Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency
A cyber gang with possible links to Russia is being blamed for the extraordinary worldwide computer security breach - possibly in retaliation for US airstrikes on Syria.
The mysterious organisation - called Shadow Brokers - claimed in April it had stolen a ‘cyber weapon’ from an American spying agency that gives unprecedented access to all computers using Microsoft Windows, the world’s most popular computer operating system.
The hacking tool had been developed by the National Security Agency (NSA), America’s powerful military intelligence unit. The NSA had developed its ‘Eternal Blue’ hacking weapon to gain access to computers used by terrorists and enemy states.
But in an astonishing twist, the NSA’s tool was stolen by Shadow Brokers.
The gang in turn ‘dumped’ the computer bug on an obscure website on April 14, just a week after President Donald Trump ordered the US bombing of Syria.
Some experts believe that timing is significant and indicates that Shadow Brokers has links to the Russian government.
In an internet posting, six days earlier on April 8 - and a day after the first airstrikes - Shadow Brokers appeared to issue a warning to President Trump.
In a statement, the group said in broken English: “Respectfully, what the f*** are you doing? The Shadow Brokers voted for you. The Shadow Brokers supports you. The Shadow Brokers is losing faith in you. Mr Trump helping the Shadow Brokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”
It is believed ‘Eternal Blue’, having been dumped by Shadow Brokers, was then picked up by a separate crime gang which used it to gain remote access to computers, including systems that brought parts of the NHS to a standstill.
The gang, having gained access to computers, then deployed a second software programme - using ransomware called WanaCrypt or WannaCry - which hijacks a computing system and encrypts all the files contained on it.
The only way to unlock the files is to pay a ransom.
In this case, the gang is demanding $300 for each computer it unlocks - paid in ‘bitcoins’, a virtual currency used on the internet.
One computer security expert said ‘Eternal Blue’ was used as the ‘crowbar’ that effectively opened the doors to computers, making them vulnerable to attack. The results have been devastating.
Sean Sullivan, security adviser to F-Secure, a cyber security company, said: “Shadow Brokers obtained the NSA tools that exposed a vulnerability in Microsoft’s operating systems. They dumped the instructions detailing how to get in. The exploit is the ‘crowbar’ to open the door and the ransomware is the ‘hand grenade’ you lob in once the door is open.”
It is thought the NSA warned Microsoft its hacking tool had been stolen earlier this year, prompting Microsoft to develop a ‘patch’ - or fix - in March allowing computer users to update their systems and protect them from cyber attack. But operating systems older than 2009 are not though to have been protected. This may have made the NHS more vulnerable because of outdated systems in some hospitals and GP surgeries due to lack of IT investment.
Graham Cluley, a computer security expert, said: “Microsoft developed the patch after an exploit was taken from US intelligence. The US intelligence agency found a security hole in Microsoft software and rather than doing the decent thing and contacting Microsoft they kept it to themselves and exploited it for the purposes of spying. Then they themselves got hacked. And it was at that point Microsoft thought, ‘Jesus we need to patch against this thing’”
“It’s likely that regular online criminals simply used the information that the Shadow Brokers put on the internet and thought ‘how can we monetise this’.”
Nobody knows who is behind Shadow Brokers but in a statement issued to a specialist technology website in December, the gang said: “The Shadow Brokers is not being irresponsible criminals. The Shadow Brokers is opportunists. The Shadow Brokers is giving ‘responsible parties’ opportunity to making things right.”
Edward Snowden, the NSA whistleblower now living in exile in Russia, claimed last year that Shadow Brokers was backed by the Kremlin following another leak. Snowden tweeted that “circumstantial evidence and conventional wisdom indicates Russian responsibility”.
Official advice from Spain’s emergency computer response service yesterday appeared to confirm that the ransomware attacks stemmed from the Eternal Blue tool, when it urged organisations to download a Microsoft update that protects against it.
Cyber security experts told The Telegraph the ransomware was being quickly spread by a wave of “phishing” emails carrying bogus attachments that infected computers when unsuspecting users clicked on them.
The scam emails lured victims into opening infected files posing as invoices, job offers, or even clinical test results.
By Friday night, the ruse appeared to be paying off handsomely.
Adam Meyers, vice president of intelligence at the cyber firm CrowdStrike, said thousands of dollars had been tracked rolling into internet accounts set to up to receive the ransom payments.
However official government advice on both sides of the Atlantic is not to pay criminals behind such attacks.
Mr Meyers said: “We advise people not to pay, because if people do pay, it emboldens these criminal actors.”
He instead urged organisations to make sure they had backed up their data and installed the latest software updates and security. Employees in the NHS also had to be warned how to spot the suspect emails.