Mysterious Hacking Collective Known As The ‘Shadow Brokers’ Stole NSA Super Weapon, And Caused Global Cyber Attack That Is Causing Chaos In 74 Countries — Dry Run For A Much Larger, Devastating Attack? What Will al Qaeda & ISIS Take Away From This?
By now, all of you are probably aware that a massive cyber attack yesterday, Friday, May 12, 2017, hit systems in at least 74 countries, and that the hackers used stolen NSA hacking tools to carry it out. But exactly who the culprits are, and whether or not this attack was a dry run for a much more profound, catastrophic attack, is an open question. Regardless, the chaos that yesterday’s hack caused almost certainly hasn’t been lost on al Qaeda, the Islamic State, Russia, China, Iran, and the other darker angels of our nature.
There are lots of thoughtful articles out there on what happened, and on the difficulty of forensically determining who is responsible. Attribution will be a monumental challenge, unless of course the hackers got sloppy and left behind some telltale digital clues. Even then, investigators will have to determine whether any clues they find were planted deliberately to throw them off the trail.
Lily Hay Newman, writing on WIRED.com on May 12, 2017, notes that once the ransomware was loose yesterday it spread like wildfire, infecting “National Health Service hospitals and facilities around England; gaining particular traction in Spain, where it hobbled the large telecom company, Telefonica, the natural gas company, Gas Natural, and the electrical company, Iberdrola.” Ms. Newman, like others who have written about this widespread, global hack, wrote, “As far as ransomware attacks go, this looks a whole lot like The Big One.” Maybe, but this may also have been a dry run for something much more sinister. At a minimum, al Qaeda, the Islamic State, North Korea, Iran, etc. will be looking at how this event unfolded, how quickly, and the cascading damage it did. More on that thought later.
“The ransomware strain, WannaCry (also known as WannaCrypt0r and WCry) that caused Friday’s barrage, appears to be a new variant of a type that first appeared in late March,” of this year, Ms. Newman wrote. “This new version has only gained steam since its initial barrage, with tens of thousands of infections in 74 countries,” she added (later tallies run considerably higher).
“One reason WannaCry has proven so vicious?” Ms. Newman wrote. “It seems to leverage a Windows vulnerability known as EternalBlue that allegedly originated with NSA.” EternalBlue is one of the purloined NSA Equation Group tools that the ‘mysterious’ group calling itself The Shadow Brokers first offered for sale in August 2016 and then dumped into the wild last month (April). Microsoft had already issued a patch for the underlying SMB flaw in March (security bulletin MS17-010), which I wrote about at the time; but, as Ms. Newman noted, “clearly many organizations haven’t caught up.” More likely, the warning did not register, or was ignored.
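The point above is that the worm rode a Windows SMBv1 flaw for which a patch had been available for nearly two months, and that many organizations simply had not applied it. As an added example (not from the post or from WIRED), this is the check an administrator would run on a Windows host the Monday after: report whether the SMBv1 server is still enabled, whether the MS17-010 updates are present, and whether anything is listening on port 445, with an optional switch to disable SMBv1. The two KB numbers are the MS17-010 security-only and monthly-rollup updates for Windows 7 SP1 / Server 2008 R2 and are an assumption about the target build; other Windows versions ship the fix under different KB numbers, so adjust the list from the bulletin.

```powershell
<#
  Added example, not code from the original post. Run as Administrator.
  Assumes Windows 7 SP1 / 8.1 / 10 or the matching Server releases; the default
  KB list is the MS17-010 pair for Windows 7 SP1 / Server 2008 R2 only.
#>
[CmdletBinding()]
param(
    # MS17-010 updates for Windows 7 SP1 / Server 2008 R2 (security-only, monthly rollup).
    # Other OS builds carry the fix under different KB numbers; take them from the bulletin.
    [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012215'),
    # Disable the SMBv1 server instead of only reporting on it.
    [switch]$Remediate
)

function Get-Smb1Status {
    $status = [ordered]@{}

    # Registry switch honoured by every supported Windows version (Microsoft KB2696547):
    # SMB1 = 0 disables the SMBv1 server; absent means the default, which is enabled.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $reg = Get-ItemProperty -Path $params -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $reg) {
        $status.RegistrySMB1 = 'not set (SMBv1 enabled by default)'
    } else {
        $status.RegistrySMB1 = $reg.SMB1
    }

    # Windows 8 / Server 2012 and later expose the same setting through a cmdlet.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $status.ServerEnableSMB1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $status.ServerEnableSMB1 = 'cmdlet unavailable (pre-Windows 8)'
    }

    # Windows 8.1 / Server 2012 R2 and later also ship SMBv1 as an optional feature.
    if (Get-Command Get-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
        if ($feat) { $status.OptionalFeature = $feat.State }
    }

    # Get-HotFix only matches the exact KB, not a later rollup that supersedes it,
    # so "none" means "check the srv.sys version", not "definitely vulnerable".
    $present = foreach ($kb in $Ms17010Kbs) {
        if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) { $kb }
    }
    $status.Ms17010KbsFound = if ($present) { $present -join ', ' } else { 'none of the listed KBs' }

    # Is the SMB port actually exposed on this host?
    $status.Port445Listening = [bool](netstat -ano | Select-String ':445\s+.*LISTENING')

    [pscustomobject]$status
}

function Disable-Smb1 {
    # Same registry value Microsoft documents for turning off the SMBv1 server.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $params -Name SMB1 -Type DWord -Value 0 -Force

    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    Write-Warning 'SMBv1 server disabled in the registry; a reboot is required for LanmanServer to pick it up.'
}

Get-Smb1Status | Format-List
if ($Remediate) {
    Disable-Smb1
    Get-Smb1Status | Format-List
}
```

Disabling SMBv1 is the mitigation that does not depend on which KB happens to be installed, which is why the script reports the registry value and the cmdlet setting separately from the hotfix check. Blocking inbound TCP 445 at the perimeter is the other stopgap worth applying while patching catches up, but doing it on a file server breaks legitimate sharing, so it is left out of the host script.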
“The spread is immense,” said Adam Kujawa, the Director of Malware Intelligence at Malwarebytes, which discovered the original version of WannaCry. “I have never seen anything like this. This is nuts,” he said.
Whether the perpetrators are ever discovered and ferreted out by law enforcement and/or the intelligence agencies will depend on how savvy and disciplined they were. What is really worrisome here is the possibility that this hack was a dry run to see how much damage could be inflicted with this malware, and how long it takes companies and governments to overcome it. If these hackers are particularly sick and twisted, and intent on initiating a “Cyber Pearl Harbor” at some point, they will be carefully and studiously monitoring how long it takes for this version of their malware to be rendered harmless, what steps and measures the cyber ‘first responders’ took in the early hours, and how long it took before a thorough remediation strategy was implemented. This event could well set the stage for a more profound and catastrophic hack in the not too distant future.

How long will it take for the U.S. and/or others to definitively determine who is responsible for this hack? That is another thing that will be closely watched by both the white hats and the black hats. And if this is indeed a dry run for a much more catastrophic hack down the road, what should the U.S. do in the interim to protect ourselves and prevent that black swan event, and do we have a mitigation, remediation and reverse-engineering strategy ready to go at the zero hour? In essence, do we have a SEAL Team 6 equivalent for cyber, ready to deploy on short notice, much as we do for our special operations forces?

Finally, this attack comes as the U.S. Intelligence Community is attempting to discover whether it has a cyber mole inside the ‘fence,’ a trusted insider who has gone rogue. That kind of investigation can be very destructive and detrimental to current operations, as everyone is walking around on eggshells, somewhat paranoid.
This kind of environment can paralyze and severely constrain our offensive cyber operations, all the more reason to suspect that whoever initiated this attack may well have sought to take advantage of a U.S. offensive cyber force that cannot fully employ its A-game while such a mole hunt is taking place. In essence, now is a great time for a cyber adversary to try to take advantage of a somewhat distracted U.S. cyber force. I hope like hell... I am wrong.
One last thing, cyber security stocks like Palo Alto Networks (PANW), Fortinet (FTNT), FireEye (FEYE), Imperva (IMPV) etc., should get a boost at Monday’s stock market open. V/R, RCP