By Mark Scott
Governments, companies and security experts
from China to the United Kingdom on Saturday raced to contain the fallout from
an audacious cyberattack that spread quickly across the globe, raising fears
that people would not be able to meet ransom demands before their data are
destroyed.
The global efforts come less than a day after
malicious software, transmitted via email and stolen from the National Security
Agency, exposed vulnerabilities in computer systems in almost 100 countries in
one of the largest “ransomware” attacks on record.
The cyberattackers took over the computers,
encrypted the information on them and then demanded payment of $300 or more
from users to unlock the devices. Some of the world’s largest institutions and
government agencies were affected, including the Russian Interior Ministry,
FedEx in the United States and Britain’s National Health Service.
As people fretted over whether to pay the
digital ransom or lose data from their computers, experts said the attackers
might pocket more than $1 billion worldwide before the deadline ran out to
unlock the machines.
The coordinated attack was first reported in
the United Kingdom and spread globally. It has set off fears that the effects
of the continuing threat will be felt for months, if not years. It also raised
questions about the intentions of the hackers: Did they carry out the attack
for mere financial gain or for other unknown reasons?
“Ransomware attacks happen every day — but
what makes this different is the size and boldness of the attack,” said Robert
Pritchard, a cybersecurity expert at the Royal United Services Institute, a
think tank, in London. “Despite people’s best efforts, this vulnerability still
exists, and people will look to exploit it.”
While most cyberattacks are inherently
global, the current one, experts say, is more virulent than most. Security
firms said the attacks had spread to all corners of the globe, with Russia hit
the worst, followed by Ukraine, India and Taiwan, said Kaspersky Lab, a Russian
cybersecurity firm.
The attack is believed to be the first in
which such a cyberweapon developed by the N.S.A. has been used by
cybercriminals against computer users around the globe.
Across Asia, several universities and
organizations said they had been affected. In China, the virus hit the computer
networks of both companies and universities, according to the state-run news
media. News about the attack began trending on Chinese social media on
Saturday, though most attention was focused on university networks, where there
were concerns about students losing access to their academic work.
The attack also spread like wildfire in
Europe. Companies like Deutsche Bahn, the German transport giant, and Telefónica, a
Spanish telecommunications firm, were affected, though no major service problems had been
reported across the region’s transportation or telecom networks.
Renault, the European automaker, said on
Saturday that its French operations had been hit by the attack, while one of
its plants in Slovakia was shut down because of the digital virus. Nissan, the
Japanese auto giant, said that its manufacturing center in Sunderland in the
north of England had been affected, though a spokesman declined to comment on
whether the company’s production had been stopped.
The British National Health Service said that
45 of its hospitals, doctors’ offices and ambulance companies had been crippled
— making it perhaps one of the largest institutions affected worldwide.
Surgical procedures were canceled and some hospital operations shut down as
government officials struggled to respond to the attack.
“We are not able to tell you who is behind
that attack,” Amber Rudd, Britain’s home secretary, told the British
Broadcasting Corporation on Saturday. “That work is still ongoing.”
While American companies like FedEx said they
had also been hit, experts said that computer users in the United States had so
far been less affected than others after a British cybersecurity researcher
inadvertently stopped the ransomware attack from spreading more widely.
As part of the digital attack, the hackers,
who have yet to be identified, had included a way of disabling the malware in
case they wanted to shut down their activities. To do so, the assailants
included code in the ransomware that would stop it from spreading if the virus
sent an online request to a website created by the attackers.
This so-called kill switch would stop the
malware from spreading as soon as the website went online and communicated with
the spreading digital virus.
The 22-year-old British researcher,
whose Twitter handle is @MalwareTechBlog, confirmed his involvement but
insisted on anonymity because he did not want the public scrutiny. When he saw that the
kill switch’s domain name — a long and complicated set of letters — had yet to
be registered, he bought it himself. By making the site go live, the researcher
shut down the hacking attack before it could fully spread to the United States.
“The kill switch is why the U.S. hasn’t been
touched so far,” said Matthieu Suiche, founder of Comae Technologies, a
cybersecurity company in the United Arab Emirates. “But it’s only temporary.
All the attackers would have to do is create a variant of the hack with a
different domain name. I would expect them to do that.”
The ability of the cyberattack to spread so
quickly was partly because of its high level of sophistication.
The malware, experts said, was based on a
method that the N.S.A. is believed to have developed as part of its arsenal of
cyberweapons. Last summer, a group calling itself the “Shadow Brokers” posted
online digital tools that it had stolen from the United States government’s
stockpile of hacking weapons.
The connection to the N.S.A. is likely to
draw further criticism from privacy advocates who have repeatedly called for a
clampdown on how the agency collects information online.
As the fallout from the attack continued,
industry officials said law enforcement would find it difficult to catch the
ringleaders, mostly because such cyberattacks are borderless crimes in which
the attackers hide behind complex technologies that mask their identities. At
the same time, national legal systems were not created to handle such global
crimes.
Brian Lord, a former deputy director for
intelligence and cyberoperations at Government Communications Headquarters,
Britain’s equivalent to the N.S.A., said that any investigation, which would
include the F.B.I. and the National Crime Agency of Britain, would take months
to identify the attackers, if it ever does.
By focusing the attacks on large institutions
with a track record of not keeping their technology systems up-to-date, global
criminal organizations can cherry-pick easy targets that are highly susceptible
to such hacks, according to Mr. Lord.
“Serious organized crime is looking to these
new technologies to the maximum effect,” Mr. Lord said. “With cybercrime, you
can operate globally without leaving where you already are.”
Of the current attack, he said: “It was well
thought-out, well timed and well coordinated. But, fundamentally, there is
nothing unusual about its delivery. It is still fundamentally robbery and
extortion.”
As part of the efforts to combat the attack,
Microsoft, whose Windows software lies at the heart of the potential hacking
vulnerability, released a software update available to those affected by the
attack and others that could be potential targets.
Yet, security experts said the software
upgrade, while laudable, came too late for many of the tens of thousands of
machines that were locked and whose data could be erased.
Government officials and industry watchers
also warned on Saturday that other hackers might now try to use the global
ransomware attack for their own means, potentially tweaking the code and
developing their own targets for new cyberattacks.
“As with everything in cyber, we’re now waiting for the next type of attack,” said
Paul Bantick, a cyber security expert at Beazley, a global insurance
underwriter, who has handled similar ransomware attacks for clients around the
world.
“Ransomware like this has been on the rise
over the last 18 months,” he said. “This represents the next step that people
were expecting.”
Reporting was contributed by Keith Bradsher
from Beijing, Paul Mozur and Gerry Mullany from Hong Kong, and Alison Smale
from Berlin.