It’s official: North Korea is behind WannaCry

Thomas P. Bossert, Trump’s Homeland Security Advisor, writes: Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive “WannaCry” cyberattack to North Korea.

The attack spread indiscriminately across the world in May. It encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes. While victims received ransom demands, paying did not unlock their computers. It was cowardly, costly and careless. The attack was widespread and cost billions, and North Korea is directly responsible.

We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government. [Continue reading…]

Last May, Quinn Norton wrote: The story of WannaCry (also called Wcry and WannaCrypt) begins somewhere before 2013, in the hallways of the National Security Agency, but we can only be sure of a few details from that era. The NSA found or purchased the knowledge of a flaw of MicroSoft’s SMB V.1 code, an old bit of network software that lets people share files and resources, like printers. While SMB V.1 has long been superseded by better and safer software, it is still widely used by organizations that can’t, or simply don’t, install the newer software.

The flaw, or bug, is what what people call a vulnerability, but on its own it’s not particularly interesting. Based on this vulnerability, though, the NSA wrote another program—called an exploit—which let them take advantage of the flaw anywhere it existed. The program the NSA wrote was called ETERNALBLUE, and what they used it to do was remarkable.

The NSA gave themselves secret and powerful access to a European banking transaction system called SWIFT, and, in particular, SWIFT’s Middle Eastern transactions, as a subsequent data-dump by a mysterious hacker group demonstrated. Most people know SWIFT as a payment system, part of how they use credit cards and move money. But its anatomy, the guts of the thing, is a series of old Windows computers quietly humming along in offices around the world, constantly talking to each other across the internet in the languages computers only speak to computers.

The NSA used ETERNALBLUE to take over these machines. Security analysts, such as Matthieu Suiche, the founder of Comae Technologies, believe the NSA could see, and as far as we know, even change, the financial data that flowed through much of the Middle East—for years. Many people have speculated on why the NSA did this, speculation that has never been confirmed or denied. A spokesperson for the agency did not immediately reply to The Atlantic’s request for an interview.

But the knowledge of a flaw is simply knowledge. The NSA could not know if anyone else had found this vulnerability, or bought it. They couldn’t know if anyone else was using it, unless that someone else was caught using it. This is the nature of all computer flaws.

In 2013 a group the world would know later as The Shadow Brokers somehow obtained not only ETERNALBLUE, but a large collection of NSA programs and documents. The NSA and the United States government hasn’t indicated whether they know how this happened, or if they know who The Shadow Brokers are. The Shadow Brokers communicate publicly using a form of broken English so unlikely that many people assume they are native English speakers attempting to masquerade themselves as non-native—but that remains speculative. Wherever they are from, the trove they stole and eventually posted for all the world to see on the net contained powerful tools, and the knowledge of many flaws in software used around the world. WannaCry is the first known global crisis to come from these NSA tools. Almost without a doubt, it will not be the last.

A few months ago, someone told Microsoft about the vulnerabilities in the NSA tools before The Shadow Brokers released their documents. There is much speculation about who did this, but, as with so many parts of this story, it is still only that—speculation. Microsoft may or may not even know for sure who told them. Regardless, Microsoft got the chance to release a program that fixed the flaw in SMB V.1 before the flaw became public knowledge. But they couldn’t make anyone use their fix, because using any fix—better known as patching or updating—is always at the discretion of the user. They also didn’t release it for very old versions of Windows. Those old versions are so flawed that Microsoft has every reason to hope people stop using them—and not just because it allows the company to profit from new software purchases.

There is another wrinkle in this already convoluted landscape: Microsoft knew SMB V.1, which was decades old, wasn’t very good software. They’d been trying to abandon it for 10 years, and had replaced it with a stronger and more efficient version. But they couldn’t throw out SMB V.1 completely because so many people were using it. After WannaCry had started its run around the world, the head of SMB for Microsoft tweeted this as part of a long and frustrated thread:

The more new and outdated systems connect, the more chance there is to break everything with a single small change.

We live in an interconnected world, and in a strange twist of irony, that interconnectedness can make it difficult to change anything at all. This is why so many systems remain insecure for years: global banking systems, and Spanish telecoms, and German trains, and the National Health Service of the United Kingdom. [Continue reading…]

Print Friendly, PDF & Email