Nations race to contain hacks

HOSPITALS, FIRMS AMONG THOSE HIT

Culprits in widespread ‘ransom’ attack unknown

The Washington Post Sunday - FRONT PAGE - BY ELIZABETH DWOSKIN AND KARLA ADAM

Officials in nearly 100 countries raced Saturday to contain one of the biggest cybersecurity attacks in recent history, as British doctors were forced to cancel operations, Chinese students were blocked from accessing their graduation theses, and passengers at train stations in Germany were greeted by hacked arrival and departure screens.

Companies and organizations around the world potentially faced substantial costs after hackers threatened to keep computers disabled unless victims paid $300 or more in ransom, the latest and most brazen in a type of cyberattack known as “ransomware.”

The malware hit Britain’s beloved but creaky National Health Service (NHS) particularly hard, causing widespread disruptions and interrupting medical procedures across hospitals in England and Scotland. The government said that 48 of the NHS’s 248 organizations were affected, but by Saturday evening all but six were back to normal.

When asked if the British government paid any ransom in this situation, a Downing Street spokesman said Saturday that it had not. Amber Rudd, Britain’s home secretary, also advised against others paying ransom.

In Germany, people posted pictures on social media of scheduling screens at train stations displaying the ransomware message. Deutsche Bahn, Germany’s national railway service, tweeted that its train service had not been compromised and that it was working full speed to solve the problems. According to DPA news agency, Deutsche Bahn’s video surveillance technology also was hit.

Other targets in Europe included Telefónica, the Spanish telecom giant; the French carmaker Renault; and a local authority in Sweden, which said about 70 computers were infected.

It was still unclear Saturday who was behind the sophisticated attack.

“We’re not able to tell you who is behind that attack. That work is still ongoing,” Rudd told the BBC. She said that it has affected “up to 100 countries” and that it wasn’t specifically targeted at Britain’s NHS.

The attack was notable because it took advantage of a security flaw in Microsoft software found by the National Security Agency for its surveillance tool kit. Files detailing the capability were leaked online last month, though after Microsoft, alerted by the NSA to the vulnerability, had sent updates to computers to patch the hole.

Still, countless systems were left vulnerable, either because system administrators failed to apply the patch or because they used outdated software.

It was a jarring reminder of a stubborn reality facing security experts: Companies and other organizations collectively spent $73 billion on cybersecurity measures in 2016, according to the research firm IDC. Yet systems around the world were crippled by human error — failure to do routine software updates and employees unknowingly clicking on email attachments that contained the malware.

“This was a completely preventable attack — to the extent that organizations have comprehensive patching systems in place,” said Paul Lipman, chief executive of the cybersecurity firm BullGuard. “However, life is never that simple.”

On Friday, Microsoft released additional security updates to Windows and guidelines for consumers and businesses to protect themselves.

It’s possible that the malware didn’t spread further because of the enterprising work of a 22-year-old British cybersecurity researcher.

The researcher, whose Twitter handle is @MalwareTechBlog, realized the hackers had designed a “kill switch,” which involved a domain name that enabled them to stop the attack from spreading if the victims paid the ransoms. The researcher bought the domain name of the kill switch, and when the site went live, the attack stopped spreading.

The move didn’t help organizations that were already affected by the attack, but experts said that it limited the spread of the virus. The researcher, however, warned in a blog post that the hackers could alter the code and try again.

Hospitals called ideal targets

Health-care IT experts said it was no surprise that hospitals so easily fell victim to the ransomware attack. Health systems have faced hundreds of ransomware attacks in the past two years.

They are the ideal target for this type of malware due to a “perfect storm” of factors, said Avi Rubin, technical director of the Information Security Institute at Johns Hopkins University. For one, Rubin said, the data that they have is incredibly time-sensitive, making them most susceptible to ransomware.

“If no one ever paid these ransoms, the hackers would have no reason to launch these attacks,” Rubin said. “But I’m not the one sitting in a hospital in need of immediate medical attention.”

Hospitals also lag far behind other industries in upgrading their security and doing basic software updates. Health-care organizations in general spend 2 to 4 percent of their operating budgets on information technology, compared with 25 to 35 percent for financial services, said John D. Halamka, chief information officer of the Beth Israel Deaconess Medical Center and Harvard Medical School.

“We spend billions on new technology,” he said. “Yet the reality is that we’re still as vulnerable as our most gullible employee.”

Health-care organizations in the United States are also subject to additional regulations, which constrain their ability to do updates. Many updates require systems to go dark for some period of time, and many hospitals are not allowed to put critical systems out of use.

Poorer hospitals are particularly vulnerable. While wealthy hospitals have effectively built cybersecurity war rooms over the past two years, some smaller hospitals “don’t have enough budget to keep the lights on,” said Rubin. They often cannot afford to back up data, perhaps the most critical tool in fighting ransomware.

Russia hit hard

The malware, known as WanaCrypt0r 2.0, or WannaCry, also affected systems for FedEx, major telecommunications firms, Brazil’s social security administration, and many others around the world.

TMT post, a Chinese online news outlet focusing on the Internet industry, reported that a number of Chinese universities had been affected by the attack.

Several schools — including Nanchang University, Shandong University and University of Electronic Science and Technology of China — issued alerts on their Weibo social-media feeds, warning staff and students to back up important files and not to open suspicious emails.

According to Chinese magazine Caijing, some students’ graduation theses and projects have reportedly been encrypted.

In Russia, hacking attacks were confirmed Saturday at the Health Ministry, the state-run Russian Railways and the telecommunications company Megafon, along with the Interior Ministry, which manages the police force. There were also reports that the powerful Investigative Committee, which investigates high-level crime, and several other telecommunications companies had been targeted.

The Interior Ministry said that 1,000 of its computers had been blocked by prompts demanding payment. By Friday evening, the ministry said it had “contained” the attack and denied that any of its information had been stolen.

Jakub Kroustek, a malware researcher with Avast, a security software company in the Czech Republic, said in a blog post that Russia was the most-affected country so far. “We are now seeing more than 75,000 detections of WanaCrypt0r 2.0 in 99 countries,” he wrote Friday night.

Kaspersky Lab, a Moscow-based Internet security firm, also said that the attacks were mostly in Russia.

“Russia has a very rickety, out-of-date infrastructure, using not just outdated software but pirated out-of-date software,” said Mark Galeotti, a senior researcher at the Institute of International Relations Prague.

According to Galeotti, one Interior Ministry official in 2013 estimated that 40 percent of the ministry’s computers could be using pirated Windows software, which is widely available in Russia for download or at local computer markets.

In Brazil, the attack struck at the heart of the government — employee computers at the Justice Ministry and Brazil’s social security administration were infected. The local media also reported that the attack locked up computers in the country’s labor courts and the public prosecutor’s office.

In Britain, which is in the middle of an election campaign, the cyberattack triggered criticism of the NHS’s aging computer systems, particularly the use of Windows XP, an outdated version of the Microsoft operating system that doesn’t have the same level of defense against cyberattacks as newer operating systems.

The opposition Labour Party’s Jonathan Ashworth tweeted that the government had been complacent over cybersecurity. “We need answers on whether funding squeeze compromised security,” he wrote.

Rudd, the home secretary, stressed that there was no evidence that patient data had been compromised but said that there were lessons to learn.

She told the BBC that Windows XP was “not a good platform for keeping your data as secure as the modern ones because you can’t download the effective patches and anti-virus software.”

“I would expect NHS trusts to learn from this and to make sure that they do upgrade,” she said.

Adam reported from London. Andrew Roth in Moscow; Luna Lin in Beijing; Griff Witte and Stephanie Kirchner in Berlin; Marina Lopes in Sao Paulo; and Michael Birnbaum in Tallinn, Estonia, contributed to this report.
