Hello, it has been a while. The further I went down this rabbit hole, the more questions I had, so there is no singular mystery but rather multiple different mysteries, all attached in some form to the same event. For writing purposes, italics indicate 'exposition' from myself. I have made a video which visualizes the event here.
[LONG]
Introduction:
In 2017 a massive cyber attack took down the National Health Service in England. Thousands of appointments and potentially life-saving operations were delayed or cancelled, and many critical patients had to be relocated.
This attack wasn’t just targeted at the NHS. It brought thousands of organizations and government agencies to a standstill. The groundwork for this attack was laid years in advance.
Birth of the Exploit:
In 2009, Windows 7 was released and was heavily adopted by industries and government agencies. As years passed, new operating systems were released and updates to Windows 7 became less regular; due to this, a small vulnerability formed. The MS17-010 exploit was discovered or created by the National Security Agency and was dubbed the ‘Eternal Blue’ exploit. It worked by targeting a fault in any machine which uses the SMBv1 (Server Message Block version 1) file sharing protocol.
SMB is a protocol that Microsoft uses to allow the sharing of files between computers and other devices.
The exploit, Eternal Blue, which the NSA had discovered, allowed attackers to implant the backdoor codenamed Double Pulsar onto a machine, which would then allow them to execute code on the target computer; this is otherwise known as a remote code execution vulnerability. In effect, this exploit allows hackers to control another person’s computer. It was further able to spread malicious data packets within networks, allowing duplicates of the malware to spread to other computers automatically. The NSA had utilized this exploit for 5 years, and the exact details of what they had used the exploit for are currently unknown. The so-called ‘Equation Group’, a highly sophisticated ‘threat actor’ that earned its name from the group's extensive use of encryption, is believed to be a group within the NSA. This group, the Equation Group, is regarded as the most skilled and best equipped cyber-threat. It is also suspected to be involved in many large cyber-attacks such as Stuxnet; however, this is unconfirmed. The Equation Group is also the primary suspect for the initial cyber-attack usage of the Eternal Blue exploit.
The odd thing about this exploit is that the NSA had managed to use it for (as noted above) 5 years, yet we have absolutely no clue what they were doing with it. The NSA infamously does not inform tech giants of exploits, in order to let themselves use them. Furthermore, the identities of the Equation Group are currently unknown and their linkage to the NSA is merely suspected (on good evidence). Some argue that the group doesn't even exist as a structure but is a name given to a set of tools linked to the NSA.
It is known that Eternal Blue existed as part of a larger zero-day arsenal – a collection of exploits which the NSA has accumulated that allow them to attack vulnerabilities in systems which operators are unaware of. These exploits, such as Eternal Blue, were – and many presumably still are – unknown to Microsoft and the general public. As soon as one exploit is closed, rest assured, a new one is created by the NSA. Eternal Blue was a highly confidential exploit and had remained hidden until the NSA themselves were hacked.
The Shadow Brokers are a hacking group which initially appeared in 2016 with the publication of the following content on Pastebin.
[Quote]
‘ Equation Group Cyber Chase Weapons Auction – Invitation.
Attention government sponsors of cyber warfare and those who profit from it.
How much you pay for enemies cyber weapons ? Not malware you find in Networks. Both sides, RAT + LP, full state sponsor tool set ? We find cyber weapons made by the creators of Stuxnet, duqu, flame. Kaspersky calls Equation Group. We follow Equation Group traffic. We find Equation Group source range. We hack Equation Group. We find many Equation Group cyber weapons. You see pictures. We give you some Equation Group files free, you see. This is good proof no? You enjoy! You break many things. You find many intrusions. You write many words. But not all, we are auction the best files.’
[End]
The Shadow Brokers would then go on to leak information four more times. The fifth and final leak was titled ‘Lost in Translation’. This time the information was published on the Steem blockchain, and a link was posted to Twitter under the handle shdowbrokersss. This leak, amongst other things, contained a number of tools and exploits: a total of 9 exploits, one of which was named Eternal Blue and another Double Pulsar.
The leaking of these exploits led the previously mentioned Kaspersky Lab, a Russian cybersecurity company, to check for similarities between the leaked data and known Equation Group malware samples. Kaspersky Lab recognized similarities between the leaked code and known malware samples, in particular in the ways in which the RC6 encryption algorithm was implemented. However, Edward Snowden had himself found that the most recent date within the stolen files was 2013 – indicating that potentially the lockdown which occurred as a result of his leak also stopped the Shadow Brokers' breach of the NSA. Finally, in the months leading up to the leak, the NSA had warned Microsoft of Eternal Blue's leak, leading to Microsoft issuing a patch in March of 2017, rendering the exploit useless – that is, if the user downloads the patch.
The statement by Snowden was interesting to say the least; the implication is that the hacking of the NSA occurred 4 years prior to the events of the 2017 WannaCry ransomware attack. The NSA would only inform Microsoft of the exploit after it had been leaked.
You are probably, right now, wondering who The Shadow Brokers are. This in itself is a bit of a mystery. Suspicions surrounding the possibility of a leak originating from within the NSA are high, with one primary suspect, Harold T. Martin, who had in fact worked as a contractor for the NSA. Martin had stolen approximately 50 terabytes of data from the NSA. However, during his detainment the Shadow Brokers continued posting cryptographically-signed messages – indicating either that he did not act alone or that he was not involved.
Edward Snowden tweeted that ‘circumstantial evidence and conventional wisdom indicates Russian responsibility’. Snowden later indicated that a lot of these releases could be the Russian government sending a message that they now have evidence of certain activities of the NSA. Now, for any accusation which the US targets at Russia, Russia can accuse the US of its own activities in cyberwarfare, as the Russian government now has proof of American cyberwarfare activities. However, apart from presumptions, no person or country has claimed to be The Shadow Brokers, nor is there any strong evidence which indicates their identities.
Once again, we're left with a number of options and questions surrounding the identities and allegiances of The Shadow Brokers. Both could be true: Martin was arrested for hoarding information from the NSA, so it could be entirely possible that it was he who was hacked while hoarding sensitive NSA information, and not the NSA itself. He could have been a member of the group, and not necessarily the leader. Furthermore, the Shadow Brokers seem to have just dissolved, with no real conclusion to their story or case. The group has not claimed any leak or attack since 2017. They left as fast as they arrived.
The Lazarus Group:
The Lazarus group are a collective of hackers who were originally believed to be a criminal group but are now considered to be an advanced persistent threat which likely has ties to North Korea. The Lazarus group first emerged in 2009 conducting what is now known as ‘Operation Troy’, which was a distributed denial of service (DDoS) attack on multiple South Korean organizations. Between 2009 and 2017, 4 major cyber attacks are credited to this group, including the infamous Sony breach of 2016. This group is known not to have the most sophisticated methods, nor the capabilities to create completely unique and intricate attacks.
The Lazarus group had gained access to the EternalBlue exploit and the Double Pulsar backdoor from the leaks conducted by The Shadow Brokers. The Lazarus group now had the means of delivering a cyber attack, but they had no weapon. This is where the WannaCry ransomware steps in: a crude cyber weapon developed by The Lazarus Group, whose name comes from its origin as a variant of a WannaCryptor attack. The WannaCry attack would begin to slowly encrypt files in the background, avoiding essential programs which enable the computer to function, so the user would not notice what was happening until it was too late. Because the files were encrypted, the information within them would become completely inaccessible to the user. Once encryption was completed, the computer would cease to function properly and display the following message:
[Quote]
‘Your important files are encrypted. Many of your documents, photos, videos, databases and other files are no longer accessible because they have been encrypted. Maybe you are busy looking for a way to recover your files, but do not waste your time. Nobody can recover your files without our decryption service’
[End]
The message would further provide details of how to pay the 600 dollar ransom with Bitcoin, and the amount of time which the user had to pay the ransom. If the user did not pay the ransom, they would be unable to recover the files which had been encrypted. This is the basis of the WannaCry hack.
The WannaCry hack was a threat which utilized three tools. The EternalBlue exploit, a highly sophisticated tool, allowed the ransomware to infect computers and spread throughout networks at an incredibly rapid pace. Where applicable it would also make use of the Double Pulsar backdoor in order to gain control of systems. Following this, the actual ransomware aspect of the hack would begin: the WannaCry system would begin encrypting files without interrupting the usage of the computer, allowing the attack to go undetected until the above message appeared.
The Attack:
With the ransomware ready and the method of delivery primed, it was only a matter of time before the Lazarus group would launch their attack. There is, however, one final part of the attack which needs to be addressed: Microsoft had released a patch in April of 2017 which closed the EternalBlue exploit, therefore protecting computers and negating the attack before it even occurred. That is, of course, if the organizations actually installed the update – which many did not, leaving many large organizations throughout the world vulnerable to the attack.
On the 12th of May 2017 at 07:44 Coordinated Universal Time the attack would begin, with the earliest infections appearing in India, Hong Kong and the Philippines. It would then spread like wildfire, duplicating itself to an estimated 230,000 computers worldwide. Multinational corporations were hit, such as Boeing, FedEx, Honda, Renault and Nissan. Governments too were on the receiving end of these attacks: the NHS, PetroChina, Russian Railways, the Ministry of Internal Affairs of the Russian Federation and countless universities throughout the world. The fallout was huge, as these massive organizations were effectively crippled. The most prominent impact of the hack was its effect on the NHS, as up to 70,000 devices were impacted; this included computers, MRI scanners, blood storage equipment and various other forms of hospital equipment, effectively crippling the capabilities of hospitals throughout the UK.
Cyber security experts were quick to approach the issue, advising affected users not to pay the ransom, on principle and because they had found there was no way for the Lazarus group to actually identify the user who paid and their computer, therefore nullifying their ability to decrypt the files. Despite multiple large organizations working on reverting the damage, it was a single independent researcher, Marcus Hutchins, who would make a huge breakthrough.
Marcus would sit down at his computer at 2:30 PM local time in the UK. After receiving a large number of messages about the NHS being hacked, he would search for and obtain a sample of the WannaCry ransomware. Marcus would then utilize a virtual environment to run the malware, where he would be met with the ransom page. However, Marcus had noticed that WannaCry began attempting to connect to random IP addresses using SMB, or Server Message Block.
It had occurred to Marcus that the program was attempting to contact a specific domain amongst the other domains, so he decided to register the malware control server, or C2, domain, as it was not active. The server took the form of a DNS sinkhole, otherwise known as a blackhole DNS. This type of server provides false results to anything attempting to connect. Shortly afterwards he was contacted by another cyber security expert asking for the sample he had acquired; the expert, who worked for Talos, noted he could not get the WannaCry software to start connecting to random IP addresses. In fact, it is at this time that Marcus realized he had accidentally prevented the spread of the WannaCry software.
Marcus had unknowingly uncovered what has since been described as a kill switch, but Marcus himself theorizes it was most likely a poorly made anti-analysis tool which would prevent cyber security experts from reviewing the attack. The WannaCry ransomware would only proceed to encrypt files and disrupt computers if it could not connect to the designated server. Therefore, when Marcus registered the server, the software would stop spreading as it could now connect to the presumed designated server. This single action which Marcus had made prevented the WannaCry virus from spreading further. In the aftermath, cyber security experts were able to retrieve much of the missing data. Finally, after tracing Bitcoin traffic to and from the Bitcoin wallets tied to the WannaCry ransom, researchers have found that between 50,000 and 72,000 USD was paid to the hackers.
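As an added example (not from the original post, and not Marcus's or Talos's code), here is defender-side triage in Python over constructed logs: it flags hosts whose outbound SMB (445/tcp) connections fan out to many distinct addresses, the scanning behaviour described above, and records whether each host's lookup of the kill-switch domain resolved (halted) or failed (armed). The domain name, the hosts and all log lines are constructed placeholders, not the real values.

```python
import random
from collections import defaultdict

# Placeholder, not the real domain the post refers to.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"
FANOUT_THRESHOLD = 20  # distinct 445/tcp targets from one source before alerting

def build_sample_logs(seed=1):
    """Constructed logs, not real data: one worm-like host scanning random
    addresses on 445/tcp, one ordinary host talking to a file server."""
    rng = random.Random(seed)
    fw = []
    for i in range(40):  # 10.0.0.5 fans out across random addresses
        dst = ".".join(str(rng.randint(1, 254)) for _ in range(4))
        fw.append(f"2017-05-12T07:44:{i:02d}Z 10.0.0.5 -> {dst}:445 SYN")
    for i in range(5):  # 10.0.0.9 only reaches the internal file server
        fw.append(f"2017-05-12T07:50:{i:02d}Z 10.0.0.9 -> 10.0.0.20:445 SYN")
    dns = [  # NXDOMAIN before the sinkhole existed, NOERROR after it did
        f"2017-05-12T07:44:10Z 10.0.0.5 query {KILL_SWITCH_DOMAIN} NXDOMAIN",
        f"2017-05-12T15:30:00Z 10.0.0.7 query {KILL_SWITCH_DOMAIN} NOERROR",
    ]
    return fw, dns

def parse_fw_line(line):
    """Parse a constructed line 'TS SRC -> DST:PORT ACTION'."""
    ts, src, _, dst_port, action = line.split()
    dst, port = dst_port.rsplit(":", 1)
    return {"ts": ts, "src": src, "dst": dst, "port": int(port)}

def smb_fanout(fw_lines, threshold=FANOUT_THRESHOLD):
    """Sources whose 445/tcp attempts reached >= threshold distinct hosts."""
    targets = defaultdict(set)
    for line in fw_lines:
        rec = parse_fw_line(line)
        if rec["port"] == 445:
            targets[rec["src"]].add(rec["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}

def kill_switch_state(dns_lines, domain=KILL_SWITCH_DOMAIN):
    """'halted' if the lookup resolved (e.g. to the sinkhole), 'armed' if it
    failed, since the sample only proceeds when it cannot reach the domain."""
    state = {}
    for line in dns_lines:
        ts, src, _, qname, rcode = line.split()
        if qname == domain:
            state[src] = "halted" if rcode == "NOERROR" else "armed"
    return state

def triage(fw_lines, dns_lines):
    """Scanning hosts together with their kill-switch state."""
    ks = kill_switch_state(dns_lines)
    return {src: {"smb_targets": n, "kill_switch": ks.get(src, "no lookup seen")}
            for src, n in smb_fanout(fw_lines).items()}
```

Run `triage(*build_sample_logs())` to see the scanning host reported as armed; an NXDOMAIN answer for the kill-switch domain on a host that is also fanning out on 445/tcp is the combination worth paging on.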
Charges and Indictments:
No, our story does not end here. In fact, 6 people were indicted and one was arrested as a result of the attention applied to this case. Three direct members of the Lazarus group were uncovered and indicted by the FBI: Park Jin Hyok, Kim Il and John Chang Hyok. All three were indicted for being part of an alleged criminal conspiracy behind some of the costliest computer intrusions in history, as well as being members of the Lazarus group. The indictments would further go on to claim that the Lazarus group is a state-sponsored group and a part of the Democratic People's Republic of Korea's Reconnaissance General Bureau. A Canadian citizen by the name of Ghaleb Alaumary, as well as two Chinese citizens, Tian Yinyin and Li Jiadong, were charged with being intermediaries and money mules for the Lazarus group. They organized crews of money launderers in the US and Canada to receive stolen funds and then relay them to the Lazarus group.
Yet with these indictments and charges, the Lazarus group remains active, with the three direct members still at large. Since the WannaCry event, the Lazarus group is suspected to be responsible for three major attacks: the 2017 cryptocurrency attacks, the September 2019 ElectricFish attacks and the 2020 pharmaceutical attacks.
The Lazarus group currently remain at large; their current location is completely unknown. I will also say, it was a surprise to me that the FBI have photos of these guys, which is strange considering they would be from a very remote and inaccessible country.
Finally, the hero of the story, Marcus Hutchins himself, was arrested while on a trip to the USA after further inspection by the FBI. He was arrested on six hacking-related federal charges; Hutchins was tied to the creation of a completely different piece of malware known as Kronos. The FBI had managed to link Hutchins to the software after the seizure of the now infamous dark web market known as AlphaBay, where evidence was found indicating his involvement. Hutchins would confess to being involved with Kronos. During legal proceedings, Hutchins would be offered a zero-time guilty verdict if he could provide information on a group of hackers which he had previously worked with. Hutchins either couldn’t or wouldn’t provide any information on his previous associates. Eventually he was sentenced to time served and one year of supervised release, as the judge presiding over the case, Joseph Peter Stadtmueller, recognized he had turned a corner in his life and no longer used his skills for nefarious reasons. Currently Hutchins is employed by the cyber security firm Kryptos Logic, and has his own YouTube channel.
I really hope you enjoyed this one; it took almost a month to complete. As with anything involving the US government, aspects can get a little too conspiratorial and I have tried to avoid that. I had to trim down a lot. I hope I explained the concepts well and that it is an enjoyable read. If you wish to watch a video on it, click here.
Further Reading:
Acronis
Wired
Kaspersky
Guardian
Verge
Wiki Marcus Hutchins
Wiki Eternal Blue
Wiki Shadow Brokers
Avast Eternal Blue
SecPod DoublePulsar
Malwaretech (Marcus Hutchins Blog)
HashedOut
Talos
zdnet charges 1
zdnet charges 2
FBI most wanted Lazarus group