“It seems to tie back to the same code-base and the same authors…the code overlaps are significant,” Nish said.
Having looked at the background of this in the first place, I already knew North Korean hackers had been attributed responsibility for previous financially motivated attacks, including a 2016 hack on SWIFT payment systems which netted eighty-one million dollars from the central bank of Bangladesh. The BBC even quoted BAE representative Nish as saying: “It was one of the biggest bank heists of all time in physical space or in cyberspace.” However, the May 2017 Ransomware attack, which primarily hit European Telecoms, Manufacturing plants, Transport Networks, the NHS, and other such networks, saw those incredibly low ransom demands – at around three hundred dollars – which was notably unusual and also resulted in a payment total of only around one hundred and fifty thousand dollars to three Bitcoin wallets which have been left completely untouched. The report also repeated a line first used by the poorly briefed Home Secretary, Amber Rudd, that the attack was random rather than targeted. I could see there were issues, with all of this. Firstly, from a strategic point of view, the attack benefitted two parties above all others. Trump and Putin. Secondly, there was at the time insufficient evidence to attribute the attack to North Korea based on an assessment of old code in the Ransomware providing the link alone. I contacted the experts I originally spoke to at FireEye, who told me on the morning of the fresh report nothing had changed in their assessment. It struck me as a bit peculiar so, partly because of the lack of substance in the BBC report, I called the NCSC, who are part of GCHQ. Their only reply, as I anticipated, was that they could “neither confirm nor deny” the report.
The thrust of a declaration such as this is not to comment but not to dissuade anyone from believing the veracity of the report – in this case indicating North Korea and their state-backed Lazarus hackers were potentially linked to the May attack using Wannacry. However, there was only a “moderate level of confidence” in the assessment. In the case of the intelligence agencies, a moderate confidence level generally means they have credibly sourced and plausible information, but not of sufficient quality or corroboration to warrant a higher level of trust. It meant that, at the NCSC, there was no difference in the information they held to what I’d uncovered as regards the code. Essentially, there was that previous programming link but also doubt as to what it actually proved. As a result, I was able to believe, with a high level of confidence, that FireEye was right and nothing had changed over the four weeks since the attack.
I had, of course, been in touch with industry experts from the start of the outbreak and, while I have no doubt there was North Korean language code in the previous versions of the ransomware and some of the delivery mechanism tools, it was my understanding those similarities in earlier versions were not significant enough to attribute Wannacry version 2 to Lazarus. Also, once the sandpit defect was identified, the software was rapidly adapted twice to remove the so-called kill-switch facility. There was no known North Korean code in those updates either. I had also read the most recent US-CERT bulletin223 from the NSA and the FBI, which confirmed older programming indicated previous versions of ransomware used North Korean code and deployment methods (they referred back to the Sony attack in 2014) but added nothing to change the view I'd established on the recent software itself. In fact, the most recent bulletin focused on DDoS attacks, rather than DoS, and system vulnerabilities completely unrelated to those used in the Wannacry attack.
Having been one of the few people to look at the bigger picture and take the time to understand the complexities of the attack itself, I remained deeply unconvinced as regards the original source of the North Korea finding too. With it having been called by Kaspersky – and largely due to the public declarations of the US intelligence community about the firm being a Russian asset, along with the concerns the US Intelligence Community raised over the Kaspersky software posing a risk to US Government systems due to potential exposure to Kremlin access – it was clear something was off. In light of other reports, including other Joint Assessment Reports and a CIA declassified report I’d gotten hold of, it appeared highly probable the assessment of Kaspersky was more than feasible, which threw doubt on everything they said and continued to say. Lazarus themselves also appear to be a professional outfit with a broadly successful history and rapidly developing technology and finances224. Their last, highly targeted, heist in 2016 was the multi-million dollar Bangladesh central bank attack so, it was subsequently a safe assumption they would have developed well beyond the Sony days and this did not sit well with the low-value Bitcoin demand – or the value of the ransom payments achieved – that lowly hundred and fifty thousand. Those Bitcoin wallets had also, of course, been left untouched. Broadly, the concern I’d followed with interest was the whole ransom aspect of the attack being nothing more than a ruse. None of it sat within the North Korean pattern and didn’t fit the clumsy privateer theory some had put forwards. Sitting alongside the Wannacry issue were those growing concerns over other cyber weapons, such as CrashOverride – the Russian tool which had been linked to Russia’s cyber intelligence operations like APT28/29 (Fancy Bears and Cozy Bears). Through my own network of contacts, the broader issue under discussion had turned to whether the Wannacry episode was, in fact, a weapons test, with the final payload swapped out and the code seeded to deliberately point elsewhere. It made sense really, the thought Russia was simply testing the delivery mechanism for weapons like CrashOverride, gauging the spread and impact. This is also largely supported by low levels of collateral damage in Russia – the outbreaks were, of course, “localised” with only minor disruption – and this was followed almost immediately by Putin's statement in China that intelligence agency led programs sometimes are accompanied by accidents.
APT28 and 29 subsequently dovetailed back into BBC’s rehashed scenario for two further reasons. Firstly, there was still this question of access points. They were running the active spear-phishing operation exploiting Windows vulnerabilities in the run-up to the attack and they got caught out partially because they used a NATO email and it was picked up by the Romanian embassy. The initial entry point for Wannacry, despite its network spread, almost certainly involved some degree spear-phishing and payload adaptation to existing worms like Sality had been all but ruled out. There remained some questions over Zero Day access but, taking into account all the facts available, spear-phishing through emails or cookies appears more likely and Wannacry only needed access to one networked computer to then self-propagate due to the Eternal Blue (or similar) capabilities. Secondly, the involvement of the Shadow Brokers was still highly questionable. My own theory was they were also a deniable asset of APT28/29 and, in part, their broken language pattern was helpful yet again – it was also a feature repeated in the story of the Guccifer 2.0 hack of the DNC (which was Russia) and also in the North Korean code. Poking around, as I do, I found more evidence of this.
Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, told CNBC225 that the Korean language used in some versions of the WannaCry ransom note was: “Not that of a native speaker, making a Lazarus connection unlikely.”
By this point, even Kaspersky’s worldwide staff had started to throw doubt on the claims of North Korean responsibility. Asia research director, Vitaly Kamluk, said it was not conclusive evidence. “It's unusual,” he added.
Meanwhile, the Shadow Brokers had resurfaced again, threatening to auction data on nuclear systems belonging to Iran, North Korea, and Russia, as well as other stolen US intelligence tools226. It was more than enough for me to dismiss the BBC report as spurious. What I concluded, based on the evidence as a whole, is the May 2017 cyber-attack was simply a very pointed, if not partly accidental, warning shot arising from a weapons test and it clearly came from two of the most powerful men in the world – the attack’s usefulness to both Donald Trump and Vladimir Putin was impossible to disregard as a coincidence, especially in the bro
ader context of what I was investigating.
In June 2017, the Westminster emails of the UK parliament were breached and a second worldwide attack, using a different Russian payload – a non-recoverable version of the Petya Ransomware – was launched, initially targeting Ukraine’s infrastructure. After this, NATO finally came out and publicly reminded the world they would be prepared to trigger Article 5, as they had discussed several years before in Wales, if the attacks continued. It was Russia, without a doubt and I had been right to resist the lazy, mainstream view all along.
As far as I was concerned, Putin and Trump – along with others – had already spear-phished democracy but, unlike with Wannacry or Petya, the Ransomware they'd installed in our institutions could not be fixed by anything as simple as a software patch.
Seventeen:
Returning to my primary investigation, I knew Trump had been communicating with Russia for a prolonged period, but one single meeting left him personally exposed in doing so for the first time. I remember thinking he was rowing the last lengths of the river to impeachment single-handed.
On the 10th of May 2017, Russian Foreign Minister Sergei Lavrov met President Trump and US Secretary of State, Rex Tillerson, at the White House227. Initial reports stated they discussed cooperation on a range of issues and policy areas, with a central focus on the hacker’s favourite topic, Syria. Lavrov went on afterwards to give a confirmation Trump and Putin would be meeting in July, during the first few days of the G20 summit. This was the same Lavrov, of course, who was linked to the Montenegro events which almost saw the prime minister assassinated before the country joined NATO.
One Russian news agency reported the White House meeting was not simply a polite gesture, with the General Director of Russia’s International Affairs Council, Andrei Kortunov, issuing a statement saying: “Regardless of the importance of the Secretary of State’s role, US foreign policy is created by the president. I think that Trump has a certain message for Putin that he wants to send personally, through Lavrov.” Russia’s Foreign Minister himself also pressed the point it was necessary to agree on some areas of policy in advance of the leaders’ meeting, in order to ensure “concrete, perceptible results” when the heads of state got together. He also outright refused to discuss Russia’s alleged interference in the US elections, referring to them as “bacchanalia.” Undeterred journalists at the conference did, however, press the Russian Foreign Minister on the dismissal of FBI Director James Comey, asking if it “would influence Russian-American relations.” Lavrov responded with a joke228, saying: “Was he fired? You’re kidding!” On the evening of the meeting, Putin made a statement that Comey’s dismissal was “America’s domestic affair and Russia has nothing to do with it,” which struck me as an oddly significant statement.
Lavrov dedicated most of his own press conference to Syria, highlighting Washington could contribute towards the creation of de-escalation zones in the country – reminding journalists both superpowers have a “mutual understanding about the location of the zones and how they will function.”
“For the US the most important thing is to defeat terror. Here we are in perfect harmony,” he said.
According to Lavrov, he and Trump did not discuss the unilateral sanctions introduced by the Obama administration in late 2016 but added: “Washington understands the seizure of property belonging to Russian diplomats was wrong,” indicating they did. He was referring to the seizure of diplomatic compounds by President Barack Obama in December 2016, who had declared the compounds were being used by Russian personnel for intelligence-related purposes. Obama had also expelled thirty-five Russian nationals, declaring them “intelligence operatives.” Following Trump’s meeting with Lavrov, Trump’s administration began to negotiate the handing back of the property to Russia.
Trump also stated, after seeing Lavrov, he was “pleased with the meeting” and, according to an official White House Press Service statement229, the President impressed the need for Russia to “rein in” Assad. “He also raised the possibility of broader cooperation on resolving conflicts in the Middle East and elsewhere,” the statement added. Trump went on to visit the Middle East, where he pretty much declared war on the Islamic State and then, bizarrely, sided against Qatar in a dispute with Saudi Arabia, despite having almost ten thousand troops stationed in the allied country. The dispute swiftly extended to border crossings and began to disrupt Qatar’s gas exports – the country purchased a large stake in Russia’s Rosneft in December 2016 in a deal worth billions. As a result of the Saudi crisis, however, Qatar became diplomatically closer to Russian allies Iran and Turkey.
RT’s propaganda network was quick to leap into a commentary on the new Gulf crisis230, explaining the advantages of the situation: “This may help Russia on the European gas market. Qatar’s tanker fleet is barred from using regional ports and anchorages, posing a threat to the country’s LNG supplies. Traders are worried Saudi Arabia and allies would refuse to accept LNG shipments from Qatar, and that Egypt might even bar tankers carrying Qatari cargo from using the Suez Canal, despite Cairo's obligation under an international agreement to allow the use of the waterway. If LNG supplies are disrupted, Europe will have to buy more gas from Russia.”
“Gazprom is building new pipelines in Europe – Nord Stream-2 and Turkish Stream, but the Russian energy major is facing opposition on the continent,” the Kremlin-managed channel added.
This clearly makes sense from a Russian position, because it brings a range of benefits and leverage. However, Trump’s angle took me a little while longer to get my head around – until I revisited Carter Page. Christopher Steele’s Trump-Russia Dossier describes the huge Rosneft Oil company sale to Qatar but adds a second party, a secret buyer in the Cayman Islands. Investigation work in the US has uncovered that Trump hosted a Qatari state-run business owned by the QIA, the buyer of Rosneft shares in the deal, in the Manhattan Trump Tower for many years. Carter Page, who acted as a gopher in the transaction, was working directly for Trump at the time. Having flatly denied meeting any Russian officials in 2016, Page later contradicted himself as it emerged he met Sergey Kislyak, the Russian Ambassador, during the Republican National Convention231. Though Russia always denies the claims, Kislyak is described as a spy and a recruiter of spies by top intelligence officials.
Kislyak was also in attendance at the White House meeting along with Lavrov and, as was originally reported by the Washington Post232, during the discussions Trump “went off-script.” What they meant was he began to give specific, classified information on the Islamic State threat related to the use of laptop computers on aircraft. Intelligence officials subsequently told reporters US agencies were: “In the process of drawing up plans to expand a ban on passengers carrying laptop computers onto US-bound flights from several countries in conflict zones due to new intelligence about how militant groups are refining techniques for installing bombs in laptops.” As a measure of the seriousness of the threat assessment, services were at the time also considering the banning of passengers from several European countries, including Britain, from carrying electronic devices in the cabin on flights destined for the United States. Washington had, allegedly, informed its allies of these plans. While a president does have legal powers to declassify information, the leak of this specific intelligence had serious ramifications – not least because the meeting with Lavrov and Kislyak came only one day after he fired FBI Director Comey.
Trump's national security adviser, General Herbert Raymond McMaster, also present during the meeting, initially gave a statement which said: “No intelligence sources or methods were discussed that were not already known publicly” before declining to comment further. However, it then emerged the classified intelligence President Trump disclosed had been provided in strictest confidence by Israel and, according to sources – current and former American officials familiar with the information itself – the disclosure threw a further diplomatic spanner in the works of an episode which had already drawn t
he reliability of the White House into question. Israel has long been one of the United States’ most strategically important allies, operating one of the most complex and highly active espionage networks in the Middle East. As a result of Trump’s disclosure, it was feared the incident could inhibit the critical intelligence relationship amidst clear risks information could be passed to Iran – a close ally of Russia and also Israel’s main threat actor.
One former director of the National Counterterrorism Center, Matt Olsen, spoke on ABC233, stating Trump’s disclosures posed: “A real threat to future sources of information about plots against us.”
“Russia is not part of the ISIS coalition. They are not our partner,” he added pointedly.
Other US officials have since come forward and told reporters: “The intelligence provided by the spy was so sensitive that it was shared only with the US and was conditioned on the source remaining secret.”
General McMaster responded by making clear he was not personally concerned the incident could hinder US Intelligence relations with its partners. “What the president discussed with the foreign minister was wholly appropriate to that conversation and is consistent with the routine sharing of information between the president and any leaders with whom he’s engaged,” he said234.
Sean Spicer, now the former White House press secretary, also declined to answer questions as to whether the White House had made efforts to contact Israel and discuss the disclosure. Dan Shapiro, the Former US ambassador to Israel, also told ABC235 the: “Careless handling of sensitive information by Trump and his team would inevitably cause elements of Israel’s intelligence service to demonstrate more caution.”
In a statement emailed to The New York Times, Ron Dermer, the Israeli ambassador to the United States, approached the issue rather politely, in my view, writing: “Israel has full confidence in our intelligence-sharing relationship with the United States and looks forward to deepening that relationship in the years ahead under President Trump.”
Alternative War: Unabridged Page 26