Ghosts in the Machine

How cybersecurity is being threatened by governments and hackers alike.

Virgin Australia Voyeur. Words: John E Dunn. Illustrations: Igor Morski / The Illustration Room.

ALTHOUGH AUSTRALIA LIKES to see itself as a continent perched serenely on the edge of the world, when it comes to destructive computer cyber attacks, it’s unfortunately smack in the middle of the chaos with everyone else. We got a sharp reminder of this on the evening of 27 June 2017, when alarming messages started flashing up on computer screens at several large Australian businesses. “If you see this text, then your files are no longer accessible because they have been encrypted,” the message began, before demanding a US$300 ($380) payment in the Bitcoin virtual currency to recover the files.

Outwardly, the attack resembled what computer experts term ‘ransomware’, in which malicious code finds its way onto a victim’s computer before holding its precious data hostage, a common form of extortion by malware. In Tasmania, Cadbury’s Hobart chocolate factory ground to a halt as IT staff attempted to limit the destructive spread of whatever had befallen it. In the Australian offices of law firm DLA Piper, things weren’t much better, with staff at several locations unable to use their computers, while at Australia’s FedEx TNT, delivery service was interrupted. Within hours, computer security companies had a name for the malady: ‘NotPetya’, otherwise known as ‘GoldenEye’.

Australian companies weren’t the only ones on the receiving end of an attack that seemed to target large-scale organisations. The victim list started to read like a who’s who of international business, with Russian oil producer Rosneft, UK advertising giant WPP, US-based pharma company Merck and Germany’s Deutsche Post among those affected. Across the globe, computer experts working for the sprawling industry of security companies (the makers of software that should, in theory, have spotted and stopped NotPetya) were alarmed and left questioning what kind of malicious software could tear into the networks of large companies with such ease. Sure, security companies see new examples of what is generically termed ‘malware’ every day, but NotPetya was larger, more menacing and far more potent than your average ransomware.

Weak Software

In the Bucharest offices of Romanian software security company BitDefender, quietly spoken senior threat analyst Bogdan Botezatu had an idea of what might be up. NotPetya’s behaviour and rapid spread reminded him of one of the toughest days of his professional life during an even more spectacular cyber attack, later dubbed ‘WannaCry’, which had caused global mayhem only six weeks earlier, on 12 May.

“It was 5.30 on a Friday evening and people were closing down. I was about to go to the seaside with my wife,” says Botezatu. His packing was interrupted when the computer screens inside the company’s threat detection centre went into a spin and reports of infection on its customers’ computers flooded in. Botezatu then spent the next 72 hours holed up inside BitDefender HQ trying to isolate and stop what is now considered one of the most significant malware cyber attacks ever recorded. “I obviously didn’t get to the beach,” he says.

As with NotPetya, the damage caused by WannaCry was immense, with thousands of organisations badly hit in an attack that spread at lightning speed. Public bodies fell victim, too, including the Russian postal service and Britain’s massive National Health Service, which was crippled when staff were forced to turn away patients and revert to pen and paper.

Cyber attacks have been a recurring theme for the past couple of decades, but for the world to experience two such disruptive incidents on this scale within weeks was alarming. What really grabbed Botezatu and many of his peers in computer security was less what NotPetya and WannaCry did to computers (demanding modest ransom payments) and more how they had been able to slice through every layer of security in the first place. Both resembled ransomware, but Botezatu and others suspected this was only the start of something more worrisome.

This hunch turned out to be correct. Both attacks used an ‘exploit’, code that takes advantage of a software weakness, codenamed ‘EternalBlue’, believed by many experts to have been stolen from the US Government’s National Security Agency (NSA) in the summer of 2016 by a hacker group calling itself Shadow Brokers.

In April 2017, the group leaked EternalBlue, along with a clutch of other exploits, effectively publishing some of the most dangerous software code in existence. In other words, it looked as though parts of the multi-million dollar US cyber weapons program were now potentially in the hands of cybercriminals, rival nation states and any disgruntled hacker looking to sow mayhem. To borrow an analogy, it was as if the US military had essentially allowed a bunch of muggers to break into one of its airbases and steal a squadron of state-of-the-art F-35 fighter jets.

It’s no secret that nation states have been attacking each other covertly, or otherwise, for decades, but never before had such potentially dangerous software been let loose in an uncontrolled way. Many believe WannaCry and NotPetya are unlikely to be the last word on cyber attacks.

If NotPetya and WannaCry were partly cyber weapons-on-the-loose, that still didn’t explain their true purpose or who was behind them. The motivation isn’t thought to have been money. Rather, Botezatu believes they were trial runs to explore the possibilities and test the boundaries. “I think they were toying with us to see how quickly we could react,” he says. “Pandora’s box has finally been opened.”

The Internet of Things

In under two decades, computers have gone from being extravagant novelties to taking a substantial place at the centre of modern civilisation. In Australia today, eight in 10 people own a mobile device or smartphone, and almost 90 per cent are active internet users. According to Roy Morgan Research, Aussies spent about $41.3 billion online in 2016.

Meanwhile, software is increasingly being embedded inside every kind of item, from cars to new Internet of Things (IoT) devices throughout the home: coffee makers, air-quality sensors and even clothes are now able to send and receive data online. Analytics company IHS Markit predicts that by 2020 there will be 30 billion connected devices as part of the global IoT base, up from 15.4 billion in 2015.

Christie Terrill, of cybersecurity consulting firm Bishop Fox, is concerned this could bring a proliferation of security risks. “The rate at which the Internet of Things increases attack vectors is much higher than anything we’ve seen previously,” she says.


This growing software ubiquity (dependency, some would say) undoubtedly creates an opening for the ‘bad guys’, including nation states, to cause trouble. There’s even the potential to shut down power grids, disrupt traffic systems and, possibly, cripple companies and even whole economies.

One of the fundamental issues for cybersecurity is that the defenders always seem to be lagging behind the attackers; many argue a new approach is needed to break this cycle, and quickly. In June, prime minister Malcolm Turnbull announced an expansion of Australia’s cyber intelligence agency, directing the Australian Signals Directorate to ‘disrupt, degrade, deny and deter’ organised offshore criminals. “Our response to criminal cyber threats should not just be defensive. We must take the fight to the criminals,” he said, citing that since 2014, more than 114,000 suspected cyber crimes have been reported in Australia, 23,700 in the past six months alone.

After spending years defending its Windows operating system from ceaseless attacks, software giant Microsoft decided earlier this year it was time to adopt a free-thinking approach to the issue. The company’s chief legal officer, Brad Smith, used a high-profile speech to call for the digital equivalent of the Fourth Geneva Convention (which protects civilians in times of war), arguing nation states should be limited from launching cyber attacks that disrupt civilian services such as hospitals or the energy grid. “We suddenly find ourselves living in a world where nothing seems off limits,” he said.

Weeks later, a Microsoft-sponsored report suggested that a global NGO should be set up to name and shame perpetrators behind big cyber attacks, especially where they were suspected of being carried out by rogue nations. (Interestingly, Microsoft had applied a software fix in Windows to neutralise Shadow Brokers’ EternalBlue exploits back in March, before they were leaked. This was unusual enough for some to speculate Microsoft must have been forewarned, possibly by the NSA.)

Commentators see merit in the NGO initiative, contending that it would certainly provide a feedback mechanism. Phil Jones, the chief operating officer at Airbus CyberSecurity (an independent division of Airbus), says, “Some sort of cyber-regulation would be a good idea, and it would be helpful to define the international rules of engagement within the cyber landscape.”

The only hurdle is that many nations have an interest in not allowing this to happen, as cyber attacks are a cheap way to even up economic and military imbalances. “It would be a huge challenge to bring this about, and so, in practice, it is unlikely, unless we can achieve it through a common instance of protective technology across cyberspace,” says Jones.

While Jones is reluctant to be drawn on the culprits behind NotPetya and WannaCry, he is in no doubt about their menace. “Complex cyber attacks, particularly those affecting critical national infrastructure, have the potential to disrupt entire economies,” he says.

For BitDefender’s Botezatu, the mystery of who was behind WannaCry and NotPetya, and what motivated them, remains as troubling as the fact they were aided, however inadvertently, by software created for the US government. For him, the main problem is that nothing is secret anymore, although states cling tightly to that collapsing idea. He argues that the US government should have gone public when it realised some of its cyber weapons code had leaked. “It’s the government’s mess so they should help clean it up — and if we’d had warning, it would have been easier to clean up.”

The picture Botezatu paints is of a cyberspace devoid of morality, in which the idea of simple friends and foes has gone for good. “We must remain one step ahead of the bad guys and two steps ahead of the good guys,” he says.
