The NHS Attack That Never Actually Happened
Unless you live under a rock, for those of us who operate in The Channel, you will be aware of the hugely successful hack carried out just a few weeks ago – dubbed ‘The Wanna Cry Hack’. We announced it’s appearance in a brief article on our blog. Many are calling this the largest cyber hack in history, with it effecting massive institutions on a global scale. In the western world, this included the NHS, Renault, Telefonica and FedEx.
It is well known that large and successful hacks such as this one are by no means a rarity anymore. 2016 was the ‘Year of Ransomware’ and saw a jolting increase in ransomware attacks, with large organisations such as BT, Yahoo and LinkedIn being amongst those who were hit badly. I have previously written about some of the destructive ransomware strains of last year, one of the largest being Ransoc.
With WannaCry, it wasn’t especially different to the usual ransomware story, whereby a vulnerability is identified in the Windows programme and this knowledge is sold to hackers to exploit the machines that haven’t installed the update to protect from the vulnerability yet. However, a few specifics make this particular case more interesting than others.
In the first quarter of this year, The National Security Agency (NSA) identified a Windows software exploitation and informed Microsoft so that a patch could be developed and made available. This patch was issued in March of this year, however as usual – many organisations failed to install it. But the key question to this process was, what happened in between the NSA identifying the exploit and them informing Microsoft? Accusations were made by Microsoft that these software flaws were kept secret by the NSA and therefore weaponised, allowing them to be leaked into the wider world. Microsoft President, Brad Smith, compared the NSA losing control of the exploit to “the US military having some of its Tomahawk missiles stolen”. He also mentioned that ‘secret software flaws’ are becoming a trend in 2017, with the CIA prompting a leak to WikiLeaks by holding back certain vulnerabilities until too late.
Regardless – these most recent NSA tools ended up in the hands of a renowned hacking groups called The ShadowBrokers (TSB). Managing to pinch such valuable tools from the NSA is one thing, but monetising them is another. They were unsuccessful when attempting to auction the cyberweapon off to other criminal units and arguably, this is what led to the mass deployment and rise of WannaCry. TSB threw all the toys out of their pram and resorted to plan B – they dumped a load of tools belonging to the NSA and made them widely available to the hacking community as a way of increasing their reputation amongst the community.
One particular tool that was leaked, known as Eternal Blue, led to the spread of WannaCry across the globe. This tool exploited a vulnerability in Windows SMBv1 and SMBv2 that enabled the malware to move laterally within networks and infect other machines, thus making it a true computer worm. Many experts have theorised the technical movements of the malware and although not fully confirmed, some believe that it was able to seamlessly jump from one network to another as it scanned the web for even more entry points, specifically ones that had left the Microsoft SMB resource-sharing protocol activated on ‘network port 445’.
Other experts believe that the effected enterprise servers may have already been infiltrated by DoublePulsar – another NSA developed malware. This tool installs a ‘backdoor’ in Windows servers and endpoints that can be kept open for later infections. The speculation comes as DoublePulsar was taken from the NSA at the same time as Eternal Blue. Irrespective of the assumed approach, once WannaCry gets through a server or network and infects a machine, it will attempt to use Eternal Blue to quickly spread across any machine linked to that network. For any endpoint that hasn’t installed a Windows security patch as of March this year, or is running an unsupported version of Windows (XP or older), it will have received the call from the malware tool and will have been infected.
Many people criticised Microsoft for not supporting older versions of their software with patch updates, however with WannaCry it went back on it word to help fight. It issued a fix for Windows XP machines, even though it’s been out of support since 2014, 12 years after the operating system was released. It also added updates to Windows Defender to prevent the malware from spreading further.
On the other hand, others put full blame on the NSA, saying that if they had informed Microsoft as soon as the flaw was discovered, then more computers infected would have had the chance to install the necessary patches and be unaffected by the malware. Having said that, even fi TSB hadn’t dumped the tools, the vulnerability would still have existed, leaving the opportunity open for an independent hacker to get to work.
Overall, I think that many security experts would agree on the importance of government organisations having the ability to conduct private investigations into widely used programmes and general software. However, one of the consequences of holding a ‘private’ library of potential exploits is that this information will, at some point, get leaked and innocent people will suffer the effects.
As ever, the UK media did an exceptional job of jumping on the reporting bandwagon and providing ample coverage of the attack, however despite the illegal revenue generation through paying ransoms, there was something different about this hack – because it involved our beloved NHS. We knew how the infection was effecting hospitals ability to operate in the short term, with closures of entire wards, some staff being sent home, patients being turned away and asked to look for assistance elsewhere, ambulances being diverted to alternative hospitals and some centres having to limit radiology services. What we don’t know is what the effects would have been longer term if it wasn’t shut down on the same day. What would have happened to those geographical areas where the hospitals were under siege? Would the effected hospitals be significantly busier? Definitely. Would the operating costs increase due to requiring additional services and staff? Definitely. Would those hospitals, under-staffed, lacking resources and subject to immense strain suffer from an increase in death toll? Probably. We can speculate about these effects till the cows come home but only one thing is certain – thank god it didn’t get to that stage.
Another element of uniqueness about the Wanna Cry attack are the political factors surrounding it. All should be aware of the uproar and cries regarding the current funding situation of the NHS. The fact that the UK’s largest and most important institution effected by this attack can’t afford to upgrade their IT infrastructure to be more current and better protected raises many political questions. It also just so happens that the General Election is also around the corner… which raised even deeper questioning and led to the creation of a farfetched conspiracy theory that this hack was planned in order to provide political advantage.
We have already discussed how laughable it is that the NHS is using unsupported legacy software and indeed it is. But as previously mentioned, this was not an attack on the NHS.
One question left unanswered by this whole ordeal though, is what were the intentions of this attack? The ransomware spread is agnostic – it is not bothered by size or value (the ransom request itself is only reported to be £230) and small businesses to large enterprises are being hit. But surely those who issued the attacks had no idea that the NHS would be most vulnerable? Was this the pot of gold under the rainbow they were hoping for?
A Hollywood Movie
The scary thing is that, depending on their overall intentions and how much of an impact it had on the NHS systems, it could well have turned into a Hollywood movie. By that I mean that WannaCry might have ended up shutting down entire hospital IT systems, causing longer term chaos and leading to more serious action having to take place. Doctors and nurses would have been working blind and at the mercy of the “cyber lords” who wanted total control and domination. If there was no kill switch embedded and the growth of this worm continued, what’s to say it couldn’t have caused worldwide headline worthy destruction?
Facetiousness aside, the hackers behind this ordeal could have quite easily had more destructive intentions. They might have been politically outraged with Brexit and the upcoming General Election that they wanted to take control and blackmail the UK government into acting on outrageous demands. Moreover, they would have had one of the largest ransoms available at their fingertips – citizen lives and large amounts of confidential health data.
To some extent though, it did end up like a Hollywood movie – “a saviour who buys an URL and stops the attack by mistake” were some of the anecdotal newspaper headlines over the weekend in which the attack occurred. This raises the question about the intentions of the attack… to say how sophisticated it was, there was a fairly obvious “hidden” kill code that was deliberately placed ‘just in case things got too serious’. The criminals didn’t know how extensive this attack would become and they didn’t really want to cause world destruction or get “too rich”. This type of attack is a great example of what is known as ‘expressive motivation’.
An Important Warning Call
‘Expressive motivation’ is a more pressing topic when concerning hackers because it stems from the human need to feel significant and powerful – that a belief or statement should be appreciated and acknowledged by many. An example of this was Al-Qaeda and the 9/11 attacks. They wanted to demonstrate to the US (and the world) that no one is invulnerable and that their cause should be heard.
Indeed, the worldwide attack that occurred just over two weeks ago happened on a Friday, where historically the demand for health facilities is less, with an American-made kill switch. Furthermore, the initial action of the exploit tools failed, the ransom demands were extremely low (decreasing chances of payment) and Russia were hit on a huge scale… all of this suggests that the attack was nothing more than an American hacking organisation who were frustrated by their failure to make huge amounts of money at the sale of their NSA loot. The case that is building here speculation here is that this group chose expressive impact over making a reasonable amount of money. The attack was a global display of power and strength that caused low financial damage and a moderate level of operational impact. This should be used by three key players; the UK government, as a big warning that they need to revise their IT security strategy, Small and medium businesses worldwide, as a thank you to TSB for the splash to the face, and cyber security companies, who need to be reminded about the prevailing human factors behind major cyber extortion.
Following the announcement of the attack and throughout Friday a few weeks ago, a number of Brigantia partners who had previously decided that a cybersecurity protection was not a suitable solution for their customers, actually had their customers attacked under this strain. Unfortunately, by this stage it was far too late – the damage had been done.
There is a reason why we are so insistent on our partners rolling out Heimdal to their customers, even if they don’t wish to pay for the service – because it stops attacks like these from ever happening. The initial spread of WannaCry came through simple spam, in which fake invoices, job offers and other lures were sent out to random email addresses and required the downloading of attachments. However, Cisco believes vulnerable systems were left open on the internet and could be attacked without any need for phishing, leaving any unpatched machine at direct risk.
The moral of this opinion piece is one that has been stressed several times before by the Brigantia team – it simply isn’t worth taking the risk on not deploying an advanced cybersecurity solution such as Heimdal. These attacks are regular and always end in SMBs being those left worse-off. They cannot afford to deal with the damage in the same way a large corporation can. Life is not fair!
Brigantia partners have a strong specialism in cybersecurity and one of our best in class vendors could and should have protected you. If you would like any more information about our solutions, please get in touch via email firstname.lastname@example.org or on 020 3358 0079. Or visit our website vendor page – www.brigantia.com/vendors .