'Blackhat' tag logo

Wannacry: a full scale war game?

An unidentified group, the Shadow Brokers, stole NSA’s secret cyber-weapons and decided to publish (some of) them. A mafia group took this opportunity to develop a ransomware which will make the headlines as “WannaCry” or “Wcry”.

Fortunately, the damages were far from what they could have been:

  • Microsoft published a fix for the exact issue exploited by the ransomware just a month before these tools became public.
  • The malware embedded a trivial kill switch allowing anyone in the world to easily stop the propagation: it worked so well it was accidentally trigerred stopping malware propagation just a few hours after its release.

Without this “luck” the attack could have been damaging in a way out of proportion with what we currently encountered. The current estimation of 230,000 infected computers may seem a high and impressive number, but this is nothing like one could expect with such a piece of software. Compare this to the 11 million computers infected during Conficker infection climax.

It’s nice to see the gods of luck kindly protecting our world, isn’t it? Or may the actual story be a bit different? Personally, despite the news headlines, I cannot help myself from finding all this “luck” a bit suspicious.

Last year we already saw another wide-scale attack which made IT security specialists such as Schneier to announce Someone is learning how to take down the Internet. Today we can try to look at the WannaCry attack from a different perspective:

  • August 2016: Initial leak of NSA tools and documents by the Shadow Brokers, Edward Snowden shared that this operation may involve “more diplomacy than intelligence”:

    Circumstantial evidence and conventional wisdom indicates Russian responsibility. […]

    This may be an effort to influence the calculus of decision-makers wondering how sharply to respond to the DNC hacks.

    TL;DR: This leak looks like a somebody sending a message that an escalation in the attribution game could get messy fast.

  • January 8, 2017: The Shadow Brokers publicly reveal NSA’s catalog names of some more exploits they have in their possession, leaving room for interested parties to organize themselves. It is important to highlight that this information only mentions NSA’s exploits names, giving no technical details on the actual vulnerabilities leveraged, and therefore not enough for Microsoft alone to produce any fix.

  • February 14: Microsoft cancels for the first time in 13 years their monthly delivery of security updates because of “a last minute issue”.

  • March 14: Microsoft publishes an update fixing the vulnerability used by the afore-mentioned exploits. The “Vulnerability information” table indicates that the associated vulnerabilities are neither publicly disclosed nor have been exploited in the wild (which is obviously wrong since at least the NSA exploited them). There is no attribution for the vulnerability discovery, and Microsoft also officially stated that:

    Other than reporters, no individual or organization has contacted us in relation to the materials released by Shadow Brokers.

    So, according to their sayings, Microsoft worked alone, is not aware of anything and did not received any help from anyone.

    How lucky that they knew what to fix!

  • April 14 (Friday): After having published the password giving access to the encrypted part of their initial release accompanied by a message against Trump attack against Syrian airfield on April 8, the Shadow Brokers published the afore-mentioned tools exactly one month after Microsoft’s update was published, along with some documentation showing NSA activity notably in Asian financial networks. In their publication message, the Shadow Brokers group explicitly refer to an upcoming World War III:

    Maybe if all suviving WWIII theshadowbrokers be seeing you next week.

  • May 12 (Friday): One month later (again) the WannaCry attack begins: it will last only a few hours until the kill switch gets accidentally triggered by a security researcher.

Interesting detail: the original author and provider of the WannaCry malware and the entity behind the spread and the ransoms process may not be the same and may have diverging interests, as new versions of WannaCry with “the killswitch hexedited out” but pointing to the same bitcoin addresses are now being found in the wild. Would this kill switch be a silly developer mistake a new clean version would be published. Chances are that this was not a mistake at all from the malware provider (the Shadow Brokers themselves?) but that this feature was not known by the malicious group used to spread the malware. This group was not in measure to obtain a properly modified version and tried to do alter it with their own means as an attempt to collect more ransoms.

So, with all that being said, were we lucky? In a ransomware scenario, for me this is not luck, this is just non-sense. However, in the scenario of a demonstration of power from one nation-state to another, the ingredients seem to quickly fit-in:

  • Ensure non-attribution by setting-up a covert operation using an autonomous group to launch the attack.
  • Factually demonstrate what can be done, with frozen hospitals, public transportation, communication systems, plants, etc.
  • Ensure that things do not get out of control by both announcing at an earlier stage the exploits which will be used and including a quasi-self-destructing mechanism in the malware to quickly stop its spread as soon as the demonstration requirements are fullfilled.
  • Imagine a moment what would such an attack really be if there was no previous warning and no kill-switch, potentially even no ransom: in other words if this attack was really done with destruction in mind as a cyber-warfare operation?

Imagine the impact of such kind of attack in the context of a real WWIII as mentioned by the Shadow Brokers?

This is, IMHO, the actual message being sent here.

More about the NSA and Microsoft in another post.

Popular tags see all