The Sunday Telegraph

British spies join global hunt for gang who hit NHS

The hackers who used the tools stolen from the NSA may not have realised the power they were unleashing

- By Robert Mendick and Ben Farmer

BRITISH intelligence agencies were last night drawn into the international hunt for the masterminds behind the biggest cyber attack in history.

Security services said analysts from the three main spy agencies – MI5, MI6 and GCHQ – were being deployed to investigate “the full spectrum of what happened” in the search for those responsible.

“They are looking at this cyber hack end to end,” said the Whitehall source.

Crime agencies are understood to be seeking two separate gangs – one with possible links to the Kremlin which stole US National Security Agency (NSA) cyber tools that allowed the attack to take place; and a second crime syndicate which has attempted to hold hundreds of organisations, including the NHS, to ransom.

Europol, the European Union’s police agency, said the attack was “at an unprecedented level and will require a complex international investigation to identify the culprits”.

Yesterday the cyber attack had spread to more than 100 countries, infecting more than 130,000 IT systems.

Companies and organisations are bracing themselves for further disruption when staff return to work tomorrow and try to switch on computers not used since Friday.

The inquiry will focus first on a group called Shadow Brokers, which stole a cyber “weapon” developed by the NSA that gave remote access to computer systems operating Microsoft Windows. Shadow Brokers announced itself to the world in August last year, declaring it had hacked into a huge cache of NSA files which it would sell online to the highest bidder.

The information it had obtained had come from a secret body within the NSA called The Equation Group, which specialised in developing cyber-security hacks to allow the US Government to spy on enemy states, such as North Korea and Russia, as well as terrorist organisations including Islamic State of Iraq and the Levant (Isil).

The Equation Group will have developed its hacking “weapons” working alongside British agencies such as GCHQ and Her Majesty’s Government Communications Centre. The various agencies swap cyber-hacking information, but it raises the very real possibility that British intelligence could have inadvertently aided Friday’s computer meltdown. Sources would not be drawn on that.

Within days of Shadow Brokers’ declaration that it had obtained NSA files, the FBI had raided the home of Harold Thomas Martin, 51, a US navy veteran and contractor working for the NSA, arresting him for the theft of the hacking tools that included material also in possession of Shadow Brokers.

Mr Martin remains in jail awaiting trial amid intense speculation he was the source of the leak to Shadow Brokers. His arrest was kept secret until October over an alleged crime said to be the “single largest removal of classified information in US history”.

It is possible that Shadow Brokers hacked into Mr Martin’s systems or that he was simply caught up as “collateral damage” when investigators began seeking the source of the Shadow Brokers’ documents.

The initial dump of documents in August was highly damaging to the NSA, serving as a warning that the organisation had worked out various ways of getting behind firewalls to infiltrate the computers of adversaries.

The circumstantial evidence, according to analysts, was “compelling” that Shadow Brokers was backed by the Russian state.

At some point after the theft, the NSA contacted Microsoft to warn the software giant its best-selling Windows operating system was compromised.

By March, Microsoft had developed a fix – known as a “patch” – that could protect its computers. The fix was only available for Windows 7, introduced in 2009, and newer versions. The NHS, with a disparate IT system that includes older versions such as Windows XP, would prove particularly vulnerable to what would happen next.

A day after President Donald Trump ordered the first US air strikes on the Syrian regime, Shadow Brokers issued a rare statement in broken English on the internet: “respectfully, what the f-- are you doing? The Shadow Brokers voted for you. The Shadow Brokers is losing faith in you.”

Six days later, on April 14, the group “dumped” details of the NSA’s hacking weapon “Eternal Blue” and how to use it on an obscure website. Effectively, it had primed the most destructive “hacking weapon” ever and made it available to anyone willing to use it.

Exactly who picked up the Shadow Brokers’ baton is the subject of the second stage of the inquiry. The likelihood is a “non-state actor”, according to intelligence sources, pointing to the likelihood of a crime gang, possibly operating out of the old Eastern Bloc. The crime gang sent fake emails to computers around the world, gaining remote control when users fell for “phishing” emails and clicked on links.

The crime gang deployed “Eternal Blue” to get into the Windows operating system and then used a second virus – a “ransomware” known variously as WanaCrypt or WannaCry – to make money out of the cyber hack.

Ransomware hijacks a computing system and encrypts all the files on it; the only way to unlock them is to pay a ransom. The gangsters demanded $300 for each computer unlocked, to be paid in Bitcoins – a virtual currency. By last night there was little evidence the attack had reaped huge rewards. Just over $30,000 (£23,000) had been harvested from 106 transactions in three Bitcoin accounts used by the cyber criminals.

One cyber-security expert said the gang behind the ransom demand appeared to be “amateur”. Sean Sullivan, a cyber-security adviser with security firm F-Secure, said the gang did not realise it had in its possession the most powerful cyber-hacking tool in history. It simply wasn’t prepared for the numbers of computers it would infect.

“Somebody was playing with fire; they have created something that is spreading far faster than they had thought it would,” said Mr Sullivan. “Now instead of raking in the money they will have every law enforcement agency on earth looking for them. They are not going to get away with it.”

Ambulances wait outside a hospital on Friday
Harold Thomas Martin is awaiting trial in the US over the NSA security breach. Below, a railway display board in Germany falls victim to the virus
