NSA ‘not to blame’ for WannaCry cyber crisis

The question of who is to blame over last week's malware attacks that crippled worldwide systems is being hotly debated by cyber intelligence analysts. 

Shortly after networks began to be locked by the WannaCry malware, accusations were levelled at the US National Security Agency (NSA) that the tools employed by the hackers had been stolen from government servers. 

This sophisticated malware was then embedded within ransomware, exploiting vulnerabilities in unpatched versions of Microsoft Windows XP. 

SEE ALSO: The Intoxication of the ‘Art of the Hack’

Brad Smith, president and chief legal officer at Microsoft, wrote a blog post attempting to shift blame on the intelligence agency: "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.” 

Smith went on to demand that governments should treat the attack as a wake-up call, saying they should have similar limitations on hoarding cyber vulnerabilities in the same way that physical weapons are often restricted. 

The Russian government has also been quick to blame the US government, with President Vladimir Putin seizing on Smith’s public indictment. 

“The initial source of this virus is the United States security agencies,” he said. “Russia’s got absolutely nothing to do with it. Given that, it’s strange to hear anything else.” 

In response, White House Homeland Security adviser Tom Bossert came to the defence of the intelligence services. 

“This was a vulnerability exploited as one part of a much larger tool that was put together by the culpable parties and not by the US government,” Bossert told reporters, referring to the fact that the malware had been reengineered within the malware that encrypted and ransomed data.

It is understood that the criminal group behind the operation, known as the Shadow Brokers, compromised several NSA servers, stole the sophisticated cyber ‘weapons’, and then attempted to sell them. When buyers were not forthcoming, the group leaked the code online.  

The NSA, noticing the activity, tipped off Microsoft, who in turn issued a patch (MS17-010) for users of the outdated operating system. However, the attack occurred three weeks later, and many users had not applied the update. 

Rickey Gevers, a cyber security expert at RedSocks Security, explained that this approach is likely to reoccur whether or not government agencies build offensive cyber tools. 

“The NSA is to blame for developing the exploit but it is not to blame for the impact of the exploit,” he said. “People highlight the fact that the NSA is actively searching for these types of vulnerabilities – which is true – but it doesn’t mean that if the NSA did not search for them, they would not be found by others. They will be found. We will keep seeing these vulnerabilities in the future. So what is going wrong is the timing of the patching.  

“These vulnerabilities seem to happen once every five to ten years. When comparing other incidents, we seem to have about three weeks to act before they are exploited. Preventing the NSA from holding these vulnerabilities will never solve this problem.  

“There is only one solution to this problem: make sure people patch their systems.” 

Many nations are believed to be holding offensive cyber weaponry, some of which may have already been used to attack foreign states. This includes Russia's 'Ouroboros' malware that targeted Ukrainian systems in 2014, and China's 'Great Cannon' that targeted websites attempting to evade censorship tools.

While an immediate second wave of WannaCry attacks has not yet occurred, there are fears that further disruption from the malware could return, particularly as other ‘strains’ of the virus have since been developed without the kill switch code that stopped the first wave in its tracks. 

“Thus far, the confirmed variants of WannaCry with no kill switch have had non-functioning ransomware components – they do not encrypt victims’ systems,” explained John Miller, manager at cyber threat intelligence firm FireEye.

“However, organisations should address the SMB security recommendations provided by Microsoft for this threat to prevent further issues. Meanwhile, forensic details from the WannaCry attacks will be of high interest, including how the attackers implemented the initial wave of ransomware infections and positioned those to rapidly self-propagate the malware globally.”