HACKERS HIT NEARLY 100 COUNTRIES
Cyberattacks underscore the vulnerabilities of the digital age
HACKERS using malicious software stolen from the United States National Security Agency (NSA) executed damaging cyberattacks on Friday that hit almost 100 countries, forcing Britain’s National Health Service to send patients away and freezing computers at Russia’s Interior Ministry.
The attacks amounted to an audacious global blackmail attempt spread by the Internet and underscored the vulnerabilities of the digital age.
Transmitted via email, the software locked British hospitals out of their computer systems and demanded ransom before users could be let back in — with a threat that data would be destroyed if the demands were not met.
Kaspersky Lab, a Russian cyber security firm, said Russia was the worst-hit, followed by Ukraine, India and Taiwan. Reports of attacks also came from Latin America and Africa.
The attacks appeared to be the largest ransomware assault on record, but the scope of the damage was hard to measure. It was not clear if victims were paying the ransom, which began at about US$300 (RM1,300) to unlock individual computers, or even if those who did pay would regain access to their data.
Security experts described the attacks as the digital equivalent of a perfect storm. The connection to the NSA was particularly chilling. Last summer, a group calling itself the Shadow Brokers began to post software tools that came from the US government’s stockpile of hacking weapons.
The attacks on Friday appeared to be the first time a cyberweapon developed by the NSA and stolen by an adversary had been unleashed by cybercriminals against patients, hospitals, businesses, governments and ordinary citizens.
The US has never confirmed that the tools posted by the Shadow Brokers belonged to the NSA or other intelligence agencies, but former intelligence officials have said that the tools appeared to come from the NSA’s Tailored Access Operations unit, which infiltrates foreign computer networks. The attacks showed how easily a cyberweapon can wreak havoc, without shutting off a country’s power grid or its cellphone network.
In Britain, hospitals were locked out of their systems and doctors could not call up patient files. Emergency rooms were forced to divert people seeking urgent care.
Russia’s Interior Ministry confirmed that “around 1,000 computers were infected”.
It could take months to find who was behind the attacks — a mystery that may go unsolved.
“When people ask what keeps you up at night, it’s this,” said Chris Camacho, the chief strategy officer at Flashpoint, a New York security firm.
Rohyt Belani, the chief executive of PhishMe, an email security company, said the wormlike capability of the malware was a significant shift from previous ransom attacks.
“This is almost like the atom bomb of ransomware,” Belani said, warning that the attack “may be a sign of things to come.”
The hackers’ weapon of choice was Wanna Decryptor, a new variant of the WannaCry ransomware.
Hours after the Shadow Brokers released the tool last month, Microsoft assured users it had included a patch for the underlying vulnerability in a software update in March.
But Microsoft would not say who had tipped it off. Many suspected that the US government had told Microsoft, after the NSA realised that its hacking method exploiting the vulnerability had been stolen.
Privacy activists said if that were the case, Washington would be to blame for the fact that so many companies were left vulnerable to Friday’s attacks.
“It would be deeply troubling if the NSA knew about this vulnerability but failed to disclose it to Microsoft until after it was stolen,” Patrick Toomey, a lawyer at the American Civil Liberties Union, said.
“These attacks underscore the fact that vulnerabilities will be exploited not just by our security agencies, but by hackers and criminals around the world.”
During the Obama administration, the White House created a process to review software vulnerabilities discovered by intelligence agencies, and to determine which should be “stockpiled” for future offensive or defensive cyber operations and which should be reported to the companies so that they could be fixed.
Last year, the administration said only a small fraction were retained by the government.
But this vulnerability appeared to be one of them, and it was patched only recently, suggesting that the NSA may have concluded the tool had been stolen and therefore warned Microsoft.
But that was clearly too little, and far too late.
Hackers took advantage of the fact that vulnerable targets — particularly hospitals — had yet to patch their systems, either because they had ignored advisories from Microsoft or because they were using outdated software that Microsoft no longer supported or updated.
The malware was circulated by email. Targets were sent an encrypted, compressed file that, once loaded, allowed the ransomware to infiltrate its targets.
The fact that the files were encrypted ensured that the ransomware would not be detected by security systems until employees opened them, inadvertently allowing the ransomware to replicate across their employers’ networks.
Employees at Britain’s National Health Service had been warned about the ransomware threat earlier on Friday. But it was too late.
As the disruptions rippled through at least 36 hospitals, doctors’ offices and ambulance companies across Britain, the health service declared the attack a “major incident”, warning that local health services could be overwhelmed.
Britain’s Health Secretary Jeremy Hunt was briefed by cyber security experts, while Prime Minister Theresa May’s office said on television that “we’re not aware of any evidence that patient data has been compromised”.
As the day wore on, companies across Europe, Asia and the US discovered that they had been hit with the ransomware when they saw messages on their computer screens demanding US$300 to unlock their data.
The criminals had designed their ransomware to increase the ransom amount on a set schedule and threatened to erase the data after a predetermined cutoff time, raising the urgency of the attack and increasing the likelihood that victims would pay.
Without the ability to decrypt their data on their own, security experts said victims who had not backed up their data were faced with a choice: either live without their data or pay. It was not clear how many victims ultimately paid. The experts advised companies to immediately update their systems with the Microsoft patch.
“We’ll see copycats, and not just for ransomware, but other attacks,” Camacho said. Agencies