British researcher, US engineer kill global cyberattack

New Straits Times - World

THE cyberattack that spread malicious software around the world, shutting down networks at hospitals, banks and government agencies, was thwarted by a young British researcher and an inexpensive domain registration, with help from another 20-something security engineer in the United States.

Britain’s National Cyber Security Centre and others were hailing the cybersecurity researcher, a 22-year-old identified online only as MalwareTech, who, unintentionally at first, discovered a so-called “kill switch” that halted the unprecedented outbreak.

By then the ransomware attack had crippled Britain’s hospital network and computer systems in several countries in an effort to extort money from computer users.

But the researcher’s actions may have saved companies and governments millions of dollars and slowed the outbreak before computers in the US were more widely affected.

MalwareTech is part of a large global cybersecurity community, working independently or for security companies, who are constantly watching for attacks and working together to stop or prevent them, often sharing information via Twitter.

It’s not uncommon for them to use aliases, either to protect themselves from retaliatory attacks or for privacy.

In a blog post on Saturday, MalwareTech explained that he had returned from lunch with a friend on Friday and learned that networks across Britain’s health system had been hit by ransomware, tipping him off that “this was something big”.

He began analysing a sample of the malicious software and noticed its code included a hidden web address that wasn’t registered. He said he “promptly” registered the domain, something he regularly did to try to discover ways to track or stop malicious software.

Across an ocean, Darien Huss, a 28-year-old research engineer for the cybersecurity firm Proofpoint, was doing his own analysis.

The western Michigan resident said he noticed the authors of the malware had left in a feature known as a kill switch.

He took a screenshot of his discovery and shared it on Twitter.

Soon he and MalwareTech were communicating about what they’d found: that registering the domain name and redirecting the attacks to MalwareTech’s server had activated the kill switch, halting the ransomware’s infections.

Huss and others were calling MalwareTech a hero on Saturday, with Huss adding that the global cybersecurity community was working “as a team” to stop the infections from spreading.

“I think the security industry as a whole should be considered heroes,” he said.

But he said he was concerned the authors of the malware could re-release it without a kill switch, or with a better one, or that copycats could mimic the attack.

“I think it is concerning that we could definitely see a similar attack occur, maybe in the next 24 to 48 hours, or maybe in the next week or two,” Huss said. “It could be very possible.”

The perpetrator of this wave of attacks remains unknown. Security firms Kaspersky Lab and Avast said they identified the malicious software in more than 70 countries. Both said Russia was hit hardest.

This is already believed to be the biggest online extortion attack ever recorded, disrupting services in nations as diverse as the US, Russia, Ukraine, Brazil, Spain and India.

Europol, the European Union’s police agency, said the onslaught was at “an unprecedented level and would require a complex international investigation to identify the culprits”.

The Europol chief yesterday said the cyberattack hit 200,000 victims in at least 150 countries and that number could grow when people returned to work today.

Cybersecurity experts said the spread of the virus WannaCry had slowed, but that any respite might be brief.

Europol director Rob Wainwright told ITV’s Peston on Sunday that the attack was unique in that the ransomware was used in combination with “a worm functionality” so the infection spread automatically.

“The global reach is unprecedented. The latest count is over 200,000 victims in at least 150 countries, and those victims, many of those will be businesses, including large corporations.

“We are in the face of an escalating threat. The numbers are going up.”

He said Europol and other agencies did not yet know who was behind the attack, but “normally it is criminally minded and that is our first working theory for obvious reasons”.

The ransomware exploits a vulnerability in Microsoft Windows that was purportedly identified by the US National Security Agency for its intelligence-gathering purposes.

Hackers said they stole the tools from the NSA and dumped them on the Internet. AP
