A vicious attack that was powered by a stolen U.S. cyber weapon and deployed by a North Korean hacking unit was worse than originally thought, locking up one to two million computers, a congressional panel heard Thursday.
And only the lucky discovery of a “kill switch” prevented the WannaCry ransomware attack last month from encrypting the files on 10 to 15 million computers, Salim Neino, the founder of Kryptos Logic, a Los Angeles cybersecurity company, told legislators.
The attack affected computers in 190 countries, hitting hardest in Russia, China and India before a British researcher stumbled on a way to choke it off.
“It could have been much, much worse,” Ret. Air Force Brig. Gen. Gregory T. Touhill, a cybersecurity expert at Carnegie Mellon University, told lawmakers from two subcommittees of the House Committee on Science, Space and Technology, which held a joint hearing.
“I view WannaCry as a slow-pitch softball whereas the next one may be a high and tight fastball coming in. We need to be ready,” said Touhill, former chief information security officer in the Obama administration.
As soon as the malicious worm that became known as WannaCry began to spread around the globe on May 12, it froze a rapidly growing number of computers running Microsoft Windows that had not been patched against the SMB flaw it exploited. Dozens of hospitals, clinics and offices of Britain’s National Health Service ground to a halt, and Spain’s Telefonica, FedEx and Germany’s Deutsche Bahn were affected.
The worm forced computers to display a screen with a ransom message demanding payment of $300 in bitcoin, a digital currency, rising to $600 after three days, to decrypt the files it had encrypted.
The administration of President Donald Trump this week laid formal blame for the WannaCry attack on “cyber actors of the North Korean government.”
In a joint alert issued Tuesday by the FBI and the Department of Homeland Security, high tech professionals were told that the North Korean hacking unit, sometimes called the Lazarus Group but labeled Hidden Cobra by the government, was behind a series of attacks since 2009 and carried off the WannaCry epidemic. It offered minimal specific evidence.
Several private cybersecurity firms, including ThreatConnect and Symantec, first reported the common characteristics of cyberattacks now blamed on North Korea.
“The links we saw between WannaCry and Lazarus include shared code, the reuse of (internet protocol) addresses, and similar code obfuscation techniques,” Hugh Thompson, chief technology officer at Symantec, told the hearing.
Previous attacks linked to Lazarus Group include a 2014 breach of Sony Pictures, which delayed release of a satirical movie, The Interview, starring Seth Rogen and James Franco, that portrayed an assassination attempt on Kim Jong Un, and last year’s heist of $81 million from the central bank of Bangladesh.
In the wake of the WannaCry epidemic, researchers said it appeared to have infected 240,000 to 300,000 computers worldwide.
But Neino said the toll was far higher, and that variants of the initial worm sought to infect seven million computers in the United States but were thwarted by a “kill switch” that a Kryptos Logic researcher spent $11 to activate. That was the fee for an unregistered domain. Before spreading, each copy of the worm tried to connect to that domain; once the domain was registered and answering, newly infected devices reached it and the worm exited without encrypting anything.
Were it not for the “kill switch,” Neino said the epidemic would have hit two hospitals on the U.S. east coast, striking one on May 30 and the second on June 8-9. A high school in the Midwest was hit June 9. Neino did not name any of the institutions affected.
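The two sides of the kill switch described above, as an added illustration that is not code from the article or from Kryptos Logic: a gate that mirrors the worm's "can I reach the domain?" check, and a parser that counts infected hosts from resolver logs, which is how a sinkholed domain yields infection tallies like the ones Neino cited. The domain name, the log format and the log lines are all constructed for this example; the article does not name the real domain.

```python
import re

# Hypothetical stand-in for the unregistered domain the worm checked.
# The real name is not given on this page.
KILL_SWITCH_DOMAIN = "killswitch.example"


def should_run_payload(domain_reachable):
    """Mirror the worm's gate: try the kill-switch domain before doing anything.

    domain_reachable is a callable that returns True when a connection to
    the domain succeeds. While the domain was unregistered the attempt always
    failed, so the payload ran; once it was registered and answering, every
    new infection took the exit path here.
    """
    return not domain_reachable(KILL_SWITCH_DOMAIN)


# Constructed resolver log lines (not real telemetry), laid out as
# "<timestamp> <client-ip> <queried-name>".
SAMPLE_DNS_LOG = """\
2017-05-12T13:01:07Z 10.20.30.41 killswitch.example
2017-05-12T13:01:09Z 10.20.30.41 killswitch.example
2017-05-12T13:02:15Z 10.20.31.8 updates.example.net
2017-05-12T13:04:40Z 10.20.30.77 killswitch.example.
2017-05-12T13:05:02Z 10.20.32.5 mail.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def infected_hosts(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: first_seen} for every client that looked up the domain.

    A host that resolves the kill-switch domain is a host on which the worm
    ran far enough to perform its check. Counting those hosts gives an
    infection figure independent of how many ransom screens were reported.
    """
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname = m.groups()
        # Normalise case and a trailing dot so "killswitch.example." matches.
        if qname.lower().rstrip(".") == domain and client not in seen:
            seen[client] = ts
    return seen


if __name__ == "__main__":
    # Domain dark (unregistered): the check fails, the worm proceeds.
    print("runs when domain unreachable:", should_run_payload(lambda d: False))
    # Domain sinkholed: the check succeeds, the worm exits.
    print("runs when domain reachable:  ", should_run_payload(lambda d: True))
    hosts = infected_hosts(SAMPLE_DNS_LOG)
    print(len(hosts), "infected hosts:", sorted(hosts))
```

The gate also shows the kill switch's limit: a machine whose outbound connections are blocked, or routed through a proxy that the worm's plain connection attempt never traverses, can never reach the domain, so on such a host the check fails and the payload runs even after the domain is registered. The same lookup table, run against real resolver or proxy logs, is the quickest way to find those hosts on your own network.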
Part of what powered the WannaCry ransomware was a powerful tool that was leaked from the National Security Agency and dumped by a mystery hacker group calling itself The Shadow Brokers. The dump of the tool, known as EternalBlue, occurred in mid-April, a month before WannaCry began its global rampage. EternalBlue exploits a flaw in the SMBv1 file-sharing protocol in Windows that Microsoft had already fixed in its March 2017 security update (MS17-010), so the worm spread only to machines that had not yet applied that patch or were running versions of Windows that no longer received updates.