In the scale of its disruptive power, the cyberattack that crippled computer systems across the world on Friday must count as one of the most audacious attempted heists in history. The ransomware attack affected about 200,000 computers in more than 150 countries, mostly across Europe and Asia, putting most conventional larceny efforts in the shade.
And the attack is by no means over. "We're in the face of an escalating threat, the numbers are going up," Europol chief Rob Wainwright said on Sunday, with fears that the so-called WannaCry or Wanna Decryptor attack will spread further when computers and systems are turned on Monday morning.
WannaCry is a form of ransomware, a malware worm that encrypts the contents of a hard drive and holds the data hostage, and is demanding payment of between $300 and $600 to a Bitcoin account to unlock the encryption. So far, the payments to the named Bitcoin accounts have been relatively modest, in the region of €26,000, according to the BBC, but is expected to increase in the coming days. The costs of the attack, however, will far surpass the amounts paid in ransoms – cybersecurity firm Symantec puts the bill at cleaning up affected networks in the tens of millions of dollars.
Russian interior ministry
While the NHS in the UK was the highest-profile victim, it was by no means the only significant institution affected: Telefonica and utility group Iberdrola were hit in Spain, while FedEx, Renault and Deutsche Bahn also had to shut down systems. Some three-quarters of the victims appear to have been in Russia, including the Russian interior ministry.
For the NHS, a chronic lack of funding in IT infrastructure is certainly an issue – many of the trusts were still using Windows XP, which was released in 2001 – but large institutions across the world often suffer from a similar problem.
Dependent on mission critical systems, many organisations resist upgrading to avoid the inevitable inconvenience of software incompatibilities that arise with updates, only to make themselves vulnerable to the much larger disruption of a cyberattack.
However, the sequence of events in which WannaCry came about is perhaps even more alarming than the attack itself. It was based on a hack called EternalBlue that was among a suite of hacking tools belonging to the US National Security Agency (NSA) that was released into the wild on April 14th by a hacking collective called the Shadow Brokers.
The group first surfaced last August when they claimed to have a host of tools belonging to the NSA’s Tailored Access Operations programme, its elite hacking team, and were putting them up for auction.
Slowly releasing
But, having failed to find a buyer, they have been slowly releasing the material, the most recent release being the April dump that was used by the opportunistic cybercriminals behind Friday’s attack.
How and why those hacking tools came to be publicly leaked is part of a much larger struggle between international intelligence agencies, a struggle whose details are only faintly visible and come into focus only when incidents such as Friday’s attack occur.
Inevitably, most of the theories surrounding the leak are highly speculative, but educated guesses suggest the tools were initially obtained by an adversarial state actor, most likely Russia, in late 2013, months after Edward Snowden stunned the world with his revelations of extensive NSA surveillance programmes.
Theories as to how they were obtained range from an internal mole to some sloppy server security on the part of the NSA which allowed the tools to be stolen. Cybersecurity expert Bruce Schneier suggests the arrest last August of former NSA contractor Hal Martin for hoarding huge quantities of classified secrets points to the former theory as the most likely.
Whatever the details of the original expropriation from the NSA, the actions of the Shadow Brokers have changed the stakes.
Tormenting
Widely thought to be associated with Russian intelligence, the Shadow Brokers have been tormenting US intelligence agencies with their leaks – the April dump included details of how the NSA has been surveilling Middle East banks.
Cumulatively, the Shadow Brokers’ leaks have undermined the agency in a few key ways.
First of all, it is deeply embarrassing, seriously damaging the reputation of an agency tasked with protecting US citizens and firms from cyberattacks. If it isn’t capable of preserving its own secrets, how successful is it at defending the country at large?
Secondly, it has rocked the agency's relationship with Silicon Valley, already severely tested by the Snowden leaks. EternalBlue, the hacking tool WannaCry was built on, utilised a so-called "zero-day exploit" in Windows, the zero days referring to how long Microsoft has known about the vulnerability in its software.
The NSA has a huge arsenal of such exploits which it uses to hack foreign agencies, companies, banking systems and others. However, there is a tension between using these secret exploits for its own ends and alerting the software company to the vulnerability in order to patch them and defend US cybersecurity.
To resolve that tension, US intelligence agencies are supposed to engage in something called the Vulnerability Equities Process (VEP), in which they determine whether to use newly discovered exploits or whether to disclose them to the technology companies.
Belated heads-up
The VEP has plenty of critics, but fundamentally it requires a degree of trust between the intelligence agencies and Silicon Valley. The leak by Shadow Brokers gravely damages that trust: Microsoft was given a belated heads-up, allowing it to issue a patch in March, but Microsoft should be rightly furious it was not told of the vulnerability before now, and Silicon Valley will see it as evidence the VEP is broken.
Finally, the release of these tools by the Shadow Brokers sends an ominous signal: the agency which had obtained the NSA hacking tools is broadcasting to its rivals around the world that it no longer needs them. As Schneier puts it, “to publish now means that the intelligence value of the information is now lower than the embarrassment value to the NSA and CIA.” An obvious conclusion is that it now possesses even more sophisticated tools to access more recent operating systems.
While the disruption to hospitals, services and factories might get the headlines, Friday’s heist is just the most visible episode in a shadow game of cyberconflict that appears to be escalating.