Was North Korea Behind Ransomware Cyberattack?

The indicators are far from conclusive, the researchers warned, and it could be weeks, if not months, before investigators are confident enough in their findings to officially point the finger.

by Tim Feran, The Columbus Dispatch, Ohio / May 16, 2017

(TNS) - The global ransomware attack that infected tens of thousands of computers in nearly 100 countries over the weekend spread to thousands of additional computers Monday, mainly in Asia, as workers logged in at the start of a new workweek.

Meanwhile, intelligence officials and private security experts say that new digital clues point to North Korean-linked hackers as likely suspects in the sweeping attacks.

The indicators are far from conclusive, the researchers warned, and it could be weeks, if not months, before investigators are confident enough in their findings to officially point the finger at Pyongyang's increasingly bold corps of digital hackers.

While there have been no reports of major ransomware attacks in central Ohio, Columbus-based organizations are on the alert for the next attack.

In Europe, where the cyberattack first emerged, officials said it appeared that a much-feared second wave — based on copycat variants of the original malicious software — had not yet materialized.

The new disruptions were most apparent in Asia, where many workers had already left for the day Friday when the attack broke out.

China alone reported disruptions at nearly 40,000 organizations, including about 4,000 academic institutions, figures that experts say are most likely to be low estimates, given the prevalence of pirated software there.

In central Ohio, the member companies of the Columbus Collaboratory — American Electric Power, Battelle, Cardinal Health, Huntington Bancshares, L Brands, Nationwide and OhioHealth — jumped on the phone Saturday morning to share information on what they learned about this latest wave of attacks. The companies talked again Monday to discuss new developments.

The Columbus Collaboratory was formed in February 2014 by the member companies to help analyze data and combat the latest cyber threats.

Sharing such intelligence is a key defensive strategy to ensure a rapid response, said Jeff Schmidt, the Collaboratory's head of cybersecurity.

"All companies need to be aware of defensive strategies and not just utilize the bare necessities to meet regulatory standards," Schmidt said.

In addition, the Collaboratory is mining through WikiLeaks and data dumps to prepare for whatever comes next.

The ransomware attacks are the latest wave in computer crime, experts say.

"Ransomware is the ... next development — after 'Denial of Service' and data breach theft — to not only enter computers, but inflict psychological and financial loss at the same time," said Mark Skilton, a professor who researches cybersecurity at Warwick Business School in England.

"The risk and impact of cyber weapons can do the same or more harm than physical weapons," Skilton added. "It can indirectly kill patients, change traffic controls, alter car onboard steering systems, change election outcomes and more."

Pictures posted on social media showed screens of National Health Service computers in England with images demanding payment of $300 worth of the online currency Bitcoin, saying: "Ooops, your files have been encrypted!"

But the attackers are hardly using cutting-edge technology, said Columbus-based online security expert C. Matthew Curtin, founder of Interhack Corp.

"There's nothing new here, really," Curtin said. "The attackers used exploits that target old systems that can't be patched.

"If (affected companies and organizations) have still got these (old programming) things in place, it's a failure to plan."

The so-called ransomware continued to ripple through politics and markets Monday. Russian president Vladimir Putin blamed the United States, noting that the malicious software used in the attack was originally developed by the National Security Agency. It was then stolen and released by an elite hacking group known as the Shadow Brokers.

The attack was so widespread across the world that Microsoft has called for a "digital Geneva convention of rights," and Skilton called for a worldwide "cyber police force" to help manage these escalating threats with the right level of specialist skills, and not just vendors sorting it out for themselves.

But Curtin dismissed the idea of a global police force for cyberattacks as "an absurd and even stupid idea. ... Let's not forget that it's an NSA and CIA work product that made this accessible to the attackers."

To effectively battle ransomware and similar threats, companies and organizations should work together in the same way that Columbus-based organizations do with the Collaboratory, Schmidt said.

"To compete effectively in this environment, companies must start innovating and collaborating as effectively as the bad guys," he said. "The bad guys are dumping more data to share new tools and resources to execute increasingly sophisticated attacks."

President Donald Trump's homeland security adviser said Monday that the malware is "in the wild," but so far has not infiltrated U.S. government systems.

Tom Bossert, assistant to the president for homeland security and counterterrorism, said three variants of the malware have been discovered, and the U.S. government was closely monitoring the situation with officials in Britain.

"Overall, the U.S. infection rate has been lower than many parts of the world, but we may still see significant impacts in additional networks as these malware attacks morph and change," Bossert told reporters at the White House. "We had a small number of affected parties in the U.S., including FedEx. As of today, no federal systems are affected."

Information from The New York Times and The Associated Press was used in this story.

tferan@dispatch.com

@timferan

———

©2017 The Columbus Dispatch (Columbus, Ohio)

Visit The Columbus Dispatch (Columbus, Ohio) at www.dispatch.com

Distributed by Tribune Content Agency, LLC.