17-010) closed the flaw (perhaps thanks to a tip from the NSA), but anyone still clicking “remind me later” remains vulnerable. Members of The Shadow Brokers are thought to be Russian – or NSA insiders. 

As for the actual architects, the ease with which anyone can copy-and-paste public code makes attribution challenging, but British intelligence and an internal NSA memo blame WannaCry on the North Korea-linked Lazarus Group. Research on Petya continues to unfold.

How much will the ransomware creators rake in? 

These crimes may not pay. Bitcoin addresses are pseudonymous, but every payment to them is recorded on a public ledger, and investigators are watching the addresses WannaCry and Petya specified. At press time, no withdrawals had been made.

But the amateur way both attacks handle payments, with a handful of hard-coded bitcoin addresses instead of one per victim and, in Petya’s case, a single email contact that the provider quickly shut down, leads security experts to doubt that money is the motivation. Many suspect Petya, which spread stealthily for five days before being triggered just before Ukraine’s Constitution Day, uses ransom to mask a political blow. Some point to Russia, although the attack hit Russian networks, too.

Are we safe from future attacks? 

These particular attacks may be ebbing, but with The Shadow Brokers taking advantage of the publicity to advertise its new $65,000 NSA-hack-of-the-month subscription service, experts expect the threat to grow. The attacks have renewed debate in the security community as to how the NSA should balance its offensive and defensive missions. 

To stay safe, keep devices updated and backed up, and keep at least one copy of the backups offline: ransomware that spreads across a network encrypts any backup it can reach. If you do become a victim, experts say don’t pay up. Rewarding hackers encourages more attacks, and there’s no guarantee you’ll get your data back.

https://www.csmonitor.com/Technology/2017/0628/Cyberwar-s-new-front-What-we-know-about-latest-global-attacks