While I am a man who broadly accepts coincidence, I don’t accept it exists in such a state of consistency as to make an identifiable pattern. APT28 and the Shadow Brokers were operating the same software and the same narrative and, I quite reasonably believed as a result, were the same people. It would, of course, make sense them for them to dump the tools on the internet for all too, to muddy the waters by introducing yet more plausible deniability.
The 11th of May was also the same day US spy bosses and the acting FBI chief told the Senate intelligence committee they did not trust software from Kaspersky and, as a result, were reviewing its use across government. The officials cited concerns the Russian-made Kaspersky system could be used by the Kremlin to attack and sabotage computers used in American government institutions. The unanimous agreement on this, as well as a consensus Putin interfered in the US election, came from Daniel Coats, the Director of National Intelligence, Michael Pompeo, Director of the CIA, Michael Rogers, Director of the NSA, Andrew McCabe, Acting Director of the FBI, Vincent Stewart, Director of the Defense Intelligence Agency, and Robert Cardillo, Director of the National Geospatial-Intelligence Agency213.
“Only Russia's senior-most officials could have authorized the 2016 US election-focused data thefts and disclosures, based on the scope and sensitivity of the targets,” said Coats, adding: “Russia has also leveraged cyberspace to seek to influence public opinion across Europe and Eurasia. We assess that Russian cyber operations will continue to target the United States and its allies.”
Though Kaspersky’s CEO denied any wrongdoing in an open forum, during a Q&A session, one Redditor asked him why Kaspersky had paid Michael Flynn, Trump's disgraced National Security Advisor fired for his Russian ties. Eugene Kaspersky said it was: “A standard fee for a speech Flynn gave in Washington, DC,” and added: “I would be very happy to testify in front of the Senate, to participate in the hearings and to answer any questions they would decide to ask me.”
Also on the same day, President Trump signed an executive order commanding a review of the United States’ cyber security capabilities.
The President was initially set to sign the order shortly after his inauguration in January and held a press conference on the issue, but the action was delayed. Scott Vernick, a data security lawyer in Philadelphia, said at the time214 the draft made no mention of the role that FBI, CIA and other major law enforcement agencies have in protecting the nation from hackers. The version of the document finally signed just before the worldwide cyberattack contained significant changes, however, placing responsibility for cybersecurity risk on the heads of federal agencies rather than the White House. A full report on cyber security concerns regarding critical infrastructure was mandated within six months. (The FBI had been completely excluded from the original draft and in the final version greater responsibility for federal cybersecurity was also given to the military – a move which was rejected by the Obama administration.)
White House homeland security advisor, Tom Bossert, discussed the new executive order with reporters215, saying: “A lot of progress was made in the last administration, but not nearly enough. The Russians are not our only adversary on the internet.”
The change of tack in respect of the FBI’s role came only days after Trump’s controversial dismissal of its Director, James Comey, who had publicly confirmed the scale of the President’s conflict with the agency. Former Director of National Intelligence, James Clapper, told reporters in the days following the dismissal: “What's unfolded now, here, the leader…of the investigation about potential collusion between Russia and the Trump campaign has been removed. So the Russians have to consider this as a, you know, another victory on the scoreboard for them.”
“I think in many ways our institutions are under assault,” Clapper told CNN216, adding “Both externally, and that’s the big news here, is Russian interference in our election system. And I think as well our institutions are under assault internally.”
On the topic of Comey, the President himself217 said: “When I decided to just do it I said to myself, I said, you know, this Russia thing with Trump and Russia is a made-up story, it’s an excuse by the Democrats for having lost an election that they should’ve won.”
It was patently obvious, looking at all of this together the cyberattack was not random, as Amber Rudd had so carelessly suggested. It could easily be directly traced to Russia in two ways and in less immediately obvious ones too. The accompanying Russian narrative, backed externally by public figures with close ties to the country, was to blame the US Intelligence Services, which would cause (and did start to cause) international distrust and discord. The upshot was some damage to the “Five Eyes” agreement and the other transatlantic alliances which rely heavily on intelligence co-operation to assess and mitigate threats. Nobody else stood to benefit but Putin’s Russia. Meanwhile, the Trump administration was desperately seeking to cover up its own clear Russia links and, in doing so, was lashing out at the same security services and law enforcement agencies investigating it – all of whom were additionally affected by the burdens and provisions relating to his revised order on cyber security. I also picked up another anomaly while forensically picking through the mess and discovered the cyberattack, somewhat suspiciously, hit Russia more times on the first day than elsewhere yet caused the least disruption. In a country so well known for false flag attacks and disinformation, this was hardly surprising to anyone who had been paying attention – such tactics are old as the Tsars. Curiously, I noted, Putin very swiftly told Russian media218: “Malware created by intelligence agencies can backfire on its creators.” It was about as subtle as a brick, but Russia has never needed to practice finesse because it can afford to simply say: what are you going to do about it?
The attack also came at the time NATO had convened for the STRATCOM summit in Prague. Hosted by European Values under the extraordinary circumstances. The whole aim of the gathering was, as I found out, to discuss response options to Russia's mass efforts to destabilise its member nations by hacking, attacking democratic processes and spreading disinformation. Subsequently, I was less than surprised when media reports began to surface, claiming the culprit was North Korea. The main source was the Russian cyber security firm Kaspersky Lab219 – the same company the under-fire US security services had deemed as posing a risk to government agencies through their Kremlin links. Meanwhile, Snowden and Wikileaks continued to push the story of NSA’s stolen Zero Day tools line. Rather than sit back and lap it up, as many newspapers did, repeating the Kaspersky line and letting it drop, I carried on investigating. As a result, I swiftly discovered it was thought North Korea was not, in fact, responsible for the attacks and also had it confirmed that Russian intelligence services have their own Zero Day hacking capabilities which exploit the defects in Microsoft Windows. With the assistance of expert Richard Hummel, Principal Analyst, Production & Analysis at FireEye – the company who had been tracking the hacking activity of Russian intelligence services for some time – the truth started to paint a very different picture.
“At this time, multiple potential attribution scenarios for the WannaCry activity are viable. We are continuing to investigate all potential attribution scenarios,” Hummel told me. According to FireEye, financially-motivated cybercriminals are typically responsible for ransomware operations, with many such actors operating independently worldwide. “However,” Hummel said, “as of yet, none of these actors have been identified as a strong candidate for attributing the WannaCry operation.”
Numerous open-source reports alleged potential North Korean involvement in the cyberattack but, based on FireEye’s initial analysis, the code similarities cited between the allegedly North Korea-linked malware and WannaCry were “not unique enough independent of other evidence to be clearly indicative of common operators.” The link to North Korea was, at best, tenuous, arising only from lines of code in a version of WannaCry which actually pre-dated the one used in the worldwide incident. When I aske
d more specifically if the DPRK theory stood up to scrutiny, Hummel told me: “We often encounter cases in which malicious actors have reused code taken from publicly-available tools or other actors’ tools. Based on our reverse engineering thus far, the similarities that are being cited between WannaCry and tools associated with the Lazarus group are not unique or significant enough to strongly suggest a common operator.”
“For both these reasons, we consider the possibility that WannaCry is attributable to the Lazarus group to be unproven at this time and not necessarily stronger than other attribution scenarios. The primary alternative explanation is that non-state, financially-motivated hackers are responsible for the attackers. However, we are continuing to investigate all possible attribution explanations for these attacks,” he added, though the point where non-state meant anything but a deniable asset for Russia had long since passed for me.
“Russia and China appeared to be the two of the more heavily infected regions based on sinkhole data that can be obtained publicly,” Hummel continued. “The sinkhole data essentially identifies machines that have been infected and beaconing out to what the community has deemed the “kill switch.” If the malware successfully reaches this domain and there is an HTTP web server response, the malware will not encrypt files. If, however, the malware is unable to make a connection then it will proceed with encrypting machines.”
Hummel did note a lack of sophistication in the operation and made it clear it was a possibility the culprits may not have anticipated the malware would spread as widely as it did, saying: “One of these aspects is the kill switch functionality.” However, while the spread of the attack was halted when the young British IT blogger found a way to stop it communicating220, a swiftly released third generation of the malware had already removed the flaw. There was also the Vladimir Putin issue, whereby the Russian President had told that world forum in China malware created by intelligence agencies can backfire on its creators, and it held true, even days after the attack began, that the impact in Russia – despite the alleged spread – was largely non-disruptive and infections were localised relatively quickly. It appeared they already knew how to kill it domestically and helped do just that in a very short space of time.
“Another aspect is that identified ransom payments have been reported to be relatively low thus far, suggesting the operators’ payment system may not have been equipped to handle the outcome,” Hummel added, helpfully. I’d been sticking my nose into this aspect too, and also saw, across the technical and intelligence community, the low 'ransom' demand and lack of withdrawal activity in the Bitcoin wallets receiving payments had raised suspicions of the financial element being little more than a distraction. To give a bit of context, my sister-in-law (for all intents and purposes) fell victim to a ransomware attack in 2016. In a standard financially motivated attack, she was forced to pay 1 Bitcoin, at the time around one-and-a-half thousand pounds, to retrieve access to her one-woman-band company files. In the worldwide attack, ransom had dropped to only hundreds of dollars on high-profile targets, which led me to suspect from the outset this wasn’t a financial scam at all but a further element to muddy the waters in a deliberate decoy.
I may not be hugely technical, but I do have some skills and, following the attack, I used a series of publicly available cyber threat mapping tools and botnet trackers with which I identified a correlation between the locations of computers infected with a peer-to-peer (P2P) worm virus called Sality and the distribution of Wannacry. I wanted to explore how the virus infected computers if it wasn’t by spear-phishing. Hummel reviewed the possibility that the Ransomware was using an existing virus network to piggy-back and spread. “At this point, we haven’t ruled out any attack vector as we are still researching initial entry into networks. Sality is a worm and has the ability to download additional payloads but we have not found any evidence to suggest that it is being used as a vehicle to distribute WannaCry at this time,” he said.
“Sality and other worms like it are heavily distributed and often very difficult to remove as it infects every binary on an infected machine and then auto-propagates. Thus, seeing similarities in distribution or infection patterns isn’t out of the question, but doesn’t mean it is the vehicle being used,” he added.
As with any virus, there are two ways for it to contaminate the first computer before it spreads – essentially a “patient zero” must exist. One way to enter a network would be through an infected email document or browser cookie, through the technique known as spear-phishing, or another would be through the exploitation of a “zero-day” defect which allows a computer to be directly infected through its operating system by hackers. Zero Day defects are unknown to software developers until the attack happens, and are so named because they provide no time for a software patch to be released addressing the weakness. The Wannacry hack also used a network weakness in Windows software, developed as the Eternal Blue espionage tool by the NSA, to spread across any available connections once loaded onto a single networked machine.
“We are still investigating the original entry point, but some theories that have been circulating include email, RDP, and direct SMB exploitation. The only spreading technique we have confirmed is that SMB was used to compromise some machines. We believe the particular incidents we have observed are lateral movement or a pivot from a previously compromised device and as such are still searching for the initial intrusion vector,” Hummel said.
In the days preceding the attack, I discovered there was no apparent clue in data traffic which could identify a likely source. Hummel was clear though, telling me: “Based on the evidence and inclusive research into the original entry point, characterising a potential distribution vector would likely be misleading.”
Prior to the worldwide outbreak, FireEye was instrumental in stopping the spear-phishing threat targeted at NATO, along with other European Defence and Security Agencies. One of the victims of that Russian attack was, of course, the Romanian Foreign Ministry. When the experts asked me how I knew, I pointed them back to FireEye's own technical documents on their identification of the Russian attack and how they coincided with Microsoft's security updates – the software giant released two patches to shut down the Zero Day defects exploited by the GRU. Being attentive like this does raise eyebrows, but it also gets answers. “The two recently patched APT28 0-days were used to target European Defense and Security entities. The vulnerabilities were in Microsoft Office and Microsoft Windows,” Hummel confirmed.
“The APT28 vulnerabilities were not related to ShadowBrokers,” he added, making clear that the NSA were not the only intelligence service to have developed and deployed cyberattack software.
After the noise of the Ransomware attack died down and the North Korea line was quietly dropped for a while, more evidence started to emerge of a new cyber weapon in the Russian arsenal. Across the world, alarming reports came in that Russian government-linked hacking groups had devised “a cyber-weapon” called CrashOverride – a malware program which had the potential to disrupt electrical systems. It had already been tested too: it was deployed against Ukraine to shut-down one-fifth of Kiev’s power grid in December 2016.
“With modifications, it could be deployed against US electric transmission and distribution systems to devastating effect,” commented Sergio Caltagirone, director of threat intelligence for Dragos, a cybersecurity firm who issued the report221. “It's the culmination of over a decade of theory and attack scenarios,” Caltagirone warned, adding: “It's a game changer.”
Dragos named the hacking group responsible for Ukraine, “Electrum” – every company does this for corporate branding reasons – and state they have determined with high confidence it used the same computer systems as the hackers who first attacked the Ukraine electric grid in 2015. That attack, which left a quarter of a million customers without power, was carried out by Russian government hackers according to German intelligence services who agreed with private sector assessments. “The same
Russian group that targeted US (industrial control) systems in 2014 turned out the lights in Ukraine in 2015,” said John Hultquist, an expert who investigated both incidents for iSight Partners, now owned by FireEye. “Whether they're contractors or actual government officials, we're not sure,” he said, but added: “We believe they are linked to the security services.”
Dan Gunter, another senior threat expert for the firm Dragos, explained my own concerns quite neatly, saying: “What is particularly alarming…is that it is all part of a larger framework…like a Swiss Army knife, where you flip open the tool you need, and where different tools can be added to achieve different effects.”
“This speaks to a larger effort often associated with a nation-state or highly funded team operations,” he added.
Once this came out – only just over a month after the Wannacry attack – the North Korea rumour started to resurface.
The BBC reported222 on the 16th of June 2017 unnamed security sources had informed them the UK’s National Cyber Security Centre (NCSC) believed: “That a hacking group known as Lazarus launched the attack.” The Lazarus group I’d discussed with FireEye is the name attributed to state-linked North Korea hackers by some experts in the cyber security industry.
The British state broadcaster’s report speculated: “Private sector cyber security researchers reverse engineered the code but the British assessment by the NCSC – part of the intelligence agency GCHQ – is likely to have been made based on a wider set of sources.” The article also quoted Adrian Nish, who they say led the cyber threat intelligence team at BAE Systems. According to the report, his team saw overlaps with previous code developed by the Lazarus group.
Alternative War: Unabridged Page 25