Information Warfare: An Endless Mystery Called WannaCry

Archives

May 21, 2017: On May 12th 2017 there was a rare bit of Internet based criminal activity that made headlines worldwide for reasons that are still not quite clear, both to the general public and Internet security professionals. Note that all the hacker terms are described at the end of this piece in plain English.

The incident began with the activation of ransomware malware called WannaCry. What made WannaCry so dangerous was that it made use of several capabilities including a hidden (but findable) backdoor program that tried to spread WannaCry to Microsoft Windows computers that had a known vulnerability but were not updated to remove the vulnerability. This automatic spread of malware is called a worm and it depends on other computers being vulnerable to allowing malware to be automatically installed. With WannaCry local PC networks run by Microsoft server software were vulnerable it the latest patches were not installed.

What made this newsworthy was that the worm depended on information stolen from the NSA (American National Security Agency) and made public by Wikileaks in March. The NSA tool was called EternalBlue and it used a ZDE (Zero Day Exploit) stockpiled by the NSA for possible Cyber War operations. This particular ZDE exploited a flaw in Windows network software allowing the EternalBlue program to quietly insert itself into other PCs on the same network as the PC infected (probably via a spear fishing attack) with WannaCry.

All this was news for several reasons. First, the attack could have been a lot more effective than it was except for a hidden flaw (a kill switch) that was soon discovered and activated by the work of an international network of White Hat hackers. Then the incident became even more mysterious. While at least a quarter million PCs in 150 countries were infected with Wannacry and had their hard drive contents encrypted, only about one in a thousand of these PCs paid the $300 (in bitcoin) ransom. But those who paid the ransom did not receive the decryption information and the bitcoin payments (worth nearly $100,000) were sent to three bitcoin “wallets” that have not been used and are apparently still being monitored.

Meanwhile the White Hats and intel agencies were scrutinizing WannaCry in detail. The computer code and other evidence indicated that this attack was the work of North Korean government hackers. The North Koreans do it mainly for the money because North Korea is broke and run by a ruthless dictator. It did not make any sense for North Korea to unleash Wannacry because most of the victims were in the few countries (China and Russia) that still supported North Korea. These two countries were hard hit because both depend heavily on illegal copies of Windows and other software. Most users of the illegal Windows software don’t bother to pay for security and other software updates provided by other hackers who supply these updates for a fee. Microsoft will not upgrade illegal copies of its software. Worse, even though Microsoft regularly releases free updates via the Internet many users do not immediately apply those updates (because updates sometimes break something else).

Wannacry is one of those mysteries that will take a while to solve and may never be “solved” because there so many black hat hackers involved, operating at different skill levels and with different objectives. It later turned out that WannaCry was first used in late April and perhaps ever earlier. Based on past experience with malware we can expect numerous WannaCry variants to show up, for a few months at least, until enough users are made aware of the threat and enough Internet security software is updated to recognize and defeat the various tools WannaCry employs.

Glossary of Computer Terms

Backdoor – A secret command that will enable anyone with it to use a computer program.

Bitcoin- A “cryptocurrency” or currency based on software, not physical (paper and coins) media. Bitcoin is one of the first and most widely used. There are online markets for buying and selling bitcoins. Anyone can establish an online account (a bitcoin wallet) that others can sent bitcoin to without knowing who controls (has the password) for the bitcoin wallet. It takes a lot of effort to find out who owns a bitcoin wallet and even governments don’t (yet) have the resources to monitor all bitcoin wallets. Apparently bitcoin wallet owners can be discovered if the owner is not very careful.

Black hat hacker- Someone who uses their programming skills to create or modify software for criminal purposes.

Computer code- Software, a computer application the user (or the computer itself) employs to perform a task. What most users encounter is “executable code.” The “execuatables” makes no sense if you look it because in a word processor it is seemingly random digits, letters and symbols. But the “source code” (that a programmer writes) is in something that is readable and makes sense depending on how much you know about programming.

Cyber War – Attacking someone else (or defending) via computers (usually via the Internet). In peacetime Cyber War is usually about espionage or, in the case of North Korea, financing a failed dictatorship.

Decryption – The process by which special software turns encrypted (not usable) computer data back into its original form. The user sometime employs a password (decryption key) to make decryption happen.

Encryption- The process by which special software turns computer data from its original form into something unusable until converted back (decrypted). The user sometime employs a password (encryption key) to make encrypt a file or program.

EternalBlue – A bit of malware developed by the NSA that exploits a ZDE in Microsoft local network software. EternalBlue was stolen and distributed by Wikileaks.

Fishing- Sending a message (usually email) to someone that has a file attacked which, if opened secretly installs malware on your computer.

Hackers- Programmers who are particularly skilled and eager to create new code or improve existing stuff. The term “hack” has been used for centuries for tinkering with something.

Illegal software- Software that is protected (games, major applications, operating systems) but has those protections disabled and then sold, or distributed for free.

Kill switch – A capability (usually kept secret) built into software that enables anyone to turn the program off (usually via the Internet).

Malware – Software created to do something harmful (usually illegal and secretly.)

NSA (American National Security Agency) a post-World War II U.S. government agency for creating new secret codes (encryption) and better methods to decrypting encryption used by others. NSA became the lead agency for Internet matters.

Phishing- See Fishing.

Programmer- Someone who can create an app (application). For most it is a job, do some (hackers) it is a passion.

Source code – The readable software that is turned into unreadable but useful “executables” that users refer to as apps. Programmers create, modify and, when investigating malware, scrutinize source code.

Ransomware – Malware that secretly encrypts a hard drive and then offers the user the decryption key for $300 to $600 (or more). The relatively low ($300) demand was found the most profitable (for the black hat) ransom because most victims would rather pay that amount, or less, than permanently lose access to their data.

Security software- Programs that usually run automatically on your PC to detect malware and deal with it. Black hats must continually update their malware to cope with constantly updated security software.

Social Engineering- Exploiting human nature to get malware onto a system. This is what fishing and spear fishing attacks depend on.

Spear fishing- a fishing operation where targets are carefully chosen and researched before putting together the attack. Despite having software and user rules in place to block spear fishing attacks there are so many email accounts to attack and you only have to get one victim to respond to a bogus email with a “vital attachment” that must be “opened immediately”. Among the favored targets for these attacks are anyone providing access to something worth stealing via an Internet connection. This often means business executives as well as senior civilian officials in the government and the Internet security industry.

Updates- Modifications to apps and operating systems that are usually sent out and installed automatically these days.

WannaCry- A ransomware app recently distributed using fishing and a ZDE stolen from the NSA.

White Hat hacker- Someone who uses their programming skills to create or modify software for to protect it from Black Hats (criminal programmers).

Wikileaks- An organization that accepts stolen documents and distributes them on the Internet. This organization is doing a public service or a criminal act depending on who is being hurt by the leaked software. Most nations consider Wikileaks a criminal group.

ZDE (Zero Day Exploit) – A previously unknown flaw in software that allows the first user to get into other networks and PCs secretly. ZDEs have become very expensive because in the right hands these vulnerabilities/flaws can enable criminals to pull off a large online heist or simply maintain secret control over thousands of computers. ZDEs have also become the very expensive and highly perishable ammunition for any future Cyber War. The most successful hackers use high-quality ZDEs. Not surprisingly ZDEs are difficult to find and can be sold on the black (or legitimate) market for hundreds of thousands of dollars. Their value declines when the publisher becomes aware of the flaw and patches it. But not every user applies the patch right away, if ever.