US spy chiefs’ bug stolen and unleashed on the world
A CYBER gang with possible links to Russia was being blamed last night for the extraordinary worldwide computer security breach – possibly in retaliation for US airstrikes on Syria.
The mysterious organisation, called Shadow Brokers, claimed last month it had stolen from an American spy agency a “cyber weapon” that gives unprecedented access to all computers using Microsoft Windows, the world’s most popular computer operating system.
The hacking tool had been developed by the National Security Agency (NSA), America’s powerful military intelligence unit. The NSA had developed its “Eternal Blue” weapon to gain access to computers used by terrorists and enemy states.
The Shadow Brokers gang in turn “dumped” the computer bug on an obscure website on April 14, just a week after President Donald Trump ordered the US bombing of Syria.
Some experts believe that timing is significant and indicates that Shadow Brokers has links to the Russian government.
In an internet posting, six days earlier on April 8 – a day after the first airstrikes – Shadow Brokers appeared to issue a warning to President Trump.
In a statement, the group said in broken English: “Respectfully, what the f--- are you doing? The Shadow Brokers voted for you. The Shadow Brokers supports you. The Shadow Brokers is losing faith in you. Mr Trump helping the Shadow Brokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”
It is believed “Eternal Blue”, having been dumped by Shadow Brokers, was then picked up by a separate crime gang which used it to gain remote access to computers, including systems that brought parts of the NHS to a standstill.
The gang, having gained access to computers, then deployed a second software programme – using ransomware called Wanacrypt or Wannacry – which hijacks a computing system and encrypts all the files contained on it. The only way to unlock the files is to pay a ransom. In this case, the gang is demanding $300 for each computer it unlocks – paid in “bitcoins”, a virtual currency used on the internet.
Sean Sullivan, security adviser to F-Secure, a cyber security company, said “Eternal Blue” was used as the “crowbar” that effectively opened the doors to computers, making them vulnerable – and the ransomware was the “hand grenade” that followed. The results have been devastating.
It is thought the NSA warned Microsoft its hacking tool had been stolen earlier this year, prompting Microsoft to develop a “patch” in March allowing computer users to protect their systems from cyber attack. But operating systems older than 2009 are not thought to have been protected. This may have made the NHS more vulnerable because of outdated systems in some hospitals and GP surgeries due to lack of IT investment.
Graham Cluley, a computer security expert, said: “Microsoft developed the patch after an exploit was taken from US intelligence.
“The US intelligence agency found a security hole in Microsoft software and rather than doing the decent thing and contacting Microsoft they kept it to themselves and exploited it for the purposes of spying. Then they themselves got hacked.
“And it was at that point Microsoft thought, ‘Jesus, we need to patch against this thing’. It’s likely that regular online criminals simply used the information that the Shadow Brokers put on the internet and thought ‘how can we monetise this’.”
Nobody knows who is behind Shadow Brokers but in a statement issued to a specialist technology website in December, the gang said: “The Shadow Brokers is not being irresponsible criminals. The Shadow Brokers is opportunists. The Shadow Brokers is giving ‘responsible parties’ opportunity to making things right.”
Edward Snowden, the NSA whistleblower now living in exile in Russia, claimed last year that Shadow Brokers was backed by the Kremlin. Snowden tweeted that “circumstantial evidence and conventional wisdom indicates Russian responsibility”.
Cyber security experts told The Daily Telegraph the ransomware was being quickly spread by a wave of “phishing” emails carrying bogus attachments that infected computers when unsuspecting users clicked on them.
By last night, the ruse appeared to be paying off handsomely.
Adam Meyers, vice president of intelligence at the cyber firm CrowdStrike, said thousands of dollars had been tracked rolling into internet accounts set up to receive the ransom payments.
However, official government advice is not to pay criminals behind such attacks.
Mr Meyers said: “We advise people not to pay, because if people do pay, it emboldens these criminal actors.”
He instead urged organisations to make sure they had backed up their data and installed the latest software updates and security. Employees in the NHS also had to be warned how to spot the suspect emails, he said.
Eternal Blue is the crowbar to open the door. The ransomware is the hand grenade they throw through the door...