Cyberattack lands NSA in controversy
As virus spreads, news that the agency failed to safeguard a spying tool stirs criticism.
A crippling computer virus morphed into the biggest ransomware attack in history, triggering a wave of aftershocks being felt well beyond the victims who found their data held hostage.
The so-called WannaCry virus once again placed the cyberactivities of the U.S. National Security Agency in a global controversy. Experts criticized the spy agency for not only developing a dangerous tool to exploit a vulnerability in Windows computers, but also letting it fall into the hands of criminals.
The ransomware attack secretly searched computers for personal files, encrypted them and then displayed a demand for ransom to release the files.
The virus struck with lightning speed. Cybersecurity researchers had warned that such an event was increasingly likely because aging computer operating systems were not being updated with the latest software protections.
The digital blackmail scheme played on people’s worst fears about the risks of living in a connected world where technology such as autonomous cars and medical devices raise the possibility of far more lethal hacks.
After surfacing Friday, the attack continued to gather momentum.
“I don’t see how it’s going
gather momentum.
“I don’t see how it’s going to end,” said Phil Lieberman, president of Lieberman Software. “There’s this list of problems with security that have gone on for the last 10 or 15 years that weren’t fixed and that people didn’t take seriously. And now the bill is coming due.”
By Saturday evening in Europe, the cybersecurity firm Avast was reporting that it had recorded a “massive peak” of WannaCry attacks, bringing the total to 126,000 computers in 104 countries.
Although no corner of the globe seemed immune, Europe initially appeared to be hardest hit, particularly Britain, where the National Health Service suffered an attack on 48 centers.
The health service was particularly vulnerable because so many of its systems ran on Windows XP, a version of the operating system Microsoft stopped supporting years ago.
“The widespread nature of this attack suggests that organizations are still slow to patch significant vulnerabilities like the one currently being associated with this event,” said Travis Farral, director of security strategy at the cybersecurity firm Anomali.
Microsoft took the extraordinary step of issuing software patches this weekend for old versions of Windows, such as XP.
“Many of our customers around the world and the critical systems they depend on were victims,” the company’s security unit wrote in a blog post. “Seeing businesses and individuals affected by cyberattacks, such as the ones reported today, was painful. Microsoft worked throughout the day to ensure we understood the attack and were taking all possible actions to protect our customers.”
Although Britain was hit early, Avast reported that new cases were concentrated in Russia, Ukraine and Taiwan. Russian officials confirmed reports that the nation’s train system and Interior Ministry had been hit, along with a number of businesses. Infections were also reported in China, as well as by companies and government agencies in Spain, Italy and the United States.
Christy Wyatt, chief executive of the cybersecurity firm Dtex Systems, said the virus did not seem to have a specific target. The attack was simply spreading to the most poorly defended computer networks.
“When someone is taking a very large swing like this, they’re going to be indiscriminate,” she said. “They’re looking for impact.”
For those already hit, the options were limited. The hackers have been demanding $300 in electronic money known as bitcoin to regain access to the data. According to the Internet security software firm Kaspersky Lab, about 70 people had paid just over $20,000 into the three bitcoin accounts linked to the attack.
“We do not recommend paying the ransom, as this only encourages the criminals to continue their activities,” said Costin Raiu, director of Kaspersky Lab’s Global Research and Analysis Team. Kaspersky said it is working on a solution to allow users to decrypt their information without paying.
The virus appeared Friday after a week of cybersecurity news.
President Trump on Thursday signed an executive order calling for a review of U.S. cybersecurity assets and defenses. The European Union also released this week a review of progress made under a five-year plan to create a more unified cybersecurity strategy across its 28 member states.
Security experts said the WannaCry attack may shift the debate about privacy and cybersecurity.
“Regulatory frameworks are fantastic,” said Becky Pinkard, vice president of service delivery and intelligence at the cybersecurity firm Digital Shadows. “The problem is that they are slow moving, and they’re slow to come together. Anything that will come on the back of this will come at a very slow pace.”
Security researchers said the NSA is likely to face its greatest scrutiny since the release of the Edward Snowden documents revealing the extent of the agency’s spying activities.
Experts were appalled that the NSA had failed to safeguard one of its surveillance tools.
“Losing your tools, losing what the government paid you to do, losing your cyberweapons, it’s a really tragic event that’s going to hurt the world,” Lieberman said. “To have them fall into the hands of criminals is just awful.”
The vulnerability that the NSA found in Windows was probably a surveillance gold mine. It gave outsiders almost unhindered access to a computer.
The NSA’s discovery of what was code-named EternalBlue was hacked and published in April by a group known as the Shadow Brokers. That month, Microsoft issued a security patch to plug the vulnerability.
On unprotected computers, the WannaCry virus enters the system and plants software that encrypts information. The virus generates an encryption key, registered at a remote site on the Internet. Once the location is identified, an alternative version of the site can be set up to trick the virus and prevent the encryption.
Lieberman said there have been two waves of the virus, and both have been blocked this way.
The problem now is that hackers can relaunch another version of the virus with a different destination. The cybercriminals are more likely to seek money from critical infrastructure such as hospitals, utilities and telecommunication firms.
“You need to defend the network as if your life depends on it,” said Pablo Garcia, chief executive of the security firm FFRI. “Because in this case, the healthcare organizations being hit with the latest ransomware, life really does depend on the compromised network assets being held for ransom.”