Already a global hero at the tender age of 23

The Star Early Edition - INTERNATIONAL - Gavin Finch

THE 23-YEAR-OLD who saved the world from a devastating cyberattack in May was asleep in his bed in the English seaside town of Ilfracombe last week after a night of partying when another online extortion campaign spread across the globe.

Around 6pm on June 27, Marcus Hutchins, a self-taught computer-security researcher and avid surfer, was awakened by a phone call from a colleague telling him another attack was under way.

Dreading a return of the virulent WannaCry malware that he stopped in its tracks the previous month, Hutchins logged on to his computer in the house he shares with his parents and younger brother to scan the latest reports.

By then, more than 80 Ukrainian banks, government agencies and multinational firms including shipping giant AP Moller-Maersk and Russia’s biggest oil company Rosneft had been hit by a ransomware attack spreading like an electronic plague across their networks.

Within 20 minutes, Hutchins later recounted, he got hold of a sample of the malware and was relieved to see it wasn’t another WannaCry, which infected hundreds of thousands of computers in more than 150 countries, but something more targeted and less virulent.

Though both attacks took advantage of flaws in Microsoft Corporation’s Windows operating system to spread their payloads, WannaCry used the internet to propagate itself – each compromised computer would scan and infect another, creating a snowball effect – while the so-called Petya attack was confined to local networks.

Petya appeared bigger at first, because hackers hit Ukrainian software company M.E.Doc and used an automatic update feature to download its malware on to the computers of all users of the software, Hutchins said.

Unlikely Hero

Researchers like Hutchins and his colleagues at Los Angeles-based threat-intelligence firm Kryptos Logic are akin to seismologists, scanning the internet for electronic tremors that could signal the next attack. This time he was only an observer, but on May 12 Hutchins stopped the WannaCry attack that crippled organisations from Britain’s National Health Service to Deutsche Bahn in Germany and Renault factories across Europe.

With a mop of curly hair, baggy jeans, T-shirt and sneakers, Hutchins is an unlikely hero. He rarely leaves rural north Devon, where he has lived since he was 8, and hadn’t travelled abroad until last year. He learned to program computers at 12 and was tracking and disrupting botnet attacks for his own enjoyment before anyone paid him to do so.


Hutchins started a blog under the pseudonym MalwareTech while still a teenager and was hired by Kryptos in 2015. He said his parents and friends didn’t even know he had a job until the WannaCry attack.

Hutchins was supposed to be enjoying a week’s holiday, but returning home after a lunch of burgers and cheesy chips with a friend and seeing the carnage WannaCry was inflicting, he couldn’t resist jumping in.

“The fact that so many NHS trusts were being hit at the same time was pretty much unprecedented,” Hutchins said in an interview a few weeks after the attack. “That for me was a massive red flag, which showed that this thing was spreading on its own.”

Most ransomware, which encrypts files on a target machine to force its owner to make a payment in exchange for decryption, is spread via e-mail attachments from rogue senders that infect host computers when they’re opened.

Hutchins said he’d expect a handful of people to click on a mass e-mail over a few days, not thousands of employees at scores of medical facilities at the same time.

After analysing a sample of the malware and seeing it spread by exploiting vulnerabilities in Microsoft’s network file-sharing protocols, he realised it was using a cyber weapon allegedly stolen from the US National Security Agency (NSA).

Known as “EternalBlue,” it was part of a cache of sophisticated NSA hacking tools targeting Microsoft software that were obtained by the Shadow Brokers criminal gang last year and leaked on to the internet in April.

Hutchins also noticed a quirk buried deep in the malware code. It tested for the existence of an unregistered nonsensical domain name.

He promptly registered the domain for £8.5 (R146) and redirected all traffic to a server designed to capture malicious data, known as a sinkhole, which would allow him to monitor the progress of the attack.

Kill switch

Although he didn’t realise it at the time, Hutchins had inadvertently triggered the malware’s kill switch. Before infecting and encrypting a computer’s hard drive, WannaCry would query the domain, and as long as it remained unregistered would proceed with the attack.

Now, when the malware checked the domain and found it active, it immediately shut down. About 100 million attempts to infect computers, including more than 7 million in the US, have been mitigated since then, according to Kryptos data.
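How a sinkhole operator turns the kill-switch check-ins just described into the kind of figures the article quotes (infection attempts mitigated, distinct systems seen, the busiest minute) is shown in this added example; it is not Kryptos Logic's or Hutchins' code, and the Apache-style log lines, their timestamps and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sinkhole web-server log lines (Apache combined style), not
# real Kryptos data. Each request is a machine that resolved the kill-switch domain,
# reached the sinkhole, and therefore halted before encrypting anything.
SINKHOLE_LOG = """\
203.0.113.10 - - [12/May/2017:15:08:01 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [12/May/2017:15:08:03 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
203.0.113.10 - - [12/May/2017:15:08:09 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
192.0.2.44 - - [12/May/2017:15:09:15 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
198.51.100.7 - - [12/May/2017:15:09:40 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
192.0.2.45 - - [12/May/2017:15:09:58 +0000] "GET / HTTP/1.1" 200 0 "-" "-"
malformed line that the parser must skip rather than crash on
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)"')

def parse_line(line):
    """Return (client_ip, timestamp) for one log line, or None if it is malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts

def checkins_per_minute(log_text):
    """Map each UTC minute to the set of distinct client IPs that hit the sinkhole."""
    buckets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is not None:
            ip, ts = parsed
            buckets[ts.strftime("%Y-%m-%d %H:%M")].add(ip)
    return dict(buckets)

def summarise(log_text):
    """Return (mitigated_attempts, unique_hosts, peak_minute, peak_unique_hosts).
    Every request is one infection that stopped. unique_hosts is only a lower
    bound, because many machines behind one NAT gateway share a source IP."""
    buckets = checkins_per_minute(log_text)
    if not buckets:
        return 0, 0, None, 0
    attempts = sum(1 for line in log_text.splitlines() if parse_line(line) is not None)
    hosts = set().union(*buckets.values())
    peak = max(buckets, key=lambda k: len(buckets[k]))
    return attempts, len(hosts), peak, len(buckets[peak])
```

Hosts whose query never reached the sinkhole (no DNS resolution, or outbound web traffic blocked) leave no trace here and were not protected by the check, so the counts describe what the sinkhole saw, not the whole outbreak.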

“At the time, we were just like ‘Yay, we can track it now,’ we didn’t know that we’d stopped it,” Hutchins said. “The minute we registered the domain we were looking at like 5 000 or 6 000 unique systems all connecting, and it went up to 200 000 within an hour. I remember thinking: Holy shit, this is really big.” – Bloomberg

Marcus Hutchins, digital security researcher for Kryptos Logic, on a computer in Ilfracombe, UK. PHOTO: BLOOMBERG
