Worst of WannaCry may be over but the ‘cyberattack game has changed’
Malware puts weapons of mass cyber destruction in hands of everyday thugs, Chinese specialist says
The worst of the WannaCry global malware attack may be over for now, but specialists say it has changed the game in cybersecurity.
“In the past, the tools and technologies [of launching cyberattacks on such a scale] were in the hands of governments. But now, a thug on the street can get access to a cyberweapon of mass destruction,” Professor Xue Yibo, a researcher at Tsinghua University’s Network Security Lab in Beijing, said.
The WannaCry virus started spreading rapidly around the world on Friday, locking up data on infected computers and networks in more than 100 countries, and demanding a ransom to release the systems.
There were fears for the worst as people returned to work after the weekend, but across the United States, Europe and Asia, few new cases were reported on Monday and Tuesday as most work computers were taken offline until their systems were scanned and updated.
A feared mutation of the malware, or WannaCry 2.0, did not materialise either. And while international cybersecurity agencies reported variants of the ransomware, all appeared to respond to a “kill switch” stopping them from wreaking further havoc.
In China – where almost 30,000 organisations were reportedly affected – security firm Qihoo 360 confirmed on Tuesday night that WannaCry had been contained. Some government agencies had recovered up to half of their locked data, according to cybersecurity specialists involved in the recovery process.
WannaCry encrypted user data and deleted the original files, but some files, mostly text documents, could be retrieved using existing system recovery tools, the specialists said.
Most services affecting the public, such as energy giant China National Petroleum Corporation’s 20,000 petrol stations, had also resumed normal operations by Tuesday.
The China Education and Research Network, a computer backbone for Chinese universities, said late on Monday that the damage to its systems was not as severe as reported, with just 66 out of 1,600 institutions affected.
The Hong Kong Computer Emergency Response Team said it had received 14 more reports of infected systems by yesterday afternoon, taking the total to 31 since Saturday, with 28 involving family users and three business systems.
But Tsinghua’s Professor Xue said the ransomware had introduced the world to a “new normal” of cyberattacks, describing it as a “game changer”.
The malware’s earliest forms had been around since 2013 but could not spread efficiently until they were recently combined with a leaked US government cyberweapon known as EternalBlue, Xue said.
The US National Security Agency was believed to have developed the cyberweapon to exploit a weakness in a Microsoft communication protocol, allowing hackers to infiltrate any computer running on a Windows operating system.
A security engineer with Topsec, a Beijing cybersecurity firm that sells most of its products to the government and state firms, said it had confirmed WannaCry codes included NSA-developed cyberweapons.
Xue said Tsinghua University was largely spared from the attack in part because its campus had previously been a major target of the NSA’s cyberespionage campaign. In 2013, whistleblower Edward Snowden said the NSA hacked 63 Tsinghua computers and servers in one day.
Since then, the university had tightened cybersecurity on its campuses, including shutting down the data port EternalBlue used, Xue said.
Vulnerable university networks infected by WannaCry would allow hackers to do great damage if they were linked to the country’s top research institutes and state firms, according to a Chinese security specialist.
“In the past this was done by the US government, but now anyone can use such weapons. Things can easily get out of control,” the specialist said.
Meanwhile, security researchers investigating WannaCry yesterday reported signs of a possible North Korean link. In the first clues of the origin of the massive cyberattack, Google researcher Neel Mehta found similarities between WannaCry’s computer code and that of a vast hacking effort that was widely attributed to Pyongyang.
The ransomware’s code resembled tools used by Lazarus Group, a hacking organisation involved in sabotaging on Sony Pictures in 2014 and a Bangladeshi bank last year, Mehta found. Lazarus Group is believed to be linked to the North Korean government.
Russian security firm Kaspersky described Mehta’s findings as “most significant” in the hunt for the cyberattack’s origins.
But Xue said the attack could have been launched by anyone.
“I think [the hackers] are just a bunch of thugs desperate for money. What they did so far is not much different from low-end telecoms fraud,” he said.
Tang Wei, a senior engineer with Chinese cybersecurity giant Rising, said the firm suspected the cyberattack was meant to distract. “When the world’s attention is turned to WannaCry, they can work on their real target,” he said.