NSA's Hacking Tool in World's Biggest Malware Attack

Prabir Purkayastha

LAST week, the world woke up to the largest cyber security threat ever, with WannaCry, a ransomware originating from the NSA's cache of cyber weapons, infecting hundreds of thousands of computers. Computers in more than 150 countries have been infected by the ransomware, with the users locked out of their vital files and data. The criminal group behind WannaCry wants $300 in bitcoin as ransom for releasing the files back to their users. The ransom note, displayed on the hacked machines, also says that the ransom will double if the victims do not pay up within three days. Reports indicate that the bitcoin wallets are filling up worldwide, as people are paying the ransom instead of losing their files.

According to Kaspersky Lab, one of the major security firms in the world, India had the third highest number of infected machines, with only Russia and Ukraine being worse hit. QuickHeal, an Indian security and anti-virus firm, stated that more than 48,000 computers, presumably using their virus scanner, have been identified as infected by WannaCry. Other reports indicate a much larger infection.

Some of the panchayats in Kerala using Microsoft Windows have also been hit by WannaCry; others that used GNU/Linux, promoted by the Free Software Movement of India, are unaffected. For Indian users, who have been reluctant to switch to GNU/Linux from their Windows platform, this is another indication of the risk of proprietary software.

How did an NSA hacking tool end up as a part of the world's biggest malware attack? In April this year, a group called Shadow Brokers dumped the NSA's cache of cyber weapons/hacking tools online. This was one of the most sophisticated sets of cyber weapons that security experts had ever seen. Such NSA tools can infect machines, transmit information back to the NSA, or take control of the machines themselves. The security experts had then pointed out that the NSA had either found a large number of backdoors in existing software of companies such as Microsoft, Apple, etc., or such backdoors were being deliberately provided by the companies themselves to help the NSA in its hacking.

A Microsoft Windows vulnerability was exploited by the criminal group behind the WannaCry ransomware. Using a particular NSA hacking tool called EternalBlue, the group created a worm that could use this Windows security hole and spread from machine to machine. Once a machine was infected, the ransomware encrypted its files and deleted the originals. While installing security patches to Windows can protect the machines from future infections, decrypting the encrypted files is not easy without paying the ransom. Alternatively, the users can forget about these files, format their machines, reinstall all the software, and load the back-ups.

WannaCry uses a security hole in the MS Windows operating system that seems to have been present from Windows XP days. Microsoft does not support Windows XP anymore, meaning that though it releases regular patches and updates for its current generation of operating systems, it does not do so for older systems such as XP. After the WannaCry attack, Microsoft has now released patches for XP as well.

In India, 70 per cent of the ATM software used by the banks runs on Windows XP, so not having regular security patches for XP is a huge security risk for the banks.

The ransomware also had a kill switch disguised as a domain name. A UK security expert, who saw this code, bought the domain, and temporarily managed to stop further spread of the worm. Unfortunately, new variants, without the kill switch, started appearing almost immediately, so we are now back to square one.

In March this year, Microsoft had released a security patch blocking the particular hole that the NSA's hacking tool EternalBlue uses. The global news agencies have been blaming the users for WannaCry, arguing that the users are at fault, as they do not upgrade their system software regularly. The far more important question is left unasked. Why did Microsoft take more than five years to provide a patch for this security hole? Did the NSA not inform Microsoft of this hole, as it wanted to keep its ability to hack into such target Windows machines? Or was there collusion between the NSA and Microsoft to create and maintain this hole?

The NSA was well aware for some time that its cyber weapons cache had been hacked. Did the NSA inform Microsoft of its loss, leading Microsoft to hurriedly release this security patch? Ars Technica reported (April 4, 2017) on Microsoft's suspicious fixing of four zero-day vulnerabilities (security holes not known previously) exactly a month before the Shadow Brokers dump of NSA tools. It wrote, “Those updates – which Microsoft indexes as MS17-010, CVE-2017-0146, and CVE-2017-0147 – make no mention of the person or group who reported the vulnerabilities to Microsoft. The lack of credit isn't unprecedented, but it's uncommon, and it's generating speculation that the reporters were tied to the NSA.”

Microsoft's president and chief legal officer, Brad Smith, has written a blog post (The need for urgent collective action to keep people safe online: Lessons from last week’s cyber attack: May 14, 2017), where he has talked of the joint responsibility for security of the vendor selling software and the consumer buying it. This is in line with what various “experts” have been saying: that it is the responsibility of the users to update their systems and keep themselves safe. What is carefully not stated is that the software products in the market are full of security holes, complex to maintain and quite often not supported by the vendors after some time. Microsoft stopped supporting XP as they wanted people to pay again for the new operating system they were releasing.

If the vendors want to stop their support, they should be forced to make their code open source. Otherwise, we are at risk of ransomware from criminal groups, or of being forced to pay the vendors and buy their new systems under threat of no support for older systems. Not providing support and forcing people to shift to newer unnecessary products is simple blackmail, not very different from ransomware!

Brad Smith, in his blog post, has also acknowledged the threat that nation states pose to ordinary citizens by developing hacking tools. He has used the Sony hack of 2015 in his argument, blaming North Korea. There is enough evidence to show that North Korea was not behind the Sony hack; it was most probably a criminal exercise, carried out by the same set of criminals who stole $81 million from Bangladesh banks by hacking the SWIFT banking system.

The key issue is that the NSA's hacking tools or cyber weapons are now openly available to any criminal group anywhere in the world. WannaCry is only the first attack using one of the NSA's tools, EternalBlue. The number of such tools or cyber weapons that have been released is large; therefore we are at risk of many such attacks. Wikileaks has also reported the CIA's cyber weapons getting hacked. Smith writes, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”

Smith and Microsoft are now advocating a Digital Geneva Convention for protecting the world against cyber weapons. This is the path the US refuses to tread, in the belief that its huge array of hacking tools and cyber weapons is far ahead of others. Now the US tech companies, who have worked closely till now with the NSA and the CIA, are realising the risks to their systems from the leaking of US cyber weapons to criminal groups.

If intelligence agencies with the resources of a nation state create cyber weapons, what kind of risk does it pose for all of us? The NSA's cyber weapons are far superior to what any criminal group can create. That is why their leak poses enormous risks to the computer systems that pretty much run everything in the world today; that is why there is a demand for a cyber weapon ban, and for treating the internet as a non-weaponised space, the same way we treat outer space.

If Microsoft realises the need for an international treaty on cyberspace, it is time the nation states, and all of us, understood it as well.


