This, the third in a series on the WannaCry worm, sharpens the focus on the ploys, tactics and incentives behind the mid-May attack on networks worldwide. The computer breach is being repetitively described by the fake news media, quoting deeply compromised computer-security companies, as a criminal hacker plot to freeze older Microsoft operating systems for the purpose of extracting a $300 ransom into an untraceable bitcoin account in exchange for unlocking an infected computer.
The forensics and history behind that epidemic, however, disclose that the “multi-warhead” strike was not done by cyber-thieves but was instead a long-awaited counterattack by the elite NSA cyberweapons team known as Equation. Their objective was to demonstrate cold-calculated ruthlessness in a frame-up of the freedom-fighters known as the Shadow Breakers, who stole Wannacry with dozens of other cyberweapons from the NSA arsenal, along with surveillance tools that can penetrate any firewall.
Challenger versus Champion
Over the past six months, Equation had refused to be drawn out by challenges and taunting from the Shadow Breakers, who eventually became lulled into complacency by the lack of response. Meanwhile the NSA team silently positioned into place its chess pieces, including expendable pawns Sophos and Huari, rook Google and the red queen herself, Microsoft.
To discredit the upstart Shadow Brokers, the initial damage was directed against the British National Health Service (NHS), which was easily accomplished due to the treachery of computer-security firm Sophos, which left its client hospitals defenseless against WannaCry. The attack then moved on to Chinese and Russian financial centers, which have so far not disclosed the extent of losses.
To evade responsibility for the outbreak, the culprits at NSA directed the blame against a nonexistent “North Korean” hacker group called Lazarus, a decoy created by South Korea’s intelligence agency, with a little help from the Israeli cyber-command, to camouflage its own domestic cyber-surveillance activities against opposition parties and domestic advocates of national reunification.
An Unstoppable Blitzkrieg
By mid-May, while the Shadow Brokers were watching news coverage of James Comey’s firing, Equation launched a sudden attack reminiscent of one of Bobby Fischer’s furious blitzkriegs. Every bit as plodding, methodical and predictable as a Garry Kasparov, the Shadow Breakers looked on helplessly as their positions quickly became untenable and watched their game end in a zugzwang, where any further move is a turn toward one’s own destruction.
Shadow Brokers fell into a trap of their own making after boasting of their theft of 75 percent of the NSA’s stockpile of cyber-weapons. Their admission of guilt exonerated Equation of any suspicion for launching the worm attack, especially since Wanna Decryptor is supposedly missing from the NSA vault. The question is: How did the NSA recover the stolen wares used in the worldwide attack?
A Flaw in Physical Security
Presumably, to ensure their sole possession of the heisted malware, the Shadow Brokers erased all back-up copies in the NSA archives, leaving the hated Equation team empty-handed. To minimize the loss of these unholy treasures due, for example, to the death of a team member or a car accident or an arrest, the cyber-thieves made several identical copies to be secretly kept by their closest confidants.
Thus, apparently, a complete set was left in the safekeeping of a low-profile NSA contractor from Booz, Allen, Hamilton (the firm that employed Edward Snowden). During their fishing expedition this past autumn, the FBI and their Pentagon counterparts cast a wide net. One of the lowest-threat security risks was a compulsive hoarder, a former US Navy signals corpsman named Harold Thomas Martin III. An FBI search of his premises uncovered hard drives containing 50 terabytes of classified files and top-secret programs, including the NSA cyber-weapons archive.
Whatever the NSA might have lost in the theft of August 2016 was recovered from Martin’s hoard. The court proceedings against him were kept off the public record, so as not to alert the Shadow Brokers.
Meanwhile, the unsuspecting thieves tried to force a response from Microsoft, in order to publicly verify its insider collusion with the NSA-Equation team: “In January theshadowbrokers is deciding to show screenshots of lost theequationgroup 2013 Windows Ops Disk. TheShadowBrokers is knowing if showing screenshots, then vulnerabilities is being reported by theequationgroup to Microsoft and is being patched.“
But even a month later, Microsoft had not responded as anticipated. “In February Microsoft is missing patch Tuesday. TheShadowBrokers is knowing, Microsoft is missing to be making patches for Eternal exploits.” The inaction was in denial of suspicions of Microsoft collaboration with the NSA.
The came a false spring. “In March Microsoft is releasing patch for SMB vulnerabilities. TheShadowBrokers is knowing this is being for Eternal exploits. TheShadowBrokers is still waiting and not releasing.” SMB stands for Windows Server Message Block, the site of the NSA-rigged EternalBlue vulnerability. More cautious now due to Microsoft’s unpredictable behavior, the Shadow Brokers withheld release of WannaCry. Something was up, but they couldn’t figure out what.
In April, “Microsoft patch was being available for 30 days before theshadowbrokers is releasing dump to public.” Shadow Brokers threatened to release (dump) WannaCry but didn’t follow through with its threat, due to the strange toe dance with Microsoft to the non-rhythmic music of the NSA.
The Shadow Brokers therefore took another look at the Wanna Decryptor in their possession and, to their dismay, discovered a kill switch inserted in the code. A kill switch is a domain name that the user can access to disengage the worm and resume normal computer operations. WannaCry was like a revolver loaded with blanks, and so once-cocky Shadow Brokers were now running scared.
“In May, No dumps, theshadowbrokers is eating popcorn and watching ‘Your Fired’ and WannaCry. Is being very strange behavior for crimeware? Killswitch? Crimeware is caring about target country?”
Little did they realize that Microsoft has not released a patch for XP and older systems, which are prevalent among the countries targeted by the NSA. Since blame could be heaped on the Shadow Brokers, NSA-Equation had nothing to lose by releasing the virus. Already the Five Eyes spymaster summit in Queenstown, New Zealand, had indicated their consent for veiled cyber-strikes on Russia, China and Iran.
Then, to rub the noses of the Shadow Brokers into their messy pile of filched wares, NSA Equation released WannaCry on a massive scale. In a frame-up of global dimensions. the Shadow Brokers were no longer the good-guy vigilantes but despicable outlaws beyond the pale of cyberspace.
Despite its previous announcements, Microsoft was holding back the patch for older versions of Windows until the NSA’s attack mission was completed against select targets. Never mind the collateral damage to poorer users around the world because those losers don’t matter a whit.
The former defenders of online privacy against state surveillance, the Shadow Brokers have since fallen into the category of indictable felons, prime suspects for extortion along with billions of dollars in lost time for computer networks, thus exonerating the NSA for creating the weapons of cyberspace destruction.
Innocence or guilt is a matter of who is more credible: the hackers who threatened to release the virus or the NSA that pledged to recover the stolen wares? Given this false dichotomy, the news media has forgiven the NSA for amassing a cyber arsenal and chooses to ignore its suspect role in unleashing the WannaCry virus.
The denouement for the Shadow Brokers came from trying to outwit the devil known only by the nickname Equation. To his credit, the master of dirty tricks is a gentleman who, after soundly whipping the Shadow Brokers, showed mercy by laying the entire blame on the North Koreans. Lazarus was once again raised from the dead.
Minions of the Cyber-State
The craftiness of NSA-Equation is proven beyond a shadow of doubt, when the entire world, including its best cryptographers, fail to recognize its role in the release of Wanna Decryptor. For intelligence professionals, truly masterful victories are those that remain forever undetected, never to be cited even in dusty history books. Celebrity spies are the miserable failures of the craft when publicity is the ultimate shame. Given the dubious rules of the spy game, NSA-Equation is a paragon. Let’s not get into conniptions over ethics, which have no place in intelligence affairs, except for the suicidal, another epidemic of late.
Now for tidbits of information on those chess pieces played by NSA-Equation.
Microsoft: Using any search engine, key in “Microsoft NSA” to call up dozens of articles disclosing collusion. This from techrights.org: “No software company has been quite as collaborative with the NSA as Microsoft has, e.g. in providing direct Skype access. Microsoft offers back doors at the operating systems level, not the just Internet/communications level; the NSA as a whole has come to share a bed with Microsoft (even staff intersections exist) and this technology giant, Microsoft, also receives payments for these abuses of privacy. e.g. from the CIA, based on clear disclosures (leaks). Sharing a bed without a marriage certificate and for payment is called prostitution.
Google: One of its India-born staffers Neel Mehta was the first to cite “similarities” between WannaCry and the Sony Pictures virus blamed on the (fictitious) Lazarus group of North Korean hackers. The Google-NSA alliance has been so blatant, it’s gotten mention from the Washington Post and New York Times, which are themselves creatures of intelligence agencies. Google staffers were caught red-handed inside (physically, bodily) the faciities of CERNET, China’s top network security provider, in an inadvisable attempt to install TOR on the Internet backbone prior to encryption. Google chairman Eric Schmidt’s visit to North Korean internet hubs was yet another adventure in espionage.
Lazarus: The ghost North Korean hacker group is an invention of Sophos and Huari, created to divert attention away from the Israeli origins of the DarkSeoul virus, which was based on Shamoon, the virus that shut down workstations at Saudi Aramco petroleum company in 2012, a year after 911. Lazarus has been used as a fictitious threat for live-exercises by South Korean cyber-security agents to test the anti-hacking defenses of their own national institutions and banks as well as to breach the computer security of opposition political parties and dissenters.
Sophos: This dodgy outfit appeared on the radar screen for abetting the WannaCry attack on the British National Health Service networks, which resulted in the shutdown of 40 NHS hospitals. To avoid notice for its role, the Sophos logo was wiped from the entire NHS computer system.
Sophos was one of two companies that were quick to link the 2013 DarkSeoul attack to the phantom Lazarus group. Despite its deepening financial problems, Sophos has been on a buying spree of European computer security products like Astaro firewall and Hitman Pro virus tracker, whcich are in dire need of NSA control.
Founded at Oxford by British math professors, Sophos has since moved its principal headquarters to Boston. Its current CEO is Kris Hagerman, a former executive for data-center management at computer-security giant Symantec, another well-known gun for the NSA. From Edward Snowden’s Intercept: “An NSA slide describing ‘Project CAMBERDADA’ lists at least 23 antivirus and security firms that were in that spy agency’s sights. They include the Finnish antivirus firm F-Secure, the Slovakian firm Eset, Avast software from the Czech Republic. and Bit-Defender from Romania. Notably missing from the list are the American anti-virus firms Symantec and McAfee as well as the UK-based firm Sophos.”
Huari: Seoul-based producer of the ViRobot anti-virus software.
Reuters feport on WannaCry in South Korea: “’It is similar to North Korea’s backdoor malicious codes,’ said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service. . . . Hauri researcher Choi said the code bore similarities with those allegedly used by North Korean hackers in the Sony and bank heists. He said based on his conversations with North Korean hackers, the reclusive state had been developing and testing ransomware programs since August (2016).”
Cyber-spy Choi missed the fact that it would have been impossible for North Koreans to have developed WannaCry, since it was stolen from the NSA archive by Shadow Brokers in that very same month of August 2016. And why would a nefarious Lazarus bother to install a kill-switch?
According to a 2015 report from Snowden’s Intercept, Hauri is one of 20 computer-security companies on the NSA target list as a suspect in hacks against US networks. This prospect raises the question of whether Lazarus is a Hauri invention, used for South Korean intelligence hacking foreign intelligence agencies and military networks, as well as stealing propriety data from commercial rivals such as Sony. South Korea has the world’s highest rate of computer break-ins, which doesn’t say a lot for ViRobot, which might in fact be a tool for military and police online surveillance of the South Korea population.
Ghost in the Shell
Despite the high-risk efforts of the Shadow Brokers, Edward Snowden and Julian Assange, the world knows hardy anything about the NSA hacking team that was nicknamed “Equation” by the rival Kaspersky Lab in Russia. How many programmers work with that team? When was it organized? Who is its commander? Where is the list of its major achievements? What is its ultimate goal?
More disturbing are the inevitable questions that make one break down and want to cry: Are the Shadow Brokers just an illusion cast by Equation? Was the August theft a fictitious event to enable the first-strike use of cyber-weapons?
As it stands now, whoever leads that NSA team with no name is the “Ghost in the Shell” of the Cyber-State, our tyrannical protector and worst enemy, guardian angel and diabolical tormentor.
Still, most troubling of all is that nobody knows what to call it. Just listen to that electronic hum coming over Skype: “When you meet me have some courtesy, have some sympathy and some taste. Use all your well-learned politesse or I’ll lay your soul to waste. Pleased to meet you, I hope you guess my name, ‘cause what’s puzzling you is the nature of my game.”
Yoichi Shimatsu, Senior Advisor and Contributing Editor for The 4th Media, is a science journalist sometimes based in Hong Kong.