Cyber wrap
24 May 2017


The fallout from the WannaCry ransomware incident continued this week. ShadowBrokers, the group that released the EternalBlue exploit used by WannaCry, have announced a new subscription program whose members will gain access to new vulnerabilities and tools, as well as information supposedly stolen from Iranian, Chinese and North Korean missile programs. While ShadowBrokers have been linked to Russian intelligence services, it’s noteworthy that Russia itself was significantly affected by the incident. As expected, additional uses of the EternalBlue exploit have been uncovered, including to install software that mines the cryptocurrency Monero.

Speculation over whether the Hermit Kingdom is behind WannaCry has also continued this week. Cybersecurity firm Symantec’s Security Response team have released further evidence which they claim more closely ties WannaCry to the North Korean-linked Lazarus Group of hackers. Symantec notes that similarities in the tools used in last week’s attack link the ransomware to the tools used in other cyber incidents attributed to North Korea—including the 2014 Sony hack and last year’s attack on Bangladesh’s central bank. The key difference between those earlier incidents and WannaCry is the malware’s autonomous propagation through networks using the EternalBlue exploit; previous Lazarus Group-linked malware required greater hands-on intervention by the hackers, which limited how far it could spread.

WannaCry has also focused international attention on North Korea’s cyber capabilities. Jim Lewis from CSIS noted that the Sony hack marked a step change in the nature of North Korean cyber espionage and hacking activity. Lewis notes that before Sony, North Korea focused on espionage and harassment of South Korean political targets, but since then it has increasingly used those skills for criminal activity to generate hard currency for the regime.

Various North Korean People’s Army units have been identified as being involved in cyber operations, but Unit 180 in the Reconnaissance General Bureau has been most closely linked to WannaCry. Greg Austin from UNSW told a seminar in Canberra last week that over 6,000 North Koreans are involved in various aspects of cyber operations, including disrupting the South’s military critical infrastructure and command and control systems. And over at the UN, the North Korean Sanctions Committee has warned members to be alert to North Korean hacking after a member of its panel of experts was hacked. The warning ominously noted that the hackers had gained ‘very detailed insight’ into the work of the committee.

Another infamous hacking group—variously known as APT3, Gothic Panda and UPS—has been linked to the Chinese Ministry of State Security (MSS) in a blog published by Intrusion Truth, an anonymous cybersecurity blogging group. The post notes the links between two directors of the Guangzhou Boyu Information Technology Group (Boyusec) and the domains used by APT3 for its activities. Boyusec is also linked with Chinese technology firm Huawei, and the US Defense Department reportedly noted in an internal investigation in 2016 that Boyusec and Huawei had been cooperating to develop products with “backdoors” installed to enable future espionage activity. Intrusion Truth believes that Boyusec is contracted to MSS through various intermediary state organs, in keeping with that agency’s conventional intelligence collection methods of using commercial organisations as cover for intelligence collection. APT3 has previously been linked with cyber operations targeting both the US and Hong Kong.

Closer to home, the Australian government has agreed to work with the Information Commissioner to develop a privacy code for Commonwealth agencies. Back in March, Commissioner Tim Pilgrim requested that the new code be developed, spurred by the fact that significant bungles including #censusfail and data breaches from the Health Department and Public Service Commission had the potential to significantly undermine public trust in the government’s ability to manage data appropriately. The code will be implemented in 2018.

Also in Canberra, in an attempt to improve their own skills and attract more tech-savvy people, teams of government cybersecurity personnel will take part in a cyber ‘war game’ this September, hosted by the Department of Human Services. The teams will work on a cyber test range to defend Lego models of trains, bridges and towns.