Inside the hack: this is what cyberwar looks like
THE ransomware attack which hit infrastructure in dozens of countries around the world is “what global cyberwar” looks like, a computer security expert has warned. But Ian Trump added it was preventable and security teams which failed to stop it should “hang their heads in shame”.
The virus called WannaCry attacked Windows operating systems and caused a message to pop up on affected computers demanding $600 worth of Bitcoins within seven days or files would be lost forever. Trump, head of security at Edinburgh-based security software specialist ZoneFox, said it was “weaponised” and not a standard ransomware attack – which involves cybercriminals taking control of a system and demanding a ransom to unblock it. He said: “In the perspective of what just happened, this is what global cyberwar looks like. I truly believe this is a demonstration of either a nation state power or a cyber criminal group.
“The important thing is this was actually weaponised and was designed to move through the internet on its own. The most evil thing on the internet is [a virus] that just pounds on a vulnerability and then spreads like wildfire. That is exactly what we saw. What we are seeing is evolution in cyberwarfare that can do real kinetic damage to systems, can push them offline and can cripple national infrastructure. We just saw that revealed at a world scale.”
Trump said while a large number of infections were located in Russia – around 75,000 – it was possible the country was behind the attack, although he added he did not have any evidence to “point the finger”.
The way in which the virus worked was to exploit malicious software which the National Security Agency (NSA) in the USA had allegedly developed as an attack tool, and which was subsequently leaked.
Microsoft had developed a security “patch” for the problem, but as it no longer provides ongoing support for the oldest versions of its Windows system this was not automatically available for Windows XP or 2003 – leaving them “wide open” to attack.
Yesterday, shadow Labour health secretary Jonathan Ashworth said concerns were repeatedly flagged about the NHS’s outdated computer systems, which left it vulnerable to the virus.
In a letter to UK Health Secretary Jeremy Hunt, he wrote: “NHS Trusts [in England] have been running thousands of outdated and unsupported Windows XP machines despite the Government ending its annual £5.5 million deal with Microsoft, which provided ongoing security support for Windows XP, in May 2015.”
Trump said the fact malware was being built which can have this type of effect meant countries would have to re-evaluate how they defend their part of the internet. Another aspect which pointed to this being an unusual attack was that there was a “kill switch” built into the ransomware, he said.
Yesterday, a researcher who identified himself only as MalwareTech said he had accidentally activated this and stopped the attack by registering a very long nonsensical domain name which was hidden in the malware. Once the malware detected the domain name had become live the kill switch was activated. Trump said: “It was designed to be stopped – that is why I don’t think this is a run-of-the-mill ransom attack.
“That is odd – why would you do that, if you truly wanted to infect all the things, why would you put a kill switch into the programme?”
He added: “It is possible that kill switch was put in by the NSA and the hackers or cybercriminals didn’t know about it. But it is interesting there was a way of stopping it. That is why I tend to think we are not dealing with a runof-the mill cyber criminal gang, we are definitely talking about something that was devastating, but able to be turned off. That is why I tend to think this has more of a nation state ‘demonstration of power’ aspect to it.” But Trump said the attack was preventable and could have been blocked by properly configured security. “The security teams of places that did get infected need to hang their heads in shame.”