State-Sponsored Cyber Threats: An Examination of Notable Computer Viruses, Spyware, and Malware
In the realm of cybersecurity, state-sponsored cyber threats have emerged as some of the most sophisticated and dangerous. These threats often target critical infrastructure, government agencies, and large corporations, aiming to steal sensitive information, disrupt operations, or exert political influence. This article delves into some of the most notorious examples of state-sponsored malware, examining their technical mechanisms and the impact they have had.
Stuxnet
Overview: Stuxnet is perhaps the most well-known state-sponsored malware, widely believed to have been developed by the United States and Israel. First discovered in 2010, Stuxnet was designed to sabotage Iran’s nuclear enrichment facilities.
Technical Details:
- Infection Method: Stuxnet was initially spread via USB drives, exploiting zero-day vulnerabilities in Windows systems to propagate without detection.
- Payload: The malware targeted Siemens Step7 software running on programmable logic controllers (PLCs) used in Iran’s Natanz uranium enrichment facility.
- Mechanism: Stuxnet manipulated the centrifuges’ operation, causing them to spin out of control while reporting normal operations to monitoring systems, thereby avoiding detection.
Impact: Stuxnet set back Iran’s nuclear program by several years and marked the first known instance of malware specifically designed to cause physical damage to industrial systems.
Flame
Overview: Discovered in 2012, Flame is a sophisticated cyber-espionage tool suspected to have been developed by a nation-state, with strong evidence pointing towards a collaboration between the United States and Israel.
Technical Details:
- Infection Method: Flame spread through phishing emails and exploited vulnerabilities in Windows operating systems.
- Capabilities: The malware had modules for data theft, including keylogging, screenshot capturing, and audio recording. It could also intercept network traffic and record Skype conversations.
- Modularity: Flame’s code was modular, allowing operators to add or remove functionalities as needed.
Impact: Flame was used for extensive cyber-espionage operations across the Middle East, particularly targeting individuals and organizations in Iran. Its discovery highlighted the increasing sophistication of cyber-espionage tools.
Duqu
Overview: First identified in 2011, Duqu is believed to be a successor or variant of Stuxnet. It shares significant code similarities with Stuxnet and is thought to have been created by the same developers.
Technical Details:
- Infection Method: Duqu exploited a zero-day vulnerability in Microsoft Word documents to infect systems.
- Payload: Unlike Stuxnet, Duqu focused on data theft rather than physical sabotage. It collected information that could be useful for future cyber-attacks, including keystrokes and system information.
- Command and Control (C&C): Duqu used encrypted communication channels to exfiltrate data to remote servers controlled by the attackers.
Impact: Duqu provided insights into the intelligence-gathering phase preceding cyber-sabotage attacks. Its discovery helped cybersecurity professionals understand the lifecycle of advanced persistent threats (APTs).
APT28 (Fancy Bear)
Overview: APT28, also known as Fancy Bear, is a hacking group believed to be associated with the Russian military intelligence agency GRU. Active since the mid-2000s, APT28 has been implicated in numerous high-profile cyber-attacks.
Technical Details:
- Infection Methods: APT28 uses a variety of techniques, including spear-phishing emails, zero-day exploits, and malware-laden documents.
- Malware Tools: Notable tools include Sofacy, X-Agent, and X-Tunnel, which are used for espionage, data exfiltration, and establishing backdoors in infected systems.
- Targets: The group has targeted military, government, and media organizations, primarily in Europe and North America.
Impact: APT28 has been linked to several significant cyber-attacks, including the 2016 Democratic National Committee email leak. Their activities have heightened awareness of state-sponsored cyber-espionage and its potential impact on international relations.
WannaCry
Overview: WannaCry was a ransomware attack that spread globally in May 2017, causing widespread disruption. It is widely believed to have been developed by the North Korean group Lazarus.
Technical Details:
- Infection Method: WannaCry leveraged the EternalBlue exploit, a vulnerability in Windows’ Server Message Block (SMB) protocol, allegedly developed by the NSA and leaked by the Shadow Brokers hacker group.
- Payload: The ransomware encrypted users’ files and demanded a Bitcoin ransom for their release.
- Propagation: WannaCry had a worm-like ability to spread rapidly across networks, infecting hundreds of thousands of computers in over 150 countries.
Impact: WannaCry caused significant disruptions, affecting hospitals, businesses, and government agencies. The attack underscored the dangers of using leaked cyber weapons and the critical need for timely software updates and patch management.
Conclusion
State-sponsored malware represents a significant threat to global cybersecurity. The examples discussed—Stuxnet, Flame, Duqu, APT28, and WannaCry—highlight the diverse tactics and objectives of such attacks. These instances are not just technical anomalies; they are stark illustrations of how technology can be weaponized to manipulate, disrupt, and control on a global scale.
As cyber threats continue to evolve, the importance of robust cybersecurity measures, international cooperation, and constant vigilance cannot be overstated. Governments and organizations must recognize that these sophisticated cyber weapons are not merely theoretical dangers—they are active tools of geopolitical influence and control. The ability of a few lines of code to bring entire infrastructures to a halt or to covertly siphon sensitive information is a wakeup call to the potential for abuse inherent in our increasingly interconnected world.
This is more than a call for better security; it’s a call for awareness and action. The digital realm has become a battlefield, and the stakes are higher than ever. We must confront the reality that technology, while a force for good, can also be turned into a tool of oppression and conflict. Only through concerted effort and proactive defense can we safeguard the integrity of our digital future.
State-Sponsored Cyber Threats: An Examination of Notable Computer Viruses, Spyware, and Malware – WIKIs
Stuxnet
Technical name | As Stuxnet |
---|---|
Classification | Computer worm |
Type | Dropper |
Author(s) | Equation Group |
Operating system(s) affected | |
Source | [1] |
Stuxnet is a malicious computer worm first uncovered in 2010 and thought to have been in development since at least 2005. Stuxnet targets supervisory control and data acquisition (SCADA) systems and is believed to be responsible for causing substantial damage to the nuclear program of Iran.[2] Although neither country has openly admitted responsibility, multiple independent news organizations recognize Stuxnet to be a cyberweapon built jointly by the United States and Israel in a collaborative effort known as Operation Olympic Games.[3][4][5] The program, started during the Bush administration, was rapidly expanded within the first months of Barack Obama’s presidency.[6]
Stuxnet specifically targets programmable logic controllers (PLCs), which allow the automation of electromechanical processes such as those used to control machinery and industrial processes including gas centrifuges for separating nuclear material. Exploiting four zero-day flaws,[7] Stuxnet functions by targeting machines using the Microsoft Windows operating system and networks, then seeking out Siemens Step7 software. Stuxnet reportedly compromised Iranian PLCs, collecting information on industrial systems and causing the fast-spinning centrifuges to tear themselves apart.[2] Stuxnet’s design and architecture are not domain-specific and it could be tailored as a platform for attacking modern SCADA and PLC systems (e.g., in factory assembly lines or power plants), most of which are in Europe, Japan, and the United States.[8] Stuxnet reportedly ruined almost one-fifth of Iran’s nuclear centrifuges.[9] Targeting industrial control systems, the worm infected over 200,000 computers and caused 1,000 machines to physically degrade.[10]
Stuxnet has three modules: a worm that executes all routines related to the main payload of the attack; a link file that automatically executes the propagated copies of the worm; and a rootkit component responsible for hiding all malicious files and processes, to prevent detection of Stuxnet.[11] It is typically introduced to the target environment via an infected USB flash drive, thus crossing any air gap. The worm then propagates across the network, scanning for Siemens Step7 software on computers controlling a PLC. In the absence of either criterion, Stuxnet becomes dormant inside the computer. If both the conditions are fulfilled, Stuxnet introduces the infected rootkit onto the PLC and Step7 software, modifying the code and giving unexpected commands to the PLC while returning a loop of normal operation system values back to the users.[12][13]
Discovery
Stuxnet, discovered by Sergey Ulasen from a Belarusian antivirus company VirusBlokAda, initially spread via Microsoft Windows, and targeted Siemens industrial control systems. While it is not the first time that hackers have targeted industrial systems,[14] nor the first publicly known intentional act of cyberwarfare to be implemented, it is the first discovered malware that spies on and subverts industrial systems,[15] and the first to include a programmable logic controller (PLC) rootkit.[16][17]
The worm initially spreads indiscriminately, but includes a highly specialized malware payload that is designed to target only Siemens supervisory control and data acquisition (SCADA) systems that are configured to control and monitor specific industrial processes.[18][19] Stuxnet infects PLCs by subverting the Step-7 software application that is used to reprogram these devices.[20][21]
Different variants of Stuxnet targeted five Iranian organizations,[22] with the probable target widely suspected to be uranium enrichment infrastructure in Iran;[21][23][24] Symantec noted in August 2010 that 60 percent of the infected computers worldwide were in Iran.[25] Siemens stated that the worm caused no damage to its customers,[15] but the Iran nuclear program, which uses embargoed Siemens equipment procured secretly, was damaged by Stuxnet.[26][27][28] Kaspersky Lab concluded that the sophisticated attack could only have been conducted “with nation-state support.”[29] F-Secure’s chief researcher Mikko Hyppönen, when asked if possible nation-state support were involved, agreed: “That’s what it would look like, yes.”[30]
In May 2011, the PBS program Need To Know cited a statement by Gary Samore, White House Coordinator for Arms Control and Weapons of Mass Destruction, in which he said, “we’re glad they [the Iranians] are having trouble with their centrifuge machine and that we — the U.S. and its allies — are doing everything we can to make sure that we complicate matters for them,” offering “winking acknowledgement” of United States involvement in Stuxnet.[31] According to The Daily Telegraph, a showreel that was played at a retirement party for the head of the Israel Defense Forces (IDF), Gabi Ashkenazi, included references to Stuxnet as one of his operational successes as the IDF chief of staff.[32]
On 1 June 2012, an article in The New York Times reported that Stuxnet was part of a US and Israeli intelligence operation named Operation Olympic Games, devised by the NSA under President George W. Bush and executed under President Barack Obama.[33]
On 24 July 2012, an article by Chris Matyszczyk from CNET[34] reported that the Atomic Energy Organization of Iran e-mailed F-Secure’s chief research officer Mikko Hyppönen to report a new instance of malware.
On 25 December 2012, an Iranian semi-official news agency announced there was a cyberattack by Stuxnet, this time on the industries in the southern area of the country. The malware targeted a power plant and some other industries in Hormozgan province in recent months.[35]
According to Eugene Kaspersky, the worm also infected a nuclear power plant in Russia. Kaspersky noted, however, that since the power plant is not connected to the public Internet, the system should remain safe.[36]
History
The worm was first identified by the security company VirusBlokAda in mid-June 2010.[20] Journalist Brian Krebs’s blog posting on 15 July 2010 was the first widely read report on the worm.[37][38] The original name given by VirusBlokAda was “Rootkit.Tmphider;”[39] Symantec, however, called it “W32.Temphid,” later changing to “W32.Stuxnet.”[40] Its current name is derived from a combination of some keywords in the software (“.stub” and “mrxnet.sys”).[41][42] The reason for the discovery at this time is attributed to the virus accidentally spreading beyond its intended target (the Natanz plant) due to a programming error introduced in an update; this led to the worm spreading to an engineer’s computer that had been connected to the centrifuges and spreading further when the engineer returned home and connected his computer to the internet.[33]
Kaspersky Lab experts at first estimated that Stuxnet started spreading around March or April 2010,[43] but the first variant of the worm appeared in June 2009.[20] On 15 July 2010, the day the worm’s existence became widely known, a distributed denial-of-service attack was made on the servers for two leading mailing lists on industrial-systems security. This attack, from an unknown source but likely related to Stuxnet, disabled one of the lists, thereby interrupting an important source of information for power plants and factories.[38] On the other hand, researchers at Symantec have uncovered a version of the Stuxnet computer virus that was used to attack Iran’s nuclear program in November 2007, being developed as early as 2005, when Iran was still setting up its uranium enrichment facility.[44]
The second variant, with substantial improvements, appeared in March 2010, apparently because its authors believed that Stuxnet was not spreading fast enough; a third, with minor improvements, appeared in April 2010.[38] The worm contains a component with a build timestamp from 3 February 2010.[45] In the United Kingdom on 25 November 2010, Sky News reported that it had received information from an anonymous source at an unidentified IT security organization that Stuxnet, or a variation of the worm, had been traded on the black market.[46]
In 2015, Kaspersky Lab noted that the Equation Group had used two of the same zero-day attacks prior to their use in Stuxnet, in another malware called fanny.bmp,[47][48] and commented that “the similar type of usage of both exploits together in different computer worms, at around the same time, indicates that the Equation Group and the Stuxnet developers are either the same or working closely together”.[49]
In 2019, Chronicle researchers Juan Andres Guerrero-Saade and Silas Cutler presented evidence of at least four distinct threat actor malware platforms collaborating to create the different versions of Stuxnet.[50][51] The collaboration was dubbed ‘GOSSIP GIRL’ after a threat group leaked from classified CSE slides that included Flame.[52] GOSSIP GIRL is a cooperative umbrella that includes the Equation Group, Flame, Duqu, and Flowershop (also known as ‘Cheshire Cat’).[53][54][55]
In 2020, researcher Facundo Muñoz found evidence suggesting that Equation Group collaborated with Stuxnet developers in 2009 by lending them at least one zero-day exploit,[56] and one exploit from 2008[57] that was being actively used in-the-wild by the Conficker computer worm and Chinese hackers.[58] In 2017, a group of hackers known as The Shadow Brokers leaked a massive trove of tools belonging to Equation Group, including new versions of both exploits compiled in 2010, showing significant code overlaps as both Stuxnet’s exploits and Equation Group’s exploits were developed using a set of libraries called “Exploit Development Framework” also leaked by The Shadow Brokers.
Affected countries
A study of the spread of Stuxnet by Symantec showed that the main affected countries in the early days of the infection were Iran, Indonesia and India:[59]
Country | Share of infected computers |
---|---|
Iran | 58.9% |
Indonesia | 18.2% |
India | 8.3% |
Azerbaijan | 2.6% |
United States | 1.6% |
Pakistan | 1.3% |
Other countries | 9.2% |
Iran was reported to have fortified its cyberwar abilities following the Stuxnet attack, and has been suspected of retaliatory attacks against United States banks in Operation Ababil.[60]
Operation
Unlike most malware, Stuxnet does little harm to computers and networks that do not meet specific configuration requirements; “The attackers took great care to make sure that only their designated targets were hit … It was a marksman’s job.”[61] While the worm is promiscuous, it makes itself inert if Siemens software is not found on infected computers, and contains safeguards to prevent each infected computer from spreading the worm to more than three others, and to erase itself on 24 June 2012.[38]
For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals so an infected system does not shut down due to detected abnormal behavior.[38][61][62] Such complexity is very unusual for malware. The worm consists of a layered attack against three different systems:
- The Windows operating system,
- Siemens PCS 7, WinCC and STEP7 industrial software applications that run on Windows and
- One or more Siemens S7 PLCs.
Windows infection
Stuxnet attacked Windows systems using an unprecedented four zero-day attacks (plus the CPLINK vulnerability and a vulnerability used by the Conficker worm[63]). It is initially spread using infected removable drives such as USB flash drives,[21][45] which contain Windows shortcut files to initiate executable code.[64] The worm then uses other exploits and techniques such as peer-to-peer remote procedure call (RPC) to infect and update other computers inside private networks that are not directly connected to the Internet.[65][66][67] The number of zero-day exploits used is unusual, as they are highly valued and malware creators do not typically make use of (and thus simultaneously make visible) four different zero-day exploits in the same worm.[23] Amongst these exploits were remote code execution on a computer with Printer Sharing enabled,[68] and the LNK/PIF vulnerability,[69] in which file execution is accomplished when an icon is viewed in Windows Explorer, negating the need for user interaction.[70] Stuxnet is unusually large at half a megabyte in size,[65] and written in several different programming languages (including C and C++) which is also irregular for malware.[15][20][62] The Windows component of the malware is promiscuous in that it spreads relatively quickly and indiscriminately.[45]
The malware has both user mode and kernel mode rootkit ability under Windows,[67] and its device drivers have been digitally signed with the private keys of two public key certificates that were stolen from separate well-known companies, JMicron and Realtek, both located at Hsinchu Science Park in Taiwan.[45][65] The driver signing helped it install kernel mode rootkit drivers successfully without users being notified, and thus it remained undetected for a relatively long period of time.[71] Both compromised certificates have been revoked by Verisign.
Two websites in Denmark and Malaysia were configured as command and control servers for the malware, allowing it to be updated, and for industrial espionage to be conducted by uploading information. Both of these domain names have subsequently been redirected by their DNS service provider to Dynadot as part of a global effort to disable the malware.[67][38]
Step 7 software infection
According to researcher Ralph Langner,[72][73] once installed on a Windows system, Stuxnet infects project files belonging to Siemens’ WinCC/PCS 7 SCADA control software[74] (Step 7), and subverts a key communication library of WinCC called s7otbxdx.dll. Doing so intercepts communications between the WinCC software running under Windows and the target Siemens PLC devices, when the two are connected via a data cable. The malware is able to modify the code on PLC devices unnoticed, and subsequently to mask its presence from WinCC if the control software attempts to read an infected block of memory from the PLC system.[67]
The malware furthermore used a zero-day exploit in the WinCC/SCADA database software in the form of a hard-coded database password.[75]
PLC infection
Stuxnet’s payload targets only those SCADA configurations that meet criteria that it is programmed to identify.[38]
Stuxnet requires specific slave variable-frequency drives (frequency converter drives) to be attached to the targeted Siemens S7-300 system and its associated modules. It only attacks those PLC systems with variable-frequency drives from two specific vendors: Vacon based in Finland and Fararo Paya based in Iran.[76] Furthermore, it monitors the frequency of the attached motors, and only attacks systems that spin between 807 Hz and 1,210 Hz. This is a much higher frequency than motors typically operate at in most industrial applications, with the notable exception of gas centrifuges.[76] Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[67] When certain criteria are met, it periodically modifies the frequency to 1,410 Hz and then to 2 Hz and then to 1,064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[76] It also installs a rootkit – the first such documented case on this platform – that hides the malware on the system and masks the changes in rotational speed from monitoring systems.
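The monitoring blind spot described above, a PLC that reports normal values to the HMI while the drives run far outside their band, is why ICS defenders compare HMI data against an independent physical measurement. The following Python is an added example and not code from the article, Siemens or Symantec; it uses the 807–1,210 Hz band and the 1,064/1,410/2 Hz values the article gives, while the CSV layout, drive name, tolerance and telemetry values are constructed for illustration.

```python
"""Defender-side consistency check over PLC drive telemetry.

Stuxnet drove the frequency converters to 1,410 Hz and then 2 Hz while
feeding the HMI a replay of normal 1,064 Hz readings. A check that only
looks at HMI values therefore sees nothing. This example compares the
HMI-reported frequency with an independent measurement (standing in for
an out-of-band sensor such as a current clamp or vibration probe) and
raises an alert when either the measurement leaves the nominal band or
the two streams disagree. Format, tolerance and data are assumptions.
"""
from dataclasses import dataclass
from typing import Iterable, List

# Nominal operating band for the targeted drives, as given in the article (Hz).
BAND_LOW_HZ = 807.0
BAND_HIGH_HZ = 1210.0
# Largest tolerated gap between HMI-reported and measured frequency (assumed).
DIVERGENCE_HZ = 25.0


@dataclass(frozen=True)
class Sample:
    t: int           # seconds since start of the capture (constructed)
    drive: str       # drive identifier (constructed)
    hmi_hz: float    # frequency as reported by the HMI / Step 7 read
    meas_hz: float   # frequency from an independent measurement


def parse_line(line: str) -> Sample:
    """Parse one CSV telemetry line: t,drive,hmi_hz,meas_hz (assumed layout)."""
    t, drive, hmi, meas = (field.strip() for field in line.split(","))
    return Sample(int(t), drive, float(hmi), float(meas))


def check_sample(s: Sample) -> List[str]:
    """Return zero or more alert strings for a single telemetry sample."""
    alerts: List[str] = []
    # (a) The physical measurement leaves the nominal operating band.
    if not BAND_LOW_HZ <= s.meas_hz <= BAND_HIGH_HZ:
        alerts.append(f"t={s.t} {s.drive}: measured {s.meas_hz:.0f} Hz outside "
                      f"{BAND_LOW_HZ:.0f}-{BAND_HIGH_HZ:.0f} Hz band")
    # (b) The HMI says one thing and the physics says another: the signature
    # of a process-view replay like the one Stuxnet performed.
    if abs(s.hmi_hz - s.meas_hz) > DIVERGENCE_HZ:
        alerts.append(f"t={s.t} {s.drive}: HMI reports {s.hmi_hz:.0f} Hz but "
                      f"measurement is {s.meas_hz:.0f} Hz")
    return alerts


def analyse(lines: Iterable[str]) -> List[str]:
    """Run check_sample over a telemetry log, skipping blanks and comments."""
    alerts: List[str] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alerts.extend(check_sample(parse_line(line)))
    return alerts


# Constructed telemetry: steady running at 1,064 Hz, an excursion to
# 1,410 Hz, a return to normal, then a drop to 2 Hz, with the HMI showing
# 1,064 Hz throughout, mirroring the sequence the article describes.
SAMPLE_TELEMETRY = """\
# t,drive,hmi_hz,meas_hz
0,CASCADE-A1,1064,1064
60,CASCADE-A1,1064,1063
120,CASCADE-A1,1064,1410
180,CASCADE-A1,1064,1409
240,CASCADE-A1,1064,1064
300,CASCADE-A1,1064,2
360,CASCADE-A1,1064,1064
""".splitlines()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_TELEMETRY):
        print("ALERT", alert)
```

Only the three rows where the measurement departs from the HMI value produce alerts; the small 1,063 Hz jitter at t=60 stays below the tolerance.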
Removal
Siemens has released a detection and removal tool for Stuxnet. Siemens recommends contacting customer support if an infection is detected and advises installing Microsoft updates for security vulnerabilities and prohibiting the use of third-party USB flash drives.[77] Siemens also advises immediately upgrading password access codes.[78]
The worm’s ability to reprogram external PLCs may complicate the removal procedure. Symantec’s Liam O’Murchu warns that fixing Windows systems may not fully solve the infection; a thorough audit of PLCs may be necessary. Despite speculation that incorrect removal of the worm could cause damage,[15] Siemens reports that in the first four months since discovery, the malware was successfully removed from the systems of 22 customers without any adverse effects.[77][79]
Control system security
Prevention of control system security incidents,[80] such as from viral infections like Stuxnet, is a topic that is being addressed in both the public and the private sector.
The US Department of Homeland Security National Cyber Security Division (NCSD) operates the Control System Security Program (CSSP).[81] The program operates a specialized computer emergency response team called the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), conducts a biannual conference (ICSJWG), provides training, publishes recommended practices, and provides a self-assessment tool. As part of a Department of Homeland Security plan to improve American computer security, in 2008 it and the Idaho National Laboratory (INL) worked with Siemens to identify security holes in the company’s widely used Process Control System 7 (PCS 7) and its software Step 7. In July 2008, INL and Siemens publicly announced flaws in the control system at a Chicago conference; Stuxnet exploited these holes in 2009.[61]
Several industry organizations[82][83] and professional societies[84][85] have published standards and best practice guidelines providing direction and guidance for control system end-users on how to establish a control system security management program. The basic premise that all of these documents share is that prevention requires a multi-layered approach, often termed defense in depth.[86] The layers include policies and procedures, awareness and training, network segmentation, access control measures, physical security measures, system hardening (e.g., patch management), and system monitoring, anti-virus and intrusion prevention systems (IPS). The standards and best practices also all recommend starting with a risk analysis and a control system security assessment.[87][88]
Target and origin
Experts believe that Stuxnet required the largest and costliest development effort in malware history.[38] Developing its many abilities would have required a team of highly capable programmers, in-depth knowledge of industrial processes, and an interest in attacking industrial infrastructure.[15][20] Eric Byres, who has years of experience maintaining and troubleshooting Siemens systems, told Wired that writing the code would have taken many man-months, if not man-years.[65] Symantec estimates that the group developing Stuxnet would have consisted of between five and thirty people, and would have taken six months to prepare.[89][38] The Guardian, the BBC and The New York Times all claimed that (unnamed) experts studying Stuxnet believe the complexity of the code indicates that only a nation-state would have the abilities to produce it.[23][89][90] The self-destruct and other safeguards within the code implied that a Western government was responsible, or at least is responsible for its development.[38] However, software security expert Bruce Schneier initially condemned the 2010 news coverage of Stuxnet as hype, stating that it was almost entirely based on speculation.[91] But after subsequent research, Schneier stated in 2012 that “we can now conclusively link Stuxnet to the centrifuge structure at the Natanz nuclear enrichment lab in Iran”.[92]
In January 2024, de Volkskrant reported that Dutch engineer Erik van Sabben was the saboteur who had infiltrated the underground nuclear complex in the city of Natanz and installed equipment infected with Stuxnet.[93]
Iran as a target
Ralph Langner, the researcher who identified that Stuxnet infected PLCs,[21] first speculated publicly in September 2010 that the malware was of Israeli origin, and that it targeted Iranian nuclear facilities.[94] However Langner more recently, at a TED conference, recorded in February 2011, stated that, “My opinion is that the Mossad is involved, but that the leading force is not Israel. The leading force behind Stuxnet is the cyber superpower – there is only one; and that’s the United States.”[95] Kevin Hogan, Senior Director of Security Response at Symantec, reported that most infected systems were in Iran (about 60%),[96] which has led to speculation that it may have been deliberately targeting “high-value infrastructure” in Iran[23] including either the Bushehr Nuclear Power Plant or the Natanz nuclear facility.[65][97][98] Langner called the malware “a one-shot weapon” and said that the intended target was probably hit,[99] although he admitted this was speculation.[65] Another German researcher and spokesman of the German-based Chaos Computer Club, Frank Rieger, was the first to speculate that Natanz was the target.[38]
Natanz nuclear facilities
According to the Israeli newspaper Haaretz, in September 2010 experts on Iran and computer security specialists were increasingly convinced that Stuxnet was meant “to sabotage the uranium enrichment facility at Natanz – where the centrifuge operational capacity had dropped over the past year by 30 percent.”[100] On 23 November 2010 it was announced that uranium enrichment at Natanz had ceased several times because of a series of major technical problems.[101] A “serious nuclear accident” (supposedly the shutdown of some of its centrifuges[102]) occurred at the site in the first half of 2009, which is speculated to have forced Gholam Reza Aghazadeh, the head of the Atomic Energy Organization of Iran (AEOI), to resign.[103] Statistics published by the Federation of American Scientists (FAS) show that the number of enrichment centrifuges operational in Iran mysteriously declined from about 4,700 to about 3,900 beginning around the time the nuclear incident WikiLeaks mentioned would have occurred.[104] The Institute for Science and International Security (ISIS) suggests, in a report published in December 2010, that Stuxnet is a reasonable explanation for the apparent damage[105] at Natanz, and may have destroyed up to 1,000 centrifuges (10 percent) sometime between November 2009 and late January 2010. The authors conclude:
The attacks seem designed to force a change in the centrifuge’s rotor speed, first raising the speed and then lowering it, likely with the intention of inducing excessive vibrations or distortions that would destroy the centrifuge. If its goal was to quickly destroy all the centrifuges in the FEP [Fuel Enrichment Plant], Stuxnet failed. But if the goal was to destroy a more limited number of centrifuges and set back Iran’s progress in operating the FEP, while making detection difficult, it may have succeeded, at least temporarily.[105]
The Institute for Science and International Security (ISIS) report further notes that Iranian authorities have attempted to conceal the breakdown by installing new centrifuges on a large scale.[105][106]
The worm worked by first causing an infected Iranian IR-1 centrifuge to increase from its normal operating speed of 1,064 hertz to 1,410 hertz for 15 minutes before returning to its normal frequency. Twenty-seven days later, the worm went back into action, slowing the infected centrifuges down to a few hundred hertz for a full 50 minutes. The stresses from the excessive, then slower, speeds caused the aluminium centrifugal tubes to expand, often forcing parts of the centrifuges into sufficient contact with each other to destroy the machine.[107]
According to The Washington Post, International Atomic Energy Agency (IAEA) cameras installed in the Natanz facility recorded the sudden dismantling and removal of approximately 900–1,000 centrifuges during the time the Stuxnet worm was reportedly active at the plant. Iranian technicians, however, were able to quickly replace the centrifuges and the report concluded that uranium enrichment was likely only briefly disrupted.[108]
On 15 February 2011, the Institute for Science and International Security released a report concluding that:
Assuming Iran exercises caution, Stuxnet is unlikely to destroy more centrifuges at the Natanz plant. Iran likely cleaned the malware from its control systems. To prevent re-infection, Iran will have to exercise special caution since so many computers in Iran contain Stuxnet. Although Stuxnet appears to be designed to destroy centrifuges at the Natanz facility, destruction was by no means total. Moreover, Stuxnet did not lower the production of low enriched uranium (LEU) during 2010. LEU quantities could have certainly been greater, and Stuxnet could be an important part of the reason why they did not increase significantly. Nonetheless, there remain important questions about why Stuxnet destroyed only 1,000 centrifuges. One observation is that it may be harder to destroy centrifuges by use of cyber attacks than often believed.[109]
Iranian reaction
The Associated Press reported that the semi-official Iranian Students News Agency released a statement on 24 September 2010 stating that experts from the Atomic Energy Organization of Iran met in the previous week to discuss how Stuxnet could be removed from their systems.[19] According to analysts, such as David Albright, Western intelligence agencies had been attempting to sabotage the Iranian nuclear program for some time.[110][111]
The head of the Bushehr Nuclear Power Plant told Reuters that only the personal computers of staff at the plant had been infected by Stuxnet and the state-run newspaper Iran Daily quoted Reza Taghipour, Iran’s telecommunications minister, as saying that it had not caused “serious damage to government systems”.[90] The Director of Information Technology Council at the Iranian Ministry of Industries and Mines, Mahmud Liaii, has said that: “An electronic war has been launched against Iran… This computer worm is designed to transfer data about production lines from our industrial plants to locations outside Iran.”[112]
In response to the infection, Iran assembled a team to combat it. With more than 30,000 IP addresses affected in Iran, an official said that the infection was spreading fast and that the problem had been compounded by Stuxnet’s ability to mutate. Iran set up its own systems to clean up infections and advised against using the Siemens SCADA antivirus, since it was suspected that the antivirus contained embedded code that updated Stuxnet instead of removing it.[113][114][115][116]
According to Hamid Alipour, deputy head of Iran’s government Information Technology Company, “The attack is still ongoing and new versions of this virus are spreading.” He reported that his company had begun the cleanup process at Iran’s “sensitive centres and organizations.”[114] “We had anticipated that we could root out the virus within one to two months, but the virus is not stable, and since we started the cleanup process three new versions of it have been spreading”, he told the Islamic Republic News Agency on 27 September 2010.[116]
On 29 November 2010, Iranian president Mahmoud Ahmadinejad stated for the first time that a computer virus had caused problems with the controller handling the centrifuges at its Natanz facilities. According to Reuters, he told reporters at a news conference in Tehran, “They succeeded in creating problems for a limited number of our centrifuges with the software they had installed in electronic parts.”[117][118]
On the same day two Iranian nuclear scientists were targeted in separate, but nearly simultaneous car bomb attacks near Shahid Beheshti University in Tehran. Majid Shahriari, a quantum physicist, was killed. Fereydoon Abbasi, a high-ranking official at the Ministry of Defense was seriously wounded. Wired speculated that the assassinations could indicate that whoever was behind Stuxnet felt that it was not sufficient to stop the nuclear program.[119] That same Wired article suggested the Iranian government could have been behind the assassinations.[119] In January 2010, another Iranian nuclear scientist, a physics professor at Tehran University, was killed in a similar bomb explosion.[119] On 11 January 2012, a director of the Natanz nuclear enrichment facility, Mostafa Ahmadi Roshan, was killed in an attack quite similar to the one that killed Shahriari.[120]
An analysis by the Federation of American Scientists (FAS) demonstrates that Iran’s enrichment capacity grew during 2010. The study indicated that Iran’s centrifuges appeared to be performing 60% better than in the previous year, which would significantly reduce Tehran’s time to produce bomb-grade uranium. The FAS report was reviewed by an official with the IAEA, who affirmed the study.[121][122][123]
European and US officials, along with private experts, told Reuters that Iranian engineers were successful in neutralizing and purging Stuxnet from their country’s nuclear machinery.[124]
Given the growth in Iranian enrichment ability in 2010, the country may have intentionally put out misinformation to cause Stuxnet’s creators to believe that the worm was more successful in disabling the Iranian nuclear program than it actually was.[38]
Israel
Israel, through Unit 8200,[125][126] has been speculated to be the country behind Stuxnet in many media reports[89][102][127] and by experts such as Richard A. Falkenrath, former Senior Director for Policy and Plans within the US Office of Homeland Security.[128][90] Yossi Melman, who covers intelligence for the Israeli newspaper Haaretz and wrote a book about Israeli intelligence, also suspected that Israel was involved, noting that Meir Dagan, the former (until 2011) head of the national intelligence agency Mossad, had his term extended in 2009 because he was said to be involved in important projects. Additionally, in 2010 Israel grew to expect that Iran would have a nuclear weapon in 2014 or 2015 – at least three years later than earlier estimates – without the need for an Israeli military attack on Iranian nuclear facilities; “They seem to know something, that they have more time than originally thought”, he added.[27][61] Israel has not publicly commented on the Stuxnet attack but in 2010 confirmed that cyberwarfare was now among the pillars of its defense doctrine, with a military intelligence unit set up to pursue both defensive and offensive options.[129][130][131] When questioned in the fall of 2010 whether Israel was behind the virus, some Israeli officials broke into “wide smiles”, fueling speculation that the government of Israel was involved in its genesis.[132] American presidential advisor Gary Samore also smiled when Stuxnet was mentioned,[61] although American officials have suggested that the virus originated abroad.[132] According to The Telegraph, the Israeli newspaper Haaretz reported that a video celebrating the operational successes of Gabi Ashkenazi, the retiring Israel Defense Forces (IDF) Chief of Staff, was shown at his retirement party and included references to Stuxnet, thus strengthening claims that Israel’s security forces were responsible.[133]
In 2009, a year before Stuxnet was discovered, Scott Borg of the United States Cyber-Consequences Unit (US-CCU)[134] suggested that Israel may prefer to mount a cyberattack rather than a military strike on Iran’s nuclear facilities.[111] In late 2010 Borg stated, “Israel certainly has the ability to create Stuxnet and there is little downside to such an attack because it would be virtually impossible to prove who did it. So a tool like Stuxnet is Israel’s obvious weapon of choice.”[135] Iran uses P-1 centrifuges at Natanz, the design for which A. Q. Khan stole in 1976 and took to Pakistan. His black market nuclear-proliferation network sold P-1s to, among other customers, Iran. Experts believe that Israel also somehow acquired P-1s and tested Stuxnet on the centrifuges, installed at the Dimona facility that is part of its own nuclear program.[61] The equipment may be from the United States, which received P-1s from Libya’s former nuclear program.[136][61]
Some have also cited several clues in the code, such as a concealed reference to the word MYRTUS, believed to refer to the Latin name myrtus of the myrtle tree, which in Hebrew is called hadassah. Hadassah was the birth name of the former Jewish queen of Persia, Queen Esther.[137][138] However, the “MYRTUS” reference may simply be a misinterpreted reference to SCADA components known as RTUs (Remote Terminal Units), in which case it actually reads “My RTUs”, a management feature of SCADA.[139] Also, the number 19790509 appears once in the code and may refer to the date 9 May 1979, the day Habib Elghanian, a Persian Jew, was executed in Tehran.[67][140][141] Another date that appears in the code is “24 September 2007”, the day that Iran’s president Mahmoud Ahmadinejad spoke at Columbia University and made comments questioning the validity of the Holocaust.[38] Such data is not conclusive, since, as noted by Symantec, “…attackers would have the natural desire to implicate another party”.[67]
United States
There have also been reports of the involvement of the United States and of its collaboration with Israel,[142][143] with one report stating that “there is vanishingly little doubt that [it] played a role in creating the worm.”[38] It has been reported that the United States, under one of its most secret programs, initiated by the Bush administration and accelerated by the Obama administration,[144] has sought to destroy Iran’s nuclear program by novel methods such as undermining Iranian computer systems. A leaked diplomatic cable showed how the United States was advised to target Iran’s nuclear abilities through ‘covert sabotage’.[145] An article in The New York Times in January 2009 credited a then-unspecified program with preventing an Israeli military attack on Iran, where some of the efforts focused on ways to destabilize the centrifuges.[146] A Wired article claimed that Stuxnet “is believed to have been created by the United States”.[147] Dutch historian Peter Koop speculated that the NSA’s Tailored Access Operations unit could have developed Stuxnet, possibly in collaboration with Israel.[148]
Some credibility is lent to these claims by the fact that John Bumgarner, a former intelligence officer and member of the United States Cyber-Consequences Unit (US-CCU), published an article before Stuxnet was discovered or deciphered that outlined a strategic cyber strike on centrifuges[149] and argued that cyber attacks are permissible against nation states operating uranium enrichment programs that violate international treaties. Bumgarner pointed out that the centrifuges used to process fuel for nuclear weapons are a key target for cyber sabotage (“cybertage”) operations and that they can be made to destroy themselves by manipulating their rotational speeds.[150]
In a March 2012 interview with 60 Minutes, retired US Air Force General Michael Hayden – who served as director of both the Central Intelligence Agency and National Security Agency – while denying knowledge of who created Stuxnet said that he believed it had been “a good idea” but that it carried a downside in that it had legitimized the use of sophisticated cyber weapons designed to cause physical damage. Hayden said, “There are those out there who can take a look at this… and maybe even attempt to turn it to their own purposes”. In the same report, Sean McGurk, a former cybersecurity official at the Department of Homeland Security noted that the Stuxnet source code could now be downloaded online and modified to be directed at new target systems. Speaking of the Stuxnet creators, he said, “They opened the box. They demonstrated the capability… It’s not something that can be put back.”[151]
Joint effort and other states and targets
In April 2011, Iranian government official Gholam Reza Jalali stated that an investigation had concluded that the United States and Israel were behind the Stuxnet attack.[152] Frank Rieger stated that three European countries’ intelligence agencies agreed that Stuxnet was a joint United States-Israel effort. The code for the Windows injector and the PLC payload differ in style, likely implying collaboration. Other experts believe that a US-Israel cooperation is unlikely because “the level of trust between the two countries’ intelligence and military establishments is not high.”[38]
A Wired magazine article about US General Keith B. Alexander stated: “And he and his cyber warriors have already launched their first attack. The cyber weapon that came to be known as Stuxnet was created and built by the NSA in partnership with the CIA and Israeli intelligence in the mid-2000s.”[153]
China,[154] Jordan, and France are other possibilities, and Siemens may have also participated.[38][142] Langner speculated that the infection may have spread from USB drives belonging to Russian contractors since the Iranian targets were not accessible via the Internet.[21][155] In 2019, it was reported that an Iranian mole working for Dutch intelligence at the behest of Israel and the CIA inserted the Stuxnet virus with a USB flash drive or convinced another person working at the Natanz facility to do so.[156][157]
Sandro Gaycken from the Free University Berlin argued that the attack on Iran was a ruse to distract from Stuxnet’s real purpose. According to him, its broad dissemination in more than 100,000 industrial plants worldwide suggests a field test of a cyber weapon in different security cultures, testing their preparedness, resilience, and reactions, all highly valuable information for a cyberwar unit.[158]
The United Kingdom has denied involvement in the worm’s creation.[159]
In July 2013, Edward Snowden claimed that Stuxnet was cooperatively developed by the United States and Israel.[160]
Deployment in North Korea
According to a report by Reuters, the NSA also tried to sabotage North Korea’s nuclear program using a version of Stuxnet. The operation was reportedly launched in tandem with the attack that targeted Iranian centrifuges in 2009–10. The North Korean nuclear program shares many similarities with the Iranian one, both having been developed with technology transferred by Pakistani nuclear scientist A.Q. Khan. The effort failed, however, because North Korea’s extreme secrecy and isolation made it impossible to introduce Stuxnet into the nuclear facility.[161]
Stuxnet 2.0 cyberattack
In 2018, Gholamreza Jalali, Iran’s chief of the National Passive Defence Organisation (NPDO), claimed that his country fended off a Stuxnet-like attack targeting the country’s telecom infrastructure. Iran’s Telecommunications minister Mohammad-Javad Azari Jahromi has since accused Israel of orchestrating the attack. Iran plans to sue Israel through the International Court of Justice (ICJ) and is also willing to launch a retaliation attack if Israel does not desist.[162]
Related malware
“Stuxnet’s Secret Twin”
A November 2013 article[163] in Foreign Policy magazine claims the existence of an earlier, much more sophisticated attack on the centrifuge complex at Natanz, focused on increasing the centrifuge failure rate over a long period by stealthily inducing uranium hexafluoride gas overpressure incidents. This malware could spread only by being physically installed, probably via previously contaminated field equipment used by contractors working on Siemens control systems within the complex. It is not clear whether this attack attempt was successful, but the fact that it was followed by a different, simpler and more conventional attack is suggestive.
Duqu
On 1 September 2011, a new worm was found, thought to be related to Stuxnet. The Laboratory of Cryptography and System Security (CrySyS) of the Budapest University of Technology and Economics analyzed the malware, naming the threat Duqu.[164][165] Symantec, based on this report, continued the analysis of the threat, calling it “nearly identical to Stuxnet, but with a completely different purpose”, and published a detailed technical paper.[166] The main component used in Duqu is designed to capture information[62] such as keystrokes and system information. The exfiltrated data may be used to enable a future Stuxnet-like attack. On 28 December 2011, Kaspersky Lab’s director of global research and analysis told Reuters that recent research showed that the platform on which both Stuxnet and Duqu were built originated in 2007; it is referred to as Tilded because of the ~d at the beginning of the file names. The same research also uncovered the possibility of three more variants based on the Tilded platform.[167]
Flame
In May 2012, the new malware “Flame” was found, thought to be related to Stuxnet.[168] Researchers named the program “Flame” after the name of one of its modules.[168] After analysing the code of Flame, Kaspersky Lab said that there is a strong relationship between Flame and Stuxnet. An early version of Stuxnet contained code to propagate infections via USB drives that is nearly identical to a Flame module that exploits the same vulnerability.[169]
Media coverage
Since 2010, there has been extensive international media coverage on Stuxnet and its aftermath. In early commentary, The Economist pointed out that Stuxnet was “a new kind of cyber-attack.”[170] On 8 July 2011, Wired then published an article detailing how network security experts were able to decipher the origins of Stuxnet. In that piece, Kim Zetter claimed that Stuxnet’s “cost–benefit ratio is still in question.”[171] Later commentators tended to focus on the strategic significance of Stuxnet as a cyber weapon. Following the Wired piece, Holger Stark called Stuxnet the “first digital weapon of geopolitical importance, it could change the way wars are fought.”[172] Meanwhile, Eddie Walsh referred to Stuxnet as “the world’s newest high-end asymmetric threat.”[173] Ultimately, some claim that the “extensive media coverage afforded to Stuxnet has only served as an advertisement for the vulnerabilities used by various cybercriminal groups.”[174] While that may be the case, the media coverage has also increased awareness of cyber security threats.
Alex Gibney’s 2016 documentary Zero Days covers the phenomenon around Stuxnet.[175] A zero-day (also known as 0-day) vulnerability is a software vulnerability that is unknown to, or unaddressed by, those who should be interested in mitigating it (including the vendor of the target software). Until the vulnerability is mitigated, attackers can exploit it to adversely affect computer programs, data, additional computers or a network.
In 2016, it was revealed that General James Cartwright, the former head of the U.S. Strategic Command, had leaked information related to Stuxnet. He later pleaded guilty for lying to FBI agents pursuing an investigation into the leak.[176][177] On 17 January 2017, he was granted a full pardon in this case by President Obama, thus expunging his conviction.
In popular culture
Besides the aforementioned Alex Gibney documentary Zero Days (2016), which looks into the malware and the cyberwarfare surrounding it, other works which reference Stuxnet include:
- In Castle, season 8, episode 18 “Backstabber” Stuxnet is revealed to have been (fictionally) created by MI6, and a version of it is used to take down the London power grid.
- Trojan Horse is a novel written by Windows utility writer and novelist Mark Russinovich. It features the usage of the Stuxnet virus as a main plot line for the story, and the attempt of Iran to bypass it.
- In Ghost in the Shell: Arise, Stuxnet is the named type of computer virus which infected Kusanagi and Manamura allowing false memories to be implanted.
- In July 2017, MRSA (Mat Zo) released a track named “Stuxnet” through Hospital Records.
- In Ubisoft’s 2013 video game Tom Clancy’s Splinter Cell: Blacklist, the protagonist, Sam Fisher, makes use of a mobile, airborne headquarters (“Paladin”) which is said at one point within the game’s story mode to have been targeted by a Stuxnet-style virus, causing its systems to fail and the plane to careen towards the ocean, and would have crashed without Fisher’s intervening.[178]
- In Michael Mann’s 2015 movie Blackhat, the code shown as belonging to a virus used by a hacker to cause the coolant pumps explosion in a nuclear plant in Chai Wan, Hong Kong, is actual Stuxnet decompiled code.
- In the third episode of Star Trek: Discovery, “Context Is for Kings”, characters identify a segment of code as being part of an experimental transportation system. The code shown is decompiled Stuxnet code.[179] Much of the same code is shown in the eighth episode of The Expanse, “Pyre”, this time as a visual representation of a “diagnostic exploit” breaking into the control software for nuclear missiles.
See also
- Advanced persistent threat
- DigiNotar
- Killer poke
- List of security hacking incidents
- Mahdi (malware)
- Natanz
- Nitro Zeus
- Operation High Roller
- Operation Merlin
- Pin control attack
- Programmable logic controller
- Regin (malware)
- Stars virus
- Tailored Access Operations
- Vulnerability of nuclear plants to attack
- Zero Days
References
- ^ “W32.Stuxnet Dossier” (PDF). Symantec. November 2010. Archived from the original (PDF) on 4 November 2019.
- ^ Jump up to:a b Kushner, David (26 February 2013). “The Real Story of Stuxnet”. IEEE Spectrum. 50 (3): 48–53. doi:10.1109/MSPEC.2013.6471059. S2CID 29782870. Archived from the original on 7 February 2022. Retrieved 13 November 2021.
- ^ “Confirmed: US and Israel created Stuxnet, lost control of it”. Ars Technica. June 2012. Archived from the original on 6 May 2019. Retrieved 15 June 2017.
- ^ Ellen Nakashima (2 June 2012). “Stuxnet was work of U.S. and Israeli experts, officials say”. The Washington Post. Archived from the original on 4 May 2019. Retrieved 8 September 2015.
- ^ Bergman, Ronen; Mazzetti, Mark (4 September 2019). “The Secret History of the Push to Strike Iran”. The New York Times. ProQuest 2283858753. Archived from the original on 15 March 2023. Retrieved 23 March 2023.
- ^ Sanger, David E. (1 June 2012). “Obama Order Sped Up Wave of Cyberattacks Against Iran”. The New York Times. ISSN 0362-4331. Archived from the original on 1 June 2012. Retrieved 3 October 2022.
- ^ Naraine, Ryan (14 September 2010). “Stuxnet attackers used 4 Windows zero-day exploits”. ZDNet. Archived from the original on 25 November 2014. Retrieved 12 April 2014.
- ^ Karnouskos, Stamatis (November 2011). “Stuxnet worm impact on industrial cyber-physical system security” (PDF). IECON 2011 – 37th Annual Conference of the IEEE Industrial Electronics Society. pp. 4490–4494. doi:10.1109/IECON.2011.6120048. ISBN 978-1-61284-972-0. S2CID 1980890. Retrieved 23 March 2023.
- ^ Kelley, Michael (20 November 2013). “The Stuxnet Attack on Iran’s Nuclear Plant Was ‘Far More Dangerous’ Than Previously Thought”. Business Insider. Archived from the original on 9 May 2014. Retrieved 8 February 2014.
- ^ “Sheep dip your removable storage devices to reduce the threat of cyber attacks”. www.mac-solutions.net. Archived from the original on 4 September 2017. Retrieved 26 July 2017.
- ^ “STUXNET Malware Targets SCADA Systems”. Trend Micro. January 2012. Archived from the original on 13 April 2014. Retrieved 12 April 2014.
- ^ Gross, Michael Joseph (April 2011). “A Declaration of Cyber-War”. Vanity Fair. Archived from the original on 31 August 2021. Retrieved 31 December 2015.
- ^ “Exploring Stuxnet’s PLC Infection Process”. Symantec. 23 January 2014. Archived from the original on 21 June 2021. Retrieved 22 September 2010.
- ^ “Building a Cyber Secure Plant”. Siemens. 30 September 2010. Archived from the original on 21 April 2021. Retrieved 5 December 2010.
- ^ Jump up to:a b c d e McMillan, Robert (16 September 2010). “Siemens: Stuxnet worm hit industrial systems”. Computerworld. Archived from the original on 20 February 2019. Retrieved 16 September 2010.
{{cite magazine}}
: Unknown parameter|agency=
ignored (help) - ^ “Last-minute paper: An indepth look into Stuxnet”. Virus Bulletin. Archived from the original on 9 December 2021.
- ^ “Stuxnet worm hits Iran nuclear plant staff computers”. BBC News. 26 September 2010. Archived from the original on 16 July 2017.
- ^ Nicolas Falliere (6 August 2010). “Stuxnet Introduces the First Known Rootkit for Industrial Control Systems”. Symantec. Archived from the original on 11 September 2012. Retrieved 9 February 2011.
- ^ Jump up to:a b “Iran’s Nuclear Agency Trying to Stop Computer Worm”. Tehran. Associated Press. 25 September 2010. Archived from the original on 25 September 2010. Retrieved 25 September 2010.
- ^ Jump up to:a b c d e Keizer, Gregg (16 September 2010). “Is Stuxnet the ‘best’ malware ever?”. InfoWorld. Archived from the original on 5 May 2021. Retrieved 16 September 2010.
- ^ Jump up to:a b c d e Cherry, Steven; Langner, Ralph (13 October 2010). “How Stuxnet Is Rewriting the Cyberterrorism Playbook”. IEEE Spectrum. Archived from the original on 14 April 2021. Retrieved 2 February 2020.
- ^ “Stuxnet Virus Targets and Spread Revealed”. BBC News. 15 February 2011. Archived from the original on 25 November 2021. Retrieved 17 February 2011.
- ^ Jump up to:a b c d Fildes, Jonathan (23 September 2010). “Stuxnet worm ‘targeted high-value Iranian assets'”. BBC News. Archived from the original on 24 September 2010. Retrieved 23 September 2010.
- ^ Beaumont, Claudine (23 September 2010). “Stuxnet virus: worm ‘could be aimed at high-profile Iranian targets'”. The Daily Telegraph. London. Archived from the original on 12 January 2022. Retrieved 28 September 2010.
- ^ MacLean, William (24 September 2010). “Update 2-Cyber attack appears to target Iran-tech firms”. Reuters. Archived from the original on 14 November 2021. Retrieved 2 July 2017.
- ^ “Iran Confirms Stuxnet Worm Halted Centrifuges”. CBS News. 29 November 2010. Archived from the original on 12 May 2022. Retrieved 12 May 2022.
- ^ Jump up to:a b Bronner, Ethan; Broad, William J. (29 September 2010). “In a Computer Worm, a Possible Biblical Clue”. The New York Times. Archived from the original on 25 September 2022. Retrieved 2 October 2010.
- ^ “Software smart bomb fired at Iranian nuclear plant: Experts”. Economictimes.indiatimes.com. 24 September 2010. Archived from the original on 14 November 2021. Retrieved 28 September 2010.
- ^ “Kaspersky Lab provides its insights on Stuxnet worm”. Kaspersky. Russia. 24 September 2010. Archived from the original on 16 November 2021. Retrieved 7 November 2011.
- ^ “Stuxnet Questions and Answers – F-Secure Weblog”. F-Secure. Finland. 1 October 2010. Archived from the original on 5 May 2021.
- ^ Gary Samore Archived 27 April 2018 at the Wayback Machine speaking at the 10 December 2010 Washington Forum of the Foundation for Defense of Democracies in Washington DC, reported by C-Span and contained in the PBS program Need to Know (“Cracking the code: Defending against the superweapons of the 21st century cyberwar”, 4 minutes into piece)
- ^ Williams, Christopher (15 February 2011). “Israel video shows Stuxnet as one of its successes”. London: Telegraph.co.uk. Archived from the original on 12 January 2022. Retrieved 14 February 2012.
- ^ Jump up to:a b Sanger, David E. (1 June 2012). “Obama Order Sped Up Wave of Cyberattacks Against Iran”. The New York Times. Archived from the original on 25 February 2017. Retrieved 1 June 2012.
- ^ Matyszczyk, Chris (24 July 2012). “Thunderstruck! A tale of malware, AC/DC, and Iran’s nukes”. CNET. Archived from the original on 17 February 2022. Retrieved 8 July 2013.
- ^ “Iran ‘fends off new Stuxnet cyber attack'”. BBC News. 25 December 2012. Archived from the original on 7 August 2016. Retrieved 28 May 2015.
- ^ Shamah, David (11 November 2013). “Stuxnet, gone rogue, hit Russian nuke plant, space station”. The Times of Israel. Archived from the original on 20 September 2017. Retrieved 12 November 2013.
- ^ Krebs, Brian (17 July 2010). “Experts Warn of New Windows Shortcut Flaw”. Krebs on Security. Archived from the original on 2 September 2022. Retrieved 3 March 2011.
- ^ Jump up to:a b c d e f g h i j k l m n o p Gross, Michael Joseph (April 2011). “A Declaration of Cyber-War”. Vanity Fair. Condé Nast. Archived from the original on 31 August 2021. Retrieved 31 December 2015.
- ^ “Rootkit.TmpHider”. wilderssecurity.com. Wilders Security Forums. Archived from the original on 15 December 2013. Retrieved 25 March 2014.
- ^ Shearer, Jarrad (13 July 2010). “W32.Stuxnet”. Symantec. Symantec. Archived from the original on 4 January 2012. Retrieved 25 March 2014.
- ^ Zetter, Kim (11 July 2011). “How digital detectives deciphered Stuxnet, the most menacing malware in history”. arstechnica.com. Archived from the original on 14 May 2022. Retrieved 25 March 2014.
- ^ Karl (26 October 2011). “Stuxnet opens cracks in Iran nuclear program”. abc.net.au. ABC. Archived from the original on 24 February 2021. Retrieved 25 March 2014.
- ^ Gostev, Alexander (26 September 2010). “Myrtus and Guava: the epidemic, the trends, the numbers”. Archived from the original on 1 January 2011. Retrieved 22 January 2011.
- ^ Finkle, Jim (26 February 2013). “Researchers say Stuxnet was deployed against Iran in 2007”. Reuters. Archived from the original on 15 August 2021. Retrieved 6 July 2021.
- ^ Jump up to:a b c d Aleksandr Matrosov; Eugene Rodionov; David Harley & Juraj Malcho. “Stuxnet Under the Microscope, Revision 1.31” (PDF). Archived from the original (PDF) on 22 January 2022. Retrieved 6 September 2019.
- ^ Kiley, Sam (25 November 2010). “Super Virus A Target For Cyber Terrorists”. Archived from the original on 28 November 2010. Retrieved 25 November 2010.
- ^ “A Fanny Equation: “I am your father, Stuxnet””. Kaspersky Lab. 17 February 2015. Archived from the original on 15 April 2016. Retrieved 24 November 2015.
- ^ “fanny.bmp code – at GitHub”. GitHub. 23 October 2021. Archived from the original on 3 February 2021. Retrieved 15 February 2021.
- ^ “Equation Group Questions and Answers” (PDF). securelist.com. Archived from the original (PDF) on 17 February 2015.
- ^ Seals, Tara (9 April 2019). “SAS 2019: Stuxnet-Related APTs Form Gossip Girl, an ‘Apex Threat Actor'”. threatpost.com. Archived from the original on 28 July 2020. Retrieved 6 August 2020.
- ^ Chronicle (12 April 2019). “Who is GOSSIPGIRL?”. Medium. Archived from the original on 22 July 2020. Retrieved 15 July 2020.
- ^ “CSEC SIGINT Cyber Discovery: Summary of the current effort” (PDF). Electrospaces. November 2010. Archived from the original (PDF) on 23 March 2015.
- ^ Bencsáth, Boldizsár. “Territorial Dispute – NSA’s perspective on APT landscape” (PDF). Archived from the original (PDF) on 10 January 2022.
- ^ Marschalek, Marion; Guarnieri, Claudio. “Big Game Hunting: The Peculiarities of Nation-State Malware Research”. YouTube. Archived from the original on 21 December 2021.
- ^ Barth, Bradley (10 April 2019). “GOSSIPGIRL – Stuxnet group had ‘4th man;’ unknown version of Flame & Duqu found”. Archived from the original on 6 August 2020.
- ^ BetaFred. “Microsoft Security Bulletin MS10-061 – Critical”. docs.microsoft.com. Archived from the original on 6 October 2020. Retrieved 29 September 2020.
- ^ BetaFred. “Microsoft Security Bulletin MS08-067 – Critical”. docs.microsoft.com. Archived from the original on 6 December 2020. Retrieved 29 September 2020.
- ^ fmm (28 September 2020). “The Emerald Connection: EquationGroup collaboration with Stuxnet”. Facundo Muñoz Research. Archived from the original on 30 September 2020. Retrieved 29 September 2020.
- ^ “W32.Stuxnet”. Symantec. 17 September 2010. Archived from the original on 4 January 2012. Retrieved 2 March 2011.
- ^ “Iran denies hacking into American banks Archived 24 September 2015 at the Wayback Machine” Reuters, 23 September 2012
- ^ Jump up to:a b c d e f g Broad, William J.; Markoff, John; Sanger, David E. (15 January 2011). “Israel Tests on Worm Called Crucial in Iran Nuclear Delay”. New York Times. Archived from the original on 20 September 2011. Retrieved 16 January 2011.
- ^ Jump up to:a b c Steven Cherry; with Larry Constantine (14 December 2011). “Sons of Stuxnet”. IEEE Spectrum. Archived from the original on 14 April 2021. Retrieved 2 February 2020.
- ^ “Conficker Worm: Help Protect Windows from Conficker”. Microsoft. 10 April 2009. Archived from the original on 18 May 2018. Retrieved 6 December 2010.
- ^ Buda, Alex (4 December 2016). “Creating Malware using the Stuxnet LNK Exploit”. Ruby Devices. Archived from the original on 18 March 2017. Retrieved 18 March 2017.
- ^ Jump up to:a b c d e f Kim Zetter (23 September 2010). “Blockbuster Worm Aimed for Infrastructure, But No Proof Iran Nukes Were Target”. Wired. Archived from the original on 5 November 2016. Retrieved 4 November 2016.
- ^ Liam O Murchu (17 September 2010). “Stuxnet P2P component”. Symantec. Archived from the original on 17 January 2019. Retrieved 24 September 2010.
- ^ “W32.Stuxnet Dossier” (PDF). Symantec Corporation. Archived from the original (PDF) on 7 July 2012. Retrieved 1 October 2010.
- ^ Microsoft (14 September 2010). “Microsoft Security Bulletin MS10-061 – Critical”. Microsoft. Archived from the original on 20 March 2015. Retrieved 20 August 2015.
- ^ Microsoft (2 August 2010). “Microsoft Security Bulletin MS10-046 – Critical”. Microsoft. Archived from the original on 12 August 2015. Retrieved 20 August 2015.
- ^ Gostev, Alexander (14 September 2010). “Myrtus and Guava, Episode MS10-061”. Kaspersky Lab. Archived from the original on 23 August 2015. Retrieved 20 August 2015.
- ^ “Kaspersky Lab provides its insights on Stuxnet worm”. Kaspersky Lab. 24 September 2010. Archived from the original on 16 November 2021. Retrieved 27 September 2010.
- ^ Gross, Michael Joseph (April 2011). “A Declaration of Cyber-War”. Vanity Fair. Archived from the original on 31 August 2021. Retrieved 4 March 2011.
- ^ Langner, Ralph (14 September 2010). “Ralph’s Step-By-Step Guide to Get a Crack at Stuxnet Traffic and Behaviour”. Ot-Base by Langner. Archived from the original on 25 June 2016. Retrieved 4 March 2011.
- ^ Falliere, Nicolas (26 September 2010). “Stuxnet Infection of Step 7 Projects”. Symantec. Archived from the original on 3 January 2015. Retrieved 9 February 2011.
- ^ “Vulnerability Summary for CVE-2010-2772”. National Vulnerability Database. 22 July 2010. Archived from the original on 11 August 2010. Retrieved 7 December 2010.
- ^ Chien, Eric (12 November 2010). “Stuxnet: A Breakthrough”. Symantec. Archived from the original on 18 January 2018. Retrieved 14 November 2010.
- ^ “SIMATIC WinCC / SIMATIC PCS 7: Information concerning Malware / Virus / Trojan”. Siemens. Archived from the original on 23 September 2019. Retrieved 24 September 2010.
- ^ Espiner, Tom (20 July 2010). “Siemens warns Stuxnet targets of password risk”. CNET. Archived from the original on 9 January 2011. Retrieved 23 March 2023.
- ^ crve (17 September 2010). “Stuxnet also found at industrial plants in Germany”. The H. Archived from the original on 21 September 2010. Retrieved 18 September 2010.
- ^ “Repository of Industrial Security Incidents”. Security Incidents Organization. Archived from the original on 26 April 2011. Retrieved 14 October 2010.
- ^ “DHS National Cyber Security Division’s CSSP”. DHS. Archived from the original on 8 October 2010. Retrieved 14 October 2010.
- ^ “ISA99, Industrial Automation and Control System Security”. International Society of Automation. Archived from the original on 10 January 2011. Retrieved 14 October 2010.
- ^ “Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program”. International Electrotechnical Commission. Retrieved 14 October 2010.
- ^ “Chemical Sector Cyber Security Program”. ACC ChemITC. Archived from the original on 19 October 2010. Retrieved 14 October 2010.
- ^ “Pipeline SCADA Security Standard” (PDF). API. Archived (PDF) from the original on 19 November 2010. Retrieved 19 November 2010.
- ^ Marty Edwards (Idaho National Laboratory) & Todd Stauffer (Siemens). 2008 Automation Summit: A User’s Conference (PDF). United States Department of Homeland Security. p. 35. Archived (PDF) from the original on 20 January 2011. Retrieved 18 January 2011.
- ^ “The Can of Worms Is Open-Now What?”. controlglobal.com. Archived from the original on 1 October 2010. Retrieved 14 October 2010.
- ^ Byres, Eric; Cusimano, John (16 February 2012). “The 7 Steps to ICS Security”. Tofino Security and exida Consulting LLC. Archived from the original on 23 January 2013. Retrieved 3 March 2011.
- ^ Halliday, Josh (24 September 2010). “Stuxnet worm is the ‘work of a national government agency’”. The Guardian. London. Archived from the original on 22 August 2022. Retrieved 27 September 2010.
- ^ Markoff, John (26 September 2010). “A Silent Attack, but Not a Subtle One”. The New York Times. Archived from the original on 6 February 2021. Retrieved 27 September 2010.
- ^ Schneier, Bruce (6 October 2010). “The Story Behind The Stuxnet Virus”. Forbes. Archived from the original on 30 August 2017. Retrieved 22 August 2017.
- ^ Schneier, Bruce (23 February 2012). “Another Piece of the Stuxnet Puzzle”. Schneier on Security. Archived from the original on 26 February 2012. Retrieved 4 March 2012.
- ^ Modderkolk, Huib (8 January 2024). “Sabotage in Iran: A Mission in Darkness”. De Volksrant.
- ^ Bright, Arthur (1 October 2010). “Clues Emerge About Genesis of Stuxnet Worm”. Christian Science Monitor. Archived from the original on 6 March 2011. Retrieved 4 March 2011.
- ^ Langner, Ralph (February 2011). Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon (video). TED. Archived from the original on 1 February 2014. Retrieved 4 January 2023.
- ^ McMillan, Robert (23 July 2010). “Iran was prime target of SCADA worm”. Computerworld. Archived from the original on 5 September 2014. Retrieved 17 September 2010.
- ^ Woodward, Paul (22 September 2010). “Iran confirms Stuxnet found at Bushehr nuclear power plant”. Warincontext.org. Archived from the original on 20 March 2019. Retrieved 28 September 2010.
- ^ “6 mysteries about Stuxnet”. Blog.foreignpolicy.com. Archived from the original on 9 February 2014. Retrieved 28 September 2010.
- ^ Clayton, Mark (21 September 2010). “Stuxnet malware is ‘weapon’ out to destroy … Iran’s Bushehr nuclear plant?”. Christian Science Monitor. Archived from the original on 24 September 2010. Retrieved 23 September 2010.
- ^ Melman, Yossi (28 September 2010). “Computer virus in Iran actually targeted larger nuclear facility”. Haaretz. Archived from the original on 22 January 2011. Retrieved 1 January 2011.
- ^ Melman, Yossi (24 November 2010). “Iran pauses uranium enrichment at Natanz nuclear plant”. Haaretz. Archived from the original on 24 November 2010. Retrieved 24 November 2010.
- ^ “The Stuxnet worm: A cyber-missile aimed at Iran?”. The Economist. 24 September 2010. Archived from the original on 27 September 2010. Retrieved 28 September 2010.
- ^ “Serious nuclear accident may lay behind Iranian nuke chief’s mystery resignation”. WikiLeaks. 16 July 2009. Archived from the original on 30 December 2010. Retrieved 1 January 2011.
- ^ IAEA Report on Iran (PDF) (Report). Institute for Science and International Security. 16 November 2010. Archived (PDF) from the original on 11 March 2011. Retrieved 1 January 2011.
- ^ “Did Stuxnet Take Out 1,000 Centrifuges at the Natanz Enrichment Plant?” (PDF). Institute for Science and International Security. 22 December 2010. Archived (PDF) from the original on 10 September 2012. Retrieved 27 December 2010.
- ^ Stöcker, Christian (26 December 2010). “Stuxnet-Virus könnte tausend Uran-Zentrifugen zerstört haben”. Der Spiegel (in German). Archived from the original on 27 December 2010. Retrieved 27 December 2010.
- ^ Stark, Holger (8 August 2011). “Mossad’s Miracle Weapon: Stuxnet Virus Opens New Era of Cyber War”. Der Spiegel. Archived from the original on 15 August 2011. Retrieved 15 August 2011.
- ^ Warrick, Joby (15 February 2011). “Iran’s Natanz nuclear facility recovered quickly from Stuxnet cyberattack”. The Washington Post. Archived from the original on 24 January 2022. Retrieved 23 March 2023.
- ^ “Stuxnet Malware and Natanz: Update of ISIS December 22, 2010 Report”. Institute for Science and International Security. 15 February 2011. Archived from the original on 7 August 2011. Retrieved 10 July 2011.
- ^ “Signs of sabotage in Tehran’s nuclear programme”. Gulf News. 14 July 2010. Archived from the original on 20 November 2010.
- ^ Williams, Dan (7 July 2009). “Wary of naked force, Israel eyes cyberwar on Iran”. Reuters. Archived from the original on 19 May 2018. Retrieved 2 July 2017.
- ^ Aneja, Atul (26 September 2010). “Under cyber-attack, says Iran”. The Hindu. Chennai, India. Archived from the original on 29 September 2010. Retrieved 27 September 2010.
- ^ شبکه خبر :: راه های مقابله با ویروس”استاکس نت” (in Persian). Irinn.ir. Archived from the original on 21 June 2013. Retrieved 28 September 2010.
- ^ “Stuxnet worm rampaging through Iran: IT official”. AFP. Archived from the original on 30 September 2010.
- ^ “IRAN: Speculation on Israeli involvement in malware computer attack”. Los Angeles Times. 27 September 2010. Archived from the original on 28 September 2010. Retrieved 28 September 2010.
- ^ Erdbrink, Thomas; Nakashima, Ellen (27 September 2010). “Iran struggling to contain ‘foreign-made’ ‘Stuxnet’ computer virus”. The Washington Post. Archived from the original on 2 October 2010. Retrieved 28 September 2010.
- ^ “Ahmadinedschad räumt Virus-Attack ein”. Der Spiegel. 29 November 2010. Archived from the original on 20 December 2010. Retrieved 29 December 2010.
- ^ “Stuxnet: Ahmadinejad admits cyberweapon hit Iran nuclear program”. The Christian Science Monitor. 30 November 2010. Archived from the original on 5 December 2010. Retrieved 29 December 2010.
- ^ Zetter, Kim (29 November 2010). “Iran: Computer Malware Sabotaged Uranium Centrifuges | Threat Level”. Wired. Archived from the original on 11 March 2012. Retrieved 14 February 2012.
- ^ “US Denies Role in Iranian Scientist’s Death”. Fox News. 7 April 2010. Archived from the original on 13 February 2012. Retrieved 14 February 2012.
- ^ Monica Amarelo (21 January 2011). “New FAS Report Demonstrates Iran Improved Enrichment in 2010”. Federation of American Scientists. Archived from the original on 15 December 2013. Retrieved 1 January 2016.
- ^ “Report: Iran’s nuclear capacity unharmed, contrary to U.S. assessment”. Haaretz. 22 January 2011. Archived from the original on 25 January 2011. Retrieved 27 January 2011.
- ^ Jeffrey Goldberg (22 January 2011). “Report: Report: Iran’s Nuclear Program Going Full Speed Ahead”. The Atlantic. Archived from the original on 12 November 2016. Retrieved 11 March 2017.
- ^ “Experts say Iran has “neutralized” Stuxnet virus”. Reuters. 14 February 2012. Archived from the original on 17 August 2021. Retrieved 6 July 2021.
- ^ Beaumont, Peter (30 September 2010). “Stuxnet worm heralds new era of global cyberwar”. Guardian.co.uk. London. Archived from the original on 30 December 2016. Retrieved 17 December 2016.
- ^ Sanger, David E. (1 June 2012). “Obama Order Sped Up Wave of Cyberattacks Against Iran”. The New York Times. Archived from the original on 17 September 2022. Retrieved 1 June 2012.
- ^ Hounshell, Blake (27 September 2010). “6 mysteries about Stuxnet”. Foreign Policy. Archived from the original on 9 February 2014. Retrieved 28 September 2010.
- ^ “Falkenrath Says Stuxnet Virus May Have Origin in Israel: Video. Bloomberg Television”. 24 September 2010. Archived from the original on 4 December 2012.
- ^ Williams, Dan (15 December 2009). “Spymaster sees Israel as world cyberwar leader”. Reuters. Archived from the original on 28 December 2010. Retrieved 29 May 2012.
- ^ Dan Williams. “Cyber takes centre stage in Israel’s war strategy”. Reuters, 28 September 2010. Archived from the original on 1 October 2010. Retrieved 17 October 2010.
- ^ Antonin Gregoire. “Stuxnet, the real face of cyber warfare”. Iloubnan.info, 25 November 2010. Archived from the original on 26 November 2010. Retrieved 25 November 2010.
- ^ Broad, William J.; Sanger, David E. (18 November 2010). “Worm in Iran Can Wreck Nuclear Centrifuges”. The New York Times. Archived from the original on 19 February 2017. Retrieved 25 February 2017.
- ^ Williams, Christoper (16 February 2011). “Israeli security chief celebrates Stuxnet cyber attack”. The Telegraph. London. Archived from the original on 19 February 2011. Retrieved 23 February 2011.
- ^ “The U.S. Cyber Consequences Unit”. The U.S. Cyber Consequences Unit. Archived from the original on 23 March 2023. Retrieved 1 December 2010.
- ^ “A worm in the centrifuge: An unusually sophisticated cyber-weapon is mysterious but important”. The Economist. 30 September 2010. Archived from the original on 10 October 2010. Retrieved 12 October 2010.
- ^ Sanger, David E. (25 September 2010). “Iran Fights Malware Attacking Computers”. The New York Times. Archived from the original on 26 May 2011. Retrieved 28 September 2010.
- ^ “Iran/Critical National Infrastructure: Cyber Security Experts See The Hand of Israel’s Signals Intelligence Service in The “Stuxnet” Virus Which Has Infected Iranian Nuclear Facilities”. Mideastsecurity.co.uk. 1 September 2010. Archived from the original on 8 December 2010. Retrieved 6 October 2010.
- ^ Riddle, Warren (1 October 2010). “Mysterious ‘Myrtus’ Biblical Reference Spotted in Stuxnet Code”. SWITCHED. Archived from the original on 1 October 2011. Retrieved 6 October 2010.
- ^ “SCADA Systems Whitepaper” (PDF). Motorola. Archived (PDF) from the original on 1 October 2012. Retrieved 1 January 2016.
- ^ “Symantec Puts ‘Stuxnet’ Malware Under the Knife”. PC Magazine. Archived from the original on 14 August 2017. Retrieved 15 September 2017.
- ^ Zetter, Kim (1 October 2010). “New Clues Point to Israel as Author of Blockbuster Worm, Or Not”. Wired. Archived from the original on 15 December 2013. Retrieved 11 March 2017.
- ^ Reals, Tucker (24 September 2010). “Stuxnet Worm a U.S. Cyber-Attack on Iran Nukes?”. CBS News. Archived from the original on 16 October 2013. Retrieved 27 September 2010.
- ^ “Snowden Der Spiegel Interview”. Der Spiegel (in English and German). Archived from the original on 6 July 2014. Retrieved 3 October 2015.
- ^ Kelley, Michael B. (1 June 2012). “Obama Administration Admits Cyberattacks Against Iran Are Part of Joint US-Israeli Offensive”. Business Insider. Archived from the original on 3 December 2017. Retrieved 23 January 2018.
- ^ Halliday, Josh (18 January 2011). “WikiLeaks: the US advised to sabotage Iran nuclear sites by German thinktank”. The Guardian. London. Archived from the original on 8 September 2013. Retrieved 19 January 2011.
- ^ Sanger, David E. (10 January 2009). “U.S. Rejected Aid for Israeli Raid on Iranian Nuclear Site”. The New York Times. Archived from the original on 16 October 2013. Retrieved 12 October 2013.
- ^ Kim Zetter (17 February 2011). “Cyberwar Issues Likely to Be Addressed Only After a Catastrophe”. Wired. Archived from the original on 18 February 2011. Retrieved 18 February 2011.
- ^ Koop, Peter (12 December 2013). “Hoe onderschept de NSA ons dataverkeer?”. De Correspondent (in Dutch). Archived from the original on 22 February 2022. Retrieved 22 February 2022.
- ^ Chris Carroll (18 October 2011). “Cone of silence surrounds U.S. cyberwarfare”. Stars and Stripes. Archived from the original on 7 March 2012. Retrieved 30 October 2011.
- ^ John Bumgarner (27 April 2010). “Computers as Weapons of War” (PDF). IO Journal. Archived from the original (PDF) on 19 December 2011. Retrieved 30 October 2011.
- ^ Kroft, Steve (4 March 2012). “Stuxnet: Computer worm opens new era of warfare”. 60 Minutes (CBS News). Archived from the original on 15 October 2013. Retrieved 9 March 2012.
- ^ CBS News staff (16 April 2011). “Iran blames U.S., Israel for Stuxnet malware” (SHTML). CBS News. Archived from the original on 24 April 2012. Retrieved 15 January 2012.
- ^ James Balford (12 June 2013). “The secret war”. Wired. Archived from the original on 24 June 2018. Retrieved 2 June 2014.
- ^ Carr, Jeffrey (14 December 2010). “Stuxnet’s Finnish-Chinese Connection”. Forbes. Archived from the original on 18 April 2011. Retrieved 19 April 2011.
- ^ Clayton, Mark (24 September 2010). “Stuxnet worm mystery: What’s the cyber weapon after?”. Christian Science Monitor. Archived from the original on 27 September 2010. Retrieved 21 January 2011.
- ^ “Revealed: How a secret Dutch mole aided the U.S.-Israeli Stuxnet cyberattack on Iran”. news.yahoo.com. 2 September 2019. Archived from the original on 3 September 2019. Retrieved 3 September 2019.
- ^ Bob, Yonah Jeremy (2 September 2019). “Secret Dutch mole aided Stuxnet attack on Iran’s nuke program – Report”. Jerusalem Post. Archived from the original on 5 September 2019. Retrieved 4 September 2019.
- ^ Gaycken, Sandro (26 November 2010). “Stuxnet: Wer war’s? Und wozu?”. Die ZEIT. Archived from the original on 20 April 2011. Retrieved 19 April 2011.
- ^ Hopkins, Nick (31 May 2011). “UK developing cyber-weapons programme to counter cyber war threat”. The Guardian. United Kingdom. Archived from the original on 10 September 2013. Retrieved 31 May 2011.
- ^ Iain Thomson (8 July 2013). “Snowden: US and Israel Did Create Stuxnet Attack Code”. The Register. Archived from the original on 10 July 2013. Retrieved 8 July 2013.
- ^ Menn, Joseph (29 May 2015). “Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed – sources”. Reuters. Archived from the original on 13 December 2015. Retrieved 31 May 2015.
- ^ Goud, Naveen (6 November 2018). “Iran says Israel launched Stuxnet 2.0 Cyber Attack”. Archived from the original on 7 February 2019. Retrieved 6 February 2019.
- ^ “Stuxnet’s Secret Twin”. Foreign Policy. 19 November 2013. Archived from the original on 4 December 2014. Retrieved 11 March 2017.
- ^ “Duqu: A Stuxnet-like malware found in the wild, technical report” (PDF). Laboratory of Cryptography of Systems Security (CrySyS). 14 October 2011. Archived (PDF) from the original on 21 April 2019. Retrieved 13 November 2011.
- ^ “Statement on Duqu’s initial analysis”. Laboratory of Cryptography of Systems Security (CrySyS). 21 October 2011. Archived from the original on 4 October 2012. Retrieved 25 October 2011.
- ^ “W32.Duqu – The precursor to the next Stuxnet (Version 1.2)” (PDF). Symantec. 20 October 2011. Archived from the original (PDF) on 25 October 2019. Retrieved 25 October 2011.
- ^ Finkle, Jim (28 December 2011). “Stuxnet weapon has at least 4 cousins: researchers”. Reuters. Archived from the original on 24 September 2015. Retrieved 6 July 2021.
- ^ Zetter, Kim (28 May 2012). “Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers”. Wired. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- ^ “Resource 207: Kaspersky Lab Research Proves that Stuxnet and Flame Developers are Connected”. Kaspersky Lab. 11 June 2012. Archived from the original on 16 November 2021. Retrieved 13 June 2012.
- ^ “The Meaning of Stuxnet”. The Economist. 30 September 2010. Archived from the original on 30 March 2015. Retrieved 18 April 2015.
- ^ Kim Zetter (8 July 2011). “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History”. Wired. Archived from the original on 9 March 2017. Retrieved 11 March 2017.
- ^ Holger Stark (8 August 2011). “Mossad’s Miracle Weapon: Stuxnet Virus Opens New Era of Cyber War”. Der Spiegel. Archived from the original on 12 April 2015. Retrieved 18 April 2015.
- ^ Eddie Walsh (1 January 2012). “2011: The year of domestic cyber threat”. Al Jazeera English. Archived from the original on 18 April 2015. Retrieved 18 April 2015.
- ^ Vyacheslav Zakorzhevsky (5 October 2010). “Sality & Stuxnet – Not Such a Strange Coincidence”. Kaspersky Lab. Archived from the original on 18 April 2015. Retrieved 18 April 2015.
- ^ Ball, James (16 February 2016). “U.S. Hacked into Iran’s Critical Civilian Infrastructure For Massive Cyberattack, New Film Claims”. BuzzFeed. Archived from the original on 19 July 2017. Retrieved 17 May 2017.
- ^ Savage, Charlie (17 October 2016). “James Cartwright, Ex-General, Pleads Guilty in Leak Case”. The New York Times. ISSN 0362-4331. Archived from the original on 12 January 2017. Retrieved 27 December 2016.
- ^ “World War Three, by Mistake”. The New Yorker. 23 December 2016. Archived from the original on 27 December 2016. Retrieved 27 December 2016.
- ^ “Splinter Cell Blacklist – Mission 10 “American Fuel””. Archived from the original on 21 December 2021 – via www.youtube.com.
- ^ “According to Star Trek: Discovery, Starfleet still runs Microsoft Windows”. The Verge. 3 October 2017. Archived from the original on 11 January 2019. Retrieved 11 January 2019.
Further reading
- Langner, Ralph (March 2011). “Ralph Langner: Cracking Stuxnet, a 21st-century cyber weapon”. TED. Archived from the original on 1 February 2014. Retrieved 13 May 2011.
- “The short path from cyber missiles to dirty digital bombs”. Blog. Langner Communications GmbH. 26 December 2010. Archived from the original on 19 April 2017. Retrieved 13 May 2011.
- “Ralph Langner’s Stuxnet Deep Dive”. Archived from the original on 17 October 2012.
- Langner, Ralph (November 2013). To Kill a Centrifuge: A Technical Analysis of What Stuxnet’s Creators Tried to Achieve (PDF) (Report). Archived (PDF) from the original on 13 June 2016. Retrieved 26 November 2013.
- Falliere, Nicolas (21 September 2010). “Exploring Stuxnet’s PLC Infection Process”. Blogs: Security Response. Symantec. Archived from the original on 21 June 2021. Retrieved 13 May 2011.
- “Stuxnet Questions and Answers”. News from the Lab (blog). F-Secure. 1 October 2010. Archived from the original on 5 May 2021. Retrieved 13 May 2011.
- Dang, Bruce; Ferrie, Peter (28 December 2010). “27C3: Adventures in analyzing Stuxnet”. Chaos Computer Club e.V. Archived from the original on 11 October 2015. Retrieved 13 May 2011.
- Russinovich, Mark (30 March 2011). “Analyzing a Stuxnet Infection with the Sysinternals Tools, Part 1”. Mark’s Blog. Microsoft Corporation. MSDN Blogs. Archived from the original on 23 April 2011. Retrieved 13 May 2011.
- Zetter, Kim (11 July 2011). “How Digital Detectives Deciphered Stuxnet, the Most Menacing Malware in History”. Threat Level Blog. Wired. Archived from the original on 28 March 2014. Retrieved 11 July 2011.
- Kroft, Steve (4 March 2012). “Stuxnet: Computer worm opens new era of warfare”. 60 Minutes. CBS News. Archived from the original on 15 October 2013. Retrieved 4 March 2012.
- Sanger, David E. (1 June 2012). “Obama Order Sped Up Wave of Cyberattacks Against Iran”. The New York Times. Archived from the original on 17 September 2022. Retrieved 1 June 2012.
- Kim Zetter, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon. New York: Crown Publishing Group, 2014. ISBN 978-0-7704-3617-9.
External links
- fanny.bmp – at Securelist
- fanny.bmp source – at GitHub
- Stuxnet code – at Internet Archive
Flame (malware)
Attribute | Value |
---|---|
Aliases | Flamer, sKyWIper, Skywiper |
Type | Malware |
Author(s) | Equation Group |
Operating system(s) affected | Windows |
File size | 20 MB |
Written in | C++, Lua |
Flame,[a] also known as Flamer, sKyWIper,[b] and Skywiper,[2] is modular computer malware discovered in 2012[3][4] that attacks computers running the Microsoft Windows operating system.[5] The program is used for targeted cyber espionage in Middle Eastern countries.[1][5][6]
Its discovery was announced on 28 May 2012 by the MAHER Center of the Iranian National Computer Emergency Response Team (CERT),[5] Kaspersky Lab[6] and CrySyS Lab of the Budapest University of Technology and Economics.[1] The last of these stated in its report that Flame “is certainly the most sophisticated malware we encountered during our practice; arguably, it is the most complex malware ever found.”[1] Flame can spread to other systems over a local network (LAN). It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]
According to estimates by Kaspersky in May 2012, Flame had initially infected approximately 1,000 machines,[7] with victims including governmental organizations, educational institutions and private individuals.[6] At that time 65% of the infections happened in Iran, Israel, Palestine, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt,[3][6] with a “huge majority of targets” within Iran.[8] Flame has also been reported in Europe and North America.[9] Flame supports a “kill” command which wipes all traces of the malware from the computer. The initial infections of Flame stopped operating after its public exposure, and the “kill” command was sent.[10]
Flame is linked to the Equation Group by Kaspersky Lab. However, Costin Raiu, the director of Kaspersky Lab’s global research and analysis team, believes the group only cooperates with the creators of Flame and Stuxnet from a position of superiority: “Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”[11]
Flame is regarded as one of the most significant and intricate cyber-espionage tools yet found. It reached numerous computers across the Middle East in part by presenting a forged certificate that appeared to have been issued by Microsoft.[12]
In 2019, researchers Juan Andres Guerrero-Saade and Silas Cutler announced their discovery of the resurgence of Flame.[13][14] The attackers used ‘timestomping’ (deliberately rewriting file timestamps) to make the new samples look like they were created before the ‘suicide’ command. However, a compilation error included the real compilation date (c. 2014). The new version (dubbed ‘Flame 2.0’ by the researchers) includes new encryption and obfuscation mechanisms to hide its functionality.[15]
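Timestomping alters the timestamps the file system records, but a PE executable also carries its own compile time in the COFF header (`TimeDateStamp`), and the two sources can be cross-checked. The following is an added example written for this page, not code from the Flame researchers: it reads the COFF timestamp from a PE image and flags it when it is later than the file-system times (a binary cannot be written to disk before it was compiled) or implausibly old. The stub PE header, the sample timestamps and the one-day slack value are all constructed for the demonstration; the header offsets come from the PE/COFF specification.

```python
import struct
from typing import List

# Layout from the PE/COFF specification: e_lfanew lives at 0x3C in the DOS header and
# points at "PE\0\0", which is followed by the 20-byte COFF header whose TimeDateStamp
# sits at offset 8 (Machine:2, NumberOfSections:2, TimeDateStamp:4, ...).
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C


def pe_timestamp(image: bytes) -> int:
    """Return the COFF TimeDateStamp (seconds since the Unix epoch) of a PE image."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, E_LFANEW_OFFSET)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def build_stub_pe(stamp: int) -> bytes:
    """Construct a minimal, non-executable PE header carrying the given TimeDateStamp
    (test fixture only; there is no optional header or section table)."""
    dos = bytearray(0x40)                     # DOS header is 64 bytes
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, E_LFANEW_OFFSET, 0x40)
    # Machine=0x14C (i386), 1 section, stamp, no symbols, no optional header, no flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0, 0)
    return bytes(dos) + PE_SIGNATURE + coff


def timestomp_indicators(image: bytes, fs_created: int, fs_modified: int,
                         earliest_plausible: int = 631152000,   # 1990-01-01 UTC
                         slack: int = 86400) -> List[str]:
    """Compare the embedded compile time with file-system timestamps (epoch seconds)
    and return a list of human-readable indicators; an empty list means consistent."""
    stamp = pe_timestamp(image)
    findings = []
    if stamp < earliest_plausible:
        findings.append("compile timestamp implausibly old")
    # Allow one day of clock skew between the build machine and the victim.
    if stamp > fs_modified + slack:
        findings.append("compile timestamp later than file-system modification time")
    if stamp > fs_created + slack:
        findings.append("compile timestamp later than file-system creation time")
    return findings


if __name__ == "__main__":
    # Constructed case: binary compiled 2014-06-01 but file-system times claim 2011-01-01.
    sample = build_stub_pe(1401580800)
    print(timestomp_indicators(sample, fs_created=1293840000, fs_modified=1293840000))
```

The embedded timestamp is itself forgeable, so agreement proves nothing, but a disagreement in the direction shown (compile time after the file's own creation or modification time) is the kind of inconsistency that exposes backdated samples.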
History
Flame (a.k.a. Da Flame) was identified in May 2012 by the MAHER Center of the Iranian National CERT, Kaspersky Lab and CrySyS Lab (Laboratory of Cryptography and System Security) of the Budapest University of Technology and Economics when Kaspersky Lab was asked by the United Nations International Telecommunication Union to investigate reports of a virus affecting Iranian Oil Ministry computers.[7] As Kaspersky Lab investigated, they discovered an MD5 hash and filename that appeared only on customer machines from Middle Eastern nations. After discovering more pieces, researchers dubbed the program “Flame” after one of the main modules inside the toolkit [FROG.DefaultAttacks.A-InstallFlame].[7]
According to Kaspersky, Flame had been operating in the wild since at least February 2010.[6] CrySyS Lab reported that the file name of the main component was observed as early as December 2007.[1] However, its creation date could not be determined directly, as the creation dates for the malware’s modules are falsely set to dates as early as 1994.[7]
Computer experts consider it the cause of an attack in April 2012 that caused Iranian officials to disconnect their oil terminals from the Internet.[16] At the time the Iranian Students News Agency referred to the malware that caused the attack as “Wiper”, a name given to it by the malware’s creator.[17] However, Kaspersky Lab believes that Flame may be “a separate infection entirely” from the Wiper malware.[7] Due to the size and complexity of the program—described as “twenty times” more complicated than Stuxnet—the Lab stated that a full analysis could require as long as ten years.[7]
On 28 May, Iran’s CERT announced that it had developed a detection program and a removal tool for Flame, and had been distributing these to “select organizations” for several weeks.[7] After Flame’s exposure in news media, Symantec reported on 8 June that some Flame command and control (C&C) computers had sent a “suicide” command to infected PCs to remove all traces of Flame.[10]
According to estimates by Kaspersky in May 2012, initially Flame had infected approximately 1,000 machines,[7] with victims including governmental organizations, educational institutions and private individuals.[6] At that time the countries most affected were Iran, Israel, the Palestinian Territories, Sudan, Syria, Lebanon, Saudi Arabia, and Egypt.[3][6] A sample of the Flame malware is available at GitHub.
Operation
Name | Description |
---|---|
Flame | Modules that perform attack functions |
Boost | Information gathering modules |
Flask | A type of attack module |
Jimmy | A type of attack module |
Munch | Installation and propagation modules |
Snack | Local propagation modules |
Spotter | Scanning modules |
Transport | Replication modules |
Euphoria | File leaking modules |
Headache | Attack parameters or properties |
Flame is an uncharacteristically large program for malware at 20 megabytes. It is written partly in the Lua scripting language with compiled C++ code linked in, and allows other attack modules to be loaded after initial infection.[6][18] The malware uses five different encryption methods and an SQLite database to store structured information.[1] The method used to inject code into various processes is stealthy, in that the malware modules do not appear in a listing of the modules loaded into a process and malware memory pages are protected with READ, WRITE and EXECUTE permissions that make them inaccessible by user-mode applications.[1] The internal code has few similarities with other malware, but exploits two of the same security vulnerabilities used previously by Stuxnet to infect systems.[c][1] The malware determines what antivirus software is installed, then customises its own behaviour (for example, by changing the filename extensions it uses) to reduce the probability of detection by that software.[1] Additional indicators of compromise include mutex and registry activity, such as installation of a fake audio driver which the malware uses to maintain persistence on the compromised system.[18]
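Two of the behaviours described above, modules that do not appear in the process's loaded-module list and memory pages mapped writable and executable, are also the two memory-forensics heuristics most often used to find injected code. The following added example (written for this page, not Flame analysis code from Kaspersky or CrySyS) runs those heuristics over a constructed snapshot of one process's memory regions, as a tool such as VirtualQueryEx or a memory-forensics framework would list them. The Windows protection and region-type constants are the real Win32 values; the region addresses, sizes, module names and the file name `example_hidden.ocx` are placeholders.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Win32 memory constants (values as defined in the Windows SDK).
PAGE_EXECUTE_READWRITE = 0x40
MEM_PRIVATE = 0x20000
MEM_IMAGE = 0x1000000


@dataclass
class Region:
    base: int
    size: int
    protect: int                 # PAGE_* protection of the region
    kind: int                    # MEM_PRIVATE, MEM_IMAGE, ...
    mapped_file: Optional[str]   # backing file for image/mapped regions, else None


def suspicious_regions(regions: List[Region], loaded_modules: List[str]) -> List[Tuple[int, str]]:
    """Return (base address, reason) pairs for regions matching two injection patterns."""
    loaded = {m.lower() for m in loaded_modules}
    findings: List[Tuple[int, str]] = []
    for r in regions:
        # Pattern 1: private (not file-backed) memory that is both writable and executable.
        # Legitimate code is normally mapped from an image and is not writable.
        if r.kind == MEM_PRIVATE and r.protect == PAGE_EXECUTE_READWRITE:
            findings.append((r.base, "private RWX region"))
        # Pattern 2: an image mapping whose file is absent from the loaded-module list,
        # i.e. a module unlinked from the PEB so that module enumeration does not show it.
        if r.kind == MEM_IMAGE and r.mapped_file and r.mapped_file.lower() not in loaded:
            findings.append((r.base, f"unlisted image mapping {r.mapped_file}"))
    return findings


# Constructed sample snapshot: two listed system DLLs, one image mapping missing from the
# module list, an ordinary read/write heap, and a private RWX blob.
SAMPLE_MODULES = [r"C:\Windows\System32\ntdll.dll", r"C:\Windows\System32\kernel32.dll"]
SAMPLE_REGIONS = [
    Region(0x77000000, 0x1A0000, 0x20, MEM_IMAGE, r"C:\Windows\System32\ntdll.dll"),
    Region(0x76000000, 0x100000, 0x20, MEM_IMAGE, r"C:\Windows\System32\kernel32.dll"),
    Region(0x10000000, 0x200000, 0x20, MEM_IMAGE, r"C:\Windows\System32\example_hidden.ocx"),
    Region(0x00400000, 0x40000, 0x04, MEM_PRIVATE, None),            # PAGE_READWRITE heap
    Region(0x02000000, 0x30000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None),
]


def scan_sample() -> List[Tuple[int, str]]:
    return suspicious_regions(SAMPLE_REGIONS, SAMPLE_MODULES)


if __name__ == "__main__":
    for base, why in scan_sample():
        print(f"{base:#010x}: {why}")
```

Both heuristics produce false positives on their own (JIT compilers allocate private RWX memory, and some protectors load modules manually), so in practice the hits are triaged against the backing file's signature and the memory contents rather than treated as verdicts.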
Flame is not designed to deactivate automatically, but supports a “kill” function that makes it eliminate all traces of its files and operation from a system on receipt of a module from its controllers.[7]
Flame was signed with a fraudulent certificate purportedly from the Microsoft Enforced Licensing Intermediate PCA certificate authority.[19] The malware authors identified a Microsoft Terminal Server Licensing Service certificate that inadvertently was enabled for code signing and that still used the weak MD5 hashing algorithm, then produced a counterfeit copy of the certificate that they used to sign some components of the malware to make them appear to have originated from Microsoft.[19] A successful collision attack against a certificate was previously demonstrated in 2008,[20] but Flame implemented a new variation of the chosen-prefix collision attack.[21]
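Why an MD5-signed certificate can be counterfeited comes down to two properties of MD5: collisions can be computed, and MD5 is a Merkle–Damgård construction, so once two equal-length inputs collide, any shared suffix appended to both keeps them colliding. The added example below (not code from the page's sources) demonstrates both with the published Wang et al. (2004) identical-prefix collision pair, which is simpler than the chosen-prefix variant Flame used but exhibits the same property that a signature over one message is equally valid for the other. It closes with the defender-side check that follows: refuse to trust signature algorithms built on MD5, identified by their well-known OIDs. The colliding blocks are reproduced as test data, not generated here.

```python
import hashlib
from typing import Dict

# Published MD5 collision pair (Wang et al., 2004): two 128-byte messages differing in six
# bytes (the top bit of one byte in each of six 32-bit words) that share one MD5 digest.
M1 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
M2 = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def differing_bytes(a: bytes, b: bytes) -> int:
    """Count byte positions where two equal-length messages differ."""
    return sum(1 for x, y in zip(a, b) if x != y)


def collision_survives_suffix(a: bytes, b: bytes, suffix: bytes) -> bool:
    """Merkle-Damgård property: a and b collide and have equal length, so the internal
    state after absorbing them is identical and any common suffix keeps the collision.
    A signature over md5(prefix || suffix) therefore covers both prefixes."""
    return len(a) == len(b) and md5_hex(a + suffix) == md5_hex(b + suffix)


# Signature-algorithm OIDs from PKCS#1 that a code-signing verifier should reject.
WEAK_SIGNATURE_OIDS: Dict[str, str] = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
}


def signature_algorithm_acceptable(oid: str) -> bool:
    """Policy check for the signatureAlgorithm field of every certificate in a chain."""
    return oid not in WEAK_SIGNATURE_OIDS


if __name__ == "__main__":
    print("differ in", differing_bytes(M1, M2), "bytes")
    print("md5(M1) =", md5_hex(M1))
    print("md5(M2) =", md5_hex(M2))
    # Constructed suffix standing in for the rest of a certificate body.
    print("still collide with suffix:", collision_survives_suffix(M1, M2, b"constructed tbsCertificate tail"))
    print("md5WithRSA acceptable:", signature_algorithm_acceptable("1.2.840.113549.1.1.4"))
```

The practical consequence for certificate validation is that the hash algorithm of every signature in the chain, not just the leaf's, must be checked against policy: a collision anywhere in the chain lets a crafted certificate inherit a legitimate signature, which is what made the Terminal Server Licensing certificate usable for code signing.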
Deployment
Like the previously known cyber weapons Stuxnet and Duqu, it is employed in a targeted manner and can evade current security software through rootkit functionality. Once a system is infected, Flame can spread to other systems over a local network or via USB stick. It can record audio, screenshots, keyboard activity and network traffic.[6] The program also records Skype conversations and can turn infected computers into Bluetooth beacons which attempt to download contact information from nearby Bluetooth-enabled devices.[7] This data, along with locally stored documents, is sent on to one of several command and control servers that are scattered around the world. The program then awaits further instructions from these servers.[6]
Unlike Stuxnet, which was designed to sabotage an industrial process, Flame appears to have been written purely for espionage.[22] It does not appear to target a particular industry, but rather is “a complete attack toolkit designed for general cyber-espionage purposes”.[23]
Using a technique known as sinkholing, Kaspersky demonstrated that “a huge majority of targets” were within Iran, with the attackers particularly seeking AutoCAD drawings, PDFs, and text files.[8] Computing experts said that the program appeared to be gathering technical diagrams for intelligence purposes.[8]
A network of 80 servers across Asia, Europe and North America has been used to access the infected machines remotely.[24]
Origin
On 19 June 2012, The Washington Post published an article claiming that Flame was jointly developed by the U.S. National Security Agency, CIA and Israel’s military at least five years prior. The project was said to be part of a classified effort code-named Olympic Games, which was intended to collect intelligence in preparation for a cyber-sabotage campaign aimed at slowing Iranian nuclear efforts.[25]
According to Kaspersky’s chief malware expert, “the geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it.”[3] Kaspersky initially said that the malware bears no resemblance to Stuxnet, although it may have been a parallel project commissioned by the same attackers.[26] After analysing the code further, Kaspersky later said that there is a strong relationship between Flame and Stuxnet; the early version of Stuxnet contained code to propagate via USB drives that is nearly identical to a Flame module that exploits the same zero-day vulnerability.[27]
Iran’s CERT described the malware’s encryption as having “a special pattern which you only see coming from Israel”.[28] The Daily Telegraph reported that due to Flame’s apparent targets—which included Iran, Syria, and the West Bank—Israel became “many commentators’ prime suspect”. Other commentators named the U.S. as possible perpetrators.[26] Richard Silverstein, a commentator critical of Israeli policies, claimed that he had confirmed with a “senior Israeli source” that the malware was created by Israeli computer experts.[26] The Jerusalem Post wrote that Israel’s Vice Prime Minister Moshe Ya’alon appeared to have hinted that his government was responsible,[26] but an Israeli spokesperson later denied that this had been implied.[29] Unnamed Israeli security officials suggested that the infected machines found in Israel may imply that the virus could be traced to the U.S. or other Western nations.[30] The U.S. has officially denied responsibility.[31]
A leaked NSA document mentions that dealing with Iran’s discovery of FLAME was an NSA and GCHQ jointly worked event,[32] clearing Israel’s military of all blame.
References
- “sKyWIper: A Complex Malware for Targeted Attacks” (PDF). Budapest University of Technology and Economics. 28 May 2012. Archived from the original (PDF) on 28 May 2012. Retrieved 29 May 2012.
- “Flamer: Highly Sophisticated and Discreet Threat Targets the Middle East”. Symantec. Archived from the original on 31 May 2012. Retrieved 30 May 2012.
- Lee, Dave (28 May 2012). “Flame: Massive Cyber-Attack Discovered, Researchers Say”. BBC News. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- McElroy, Damien; Williams, Christopher (28 May 2012). “Flame: World’s Most Complex Computer Virus Exposed”. The Daily Telegraph. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- “Identification of a New Targeted Cyber-Attack”. Iran Computer Emergency Response Team. 28 May 2012. Archived from the original on 29 May 2012. Retrieved 29 May 2012.
- Gostev, Alexander (28 May 2012). “The Flame: Questions and Answers”. Securelist. Archived from the original on 30 May 2012. Retrieved 16 March 2021.
- Zetter, Kim (28 May 2012). “Meet ‘Flame,’ The Massive Spy Malware Infiltrating Iranian Computers”. Wired. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- Lee, Dave (4 June 2012). “Flame: Attackers ‘sought confidential Iran data’”. BBC News. Archived from the original on 4 June 2012. Retrieved 4 June 2012.
- Murphy, Samantha (5 June 2012). “Meet Flame, the Nastiest Computer Malware Yet”. Mashable.com. Archived from the original on 8 June 2012. Retrieved 8 June 2012.
- “Flame malware makers send ‘suicide’ code”. BBC News. 8 June 2012. Archived from the original on 24 August 2012. Retrieved 8 June 2012.
- Kaspersky Labs Global Research & Analysis Team. “Equation: The Death Star of Malware Galaxy”. SecureList. Archived from the original on 17 February 2015. Quoting Costin Raiu (director of Kaspersky Lab’s global research and analysis team): “It seems to me Equation Group are the ones with the coolest toys. Every now and then they share them with the Stuxnet group and the Flame group, but they are originally available only to the Equation Group people. Equation Group are definitely the masters, and they are giving the others, maybe, bread crumbs. From time to time they are giving them some goodies to integrate into Stuxnet and Flame.”
- Munro, Kate (1 October 2012). “Deconstructing Flame: the limitations of traditional defences”. Computer Fraud & Security. 2012 (10): 8–11. doi:10.1016/S1361-3723(12)70102-1. ISSN 1361-3723.
- Zetter, Kim (9 April 2019). “Researchers Uncover New Version of the Infamous Flame Malware”. Vice.com. Vice Media. Retrieved 6 August 2020.
- Chronicle Security (12 April 2019). “Who is GOSSIPGIRL?”. Medium. Archived from the original on 22 July 2020. Retrieved 15 July 2020.
- Guerrero-Saade, Juan Andres; Cutler, Silas (9 April 2019). Flame 2.0: Risen from the Ashes (PDF) (Report). Chronicle Security. Archived (PDF) from the original on 1 June 2023. Retrieved 17 May 2024.
- Hopkins, Nick (28 May 2012). “Computer Worm That Hit Iran Oil Terminals ‘Is Most Complex Yet’”. The Guardian. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
- Erdbrink, Thomas (23 April 2012). “Facing Cyberattack, Iranian Officials Disconnect Some Oil Terminals From Internet”. The New York Times. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
- Kindlund, Darien (30 May 2012). “Flamer/sKyWIper Malware: Analysis”. FireEye. Archived from the original on 2 June 2012. Retrieved 31 May 2012.
- “Microsoft releases Security Advisory 2718704”. Microsoft. 3 June 2012. Archived from the original on 7 June 2012. Retrieved 4 June 2012.
- Sotirov, Alexander; Stevens, Marc; Appelbaum, Jacob; Lenstra, Arjen; Molnar, David; Osvik, Dag Arne; de Weger, Benne (30 December 2008). MD5 considered harmful today: creating a rogue CA certificate. 25th Annual Chaos Communication Congress in Berlin. Archived from the original on 25 March 2017. Retrieved 4 June 2011.
- Stevens, Marc (7 June 2012). “CWI Cryptanalist Discovers New Cryptographic Attack Variant in Flame Spy Malware”. Centrum Wiskunde & Informatica. Archived from the original on 28 February 2017. Retrieved 9 June 2012.
- Cohen, Reuven (28 May 2012). “New Massive Cyber-Attack an ‘Industrial Vacuum Cleaner for Sensitive Information’”. Forbes. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
- Albanesius, Chloe (28 May 2012). “Massive ‘Flame’ Malware Stealing Data Across Middle East”. PC Magazine. Archived from the original on 30 May 2012. Retrieved 29 May 2012.
- “Flame virus: Five facts to know”. The Times of India. Reuters. 29 May 2012. Archived from the original on 30 May 2012. Retrieved 30 May 2012.
- Nakashima, Ellen (19 June 2012). “U.S., Israel developed Flame computer virus to slow Iranian nuclear efforts, officials say”. The Washington Post. Archived from the original on 18 July 2012. Retrieved 20 June 2012.
- “Flame Virus: Who is Behind the World’s Most Complicated Espionage Software?”. The Daily Telegraph. 29 May 2012. Archived from the original on 31 May 2012. Retrieved 29 May 2012.
- “Resource 207: Kaspersky Lab Research Proves that Stuxnet and Flame Developers are Connected”. Kaspersky Lab. 11 June 2012. Archived from the original on 16 November 2021. Retrieved 13 June 2012.
- Erdbrink, Thomas (29 May 2012). “Iran Confirms Attack by Virus That Collects Information”. The New York Times. Archived from the original on 6 June 2012. Retrieved 30 May 2012.
- Tsukayama, Hayley (31 May 2012). “Flame cyberweapon written using gamer code, report says”. The Washington Post. Archived from the original on 2 June 2012. Retrieved 31 May 2012.
- Dareini, Ali Akbar; Murphy, Dan; Satter, Raphael; Federman, Josef (30 May 2012). “Iran: ‘Flame’ virus fight began with oil attack”. Yahoo! News. Associated Press.
- “Flame: Israel rejects link to malware cyber-attack”. BBC News. 31 May 2012. Archived from the original on 5 June 2014. Retrieved 3 June 2012.
- “Visit Précis: Sir Iain Lobban, KCMG, CB; Director, Government Communications Headquarters (GCHQ) 30 April 2013 – 1 May 2013” (PDF). Archived (PDF) from the original on 2 May 2014. Retrieved 1 May 2014.
Duqu
Duqu is a collection of computer malware discovered on 1 September 2011, thought by Kaspersky Labs to be related to the Stuxnet worm[1] and to have been created by Unit 8200.[2] Duqu exploited a zero-day vulnerability in Microsoft Windows. The Laboratory of Cryptography and System Security (CrySyS Lab)[3] of the Budapest University of Technology and Economics in Hungary discovered the threat, analysed the malware, and wrote a 60-page report[4] naming the threat Duqu.[5] Duqu got its name from the prefix “~DQ” it gives to the names of files it creates.[6]
Nomenclature
The term Duqu is used in a variety of ways:
- Duqu malware is a set of software components that together provide services to the attackers. Currently this includes information-stealing capabilities and, in the background, kernel drivers and injection tools. Part of this malware is written in an unknown high-level programming language,[7] dubbed the “Duqu framework”. It is not C++, Python, Ada, Lua, or any of the many other languages checked. However, it has been suggested that Duqu may have been written in C with a custom object-oriented framework and compiled in Microsoft Visual Studio 2008.[8]
- The Duqu flaw is the Microsoft Windows vulnerability that malicious files use to execute Duqu’s malware components. Currently one flaw is known: a TrueType font-related problem in win32k.sys.
- Operation Duqu is the campaign in which only Duqu is used, for goals that remain unknown. The operation might be related to Operation Stuxnet.
Relationship to Stuxnet
Symantec, building on the report of the CrySyS team managed by Dr Thibault Gainche, continued the analysis of the threat, which it called “nearly identical to Stuxnet, but with a completely different purpose”, and published a detailed technical paper on it with a cut-down version of the original lab report as an appendix.[6][9] Symantec believes that Duqu was created by the same authors as Stuxnet, or that the authors had access to the source code of Stuxnet. The worm, like Stuxnet, has a valid but abused digital signature, and collects information to prepare for future attacks.[6][10] Mikko Hyppönen, Chief Research Officer for F-Secure, said that Duqu’s kernel driver, JMINET7.SYS, was so similar to Stuxnet’s MRXCLS.SYS that F-Secure’s back-end system thought it was Stuxnet. Hyppönen further said that the key used to make Duqu’s own digital signature (observed in only one case) was stolen from C-Media, located in Taipei, Taiwan. The certificates were due to expire on 2 August 2012 but were revoked on 14 October 2011, according to Symantec.[9]
Another source, Dell SecureWorks, reports that Duqu may not be related to Stuxnet.[11] However, there is considerable and growing evidence that Duqu is closely related to Stuxnet.
Experts compared the similarities and found three points of interest:
- The installer exploits zero-day Windows kernel vulnerabilities.
- Components are signed with stolen digital keys.
- Duqu and Stuxnet are both highly targeted and related to the nuclear program of Iran.
Microsoft Word zero-day exploit
Like Stuxnet, Duqu attacks Microsoft Windows systems using a zero-day vulnerability. The first known installer (also called a dropper) file recovered and disclosed by CrySyS Lab uses a Microsoft Word document that exploits the Win32k TrueType font parsing engine and allows code execution.[12] Because the Duqu dropper relies on font embedding, the interim workaround was to restrict access to T2EMBED.DLL, a TrueType font parsing engine, on systems where the patch released by Microsoft in December 2011 was not yet installed.[13] Microsoft’s identifier for the threat is MS11-087 (first advisory issued on 13 November 2011).[14]
Purpose
Duqu looks for information that could be useful in attacking industrial control systems. Its purpose is not to be destructive; the known components are trying to gather information.[15] However, given Duqu’s modular structure, a special payload could be used to attack any type of computer system by any means, so cyber-physical attacks based on Duqu might be possible. Its use on personal computer systems has also been found to delete all recent information entered on the system, and in some cases to wipe the computer’s hard drive entirely. Duqu’s internal communications have been analysed by Symantec,[6] but the exact method by which it replicates inside an attacked network is not yet fully known. According to McAfee, one of Duqu’s actions is to steal digital certificates (and the corresponding private keys, as used in public-key cryptography) from attacked computers to help future viruses appear as trusted software.[16] Duqu uses a 54×54 pixel JPEG file and encrypted dummy files as containers to smuggle data to its command and control centre. Security experts are still analysing the code to determine what information the communications contain. Initial research indicates that the original malware sample automatically removes itself after 36 days (the malware stores this setting in its configuration files), which would limit its detection.[9]
Key points are:
- Executables developed after Stuxnet using the Stuxnet source code that have been discovered.
- The executables are designed to capture information such as keystrokes and system information.
- Current analysis shows no code related to industrial control systems, exploits, or self-replication.
- The executables have been found in a limited number of organizations, including those involved in the manufacturing of industrial control systems.
- The exfiltrated data may be used to enable a future Stuxnet-like attack, or might already have been used as the basis for the Stuxnet attack.
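As an added triage example (not code from the article or from any of the cited analyses), the Python below turns two of the artefacts described above into host-side checks: the “~DQ” filename prefix and the small JPEG used as an exfiltration container, which a defender can catch by walking the JPEG segment chain and flagging any bytes that follow the end-of-image marker. The JPEG stub, the 54×54 trigger and the sample filename are constructed for the test; the parser handles the general case of trailing data after EOI, not only Duqu’s carrier.

```python
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS = 0xDA                              # start of scan: entropy-coded data follows
SOF_MARKERS = {0xC0, 0xC1, 0xC2}        # baseline / extended / progressive frame headers


def inspect_jpeg(data: bytes) -> dict:
    """Walk the JPEG segment chain and return the frame size plus any bytes after EOI."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI")
    pos, width, height = 2, None, None
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("malformed segment at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xD9:                            # EOI with no scan data at all
            return {"width": width, "height": height, "trailing": data[pos + 2:]}
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF_MARKERS:
            _precision, height, width = struct.unpack(">BHH", data[pos + 4:pos + 9])
        if marker == SOS:
            # Inside entropy-coded data every 0xFF is stuffed as FF 00, so the first
            # FF D9 after the SOS header is the genuine end-of-image marker.
            eoi = data.find(EOI, pos + 2 + length)
            if eoi < 0:
                raise ValueError("truncated: no EOI after scan data")
            return {"width": width, "height": height, "trailing": data[eoi + 2:]}
        pos += 2 + length
    raise ValueError("truncated: no EOI")


def duqu_indicators(filename: str, data: bytes) -> list:
    """Triage heuristics taken from the Duqu description: the ~DQ filename prefix,
    a 54x54 carrier image, and data hidden after the image's EOI marker."""
    findings = []
    if filename.startswith("~DQ"):
        findings.append("filename carries the ~DQ prefix Duqu gives to files it creates")
    if data.startswith(SOI):
        info = inspect_jpeg(data)
        if info["trailing"]:
            findings.append("%d bytes appended after the JPEG EOI marker" % len(info["trailing"]))
        if (info["width"], info["height"]) == (54, 54):
            findings.append("54x54 frame size matches the Duqu command-and-control carrier")
    return findings


def jpeg_stub(width: int, height: int, payload: bytes = b"") -> bytes:
    """Constructed minimal JPEG for testing: SOI, a one-component SOF0 header, an
    empty SOS segment, EOI, and an optional tail appended the way a smuggling
    container would carry it. Not a viewable image."""
    sof = struct.pack(">BHHB", 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\x01\x01\x00\x00\x3f\x00"
    return (SOI
            + b"\xff\xc0" + struct.pack(">H", len(sof) + 2) + sof
            + b"\xff\xda" + struct.pack(">H", len(sos) + 2) + sos
            + EOI + payload)


if __name__ == "__main__":
    # "~DQ7a3c.tmp" is a constructed sample name, not an observed Duqu artefact.
    print(duqu_indicators("holiday.jpg", jpeg_stub(640, 480)))          # []
    print(duqu_indicators("~DQ7a3c.tmp", jpeg_stub(54, 54, b"\x17" * 300)))
```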
Command and control servers
Some of the command and control servers of Duqu have been analysed. It seems that the people running the attack had a predilection for CentOS 5.x servers, leading some researchers to believe that they had a zero-day exploit for it.[17] Servers are scattered across many different countries, including Germany, Belgium, the Philippines, India and China. Kaspersky has published multiple blog posts on the command and control servers.[18]
References
- “How Israel Caught Russian Hackers Scouring the World for U.S. Secrets”. The New York Times.
- Carr, Jeffrey (25 August 2016). “NSA, Unit 8200, and Malware Proliferation”. Medium. Archived 25 October 2017 at the Wayback Machine. (Carr: principal consultant at 20KLeague.com; founder of Suits and Spooks; author of Inside Cyber Warfare, O’Reilly Media, 2009, 2011.)
- “Laboratory of Cryptography and System Security (CrySyS)”. Retrieved 4 November 2011.
- “Duqu: A Stuxnet-like malware found in the wild, technical report” (PDF). Laboratory of Cryptography of Systems Security (CrySyS). 14 October 2011.
- “Statement on Duqu’s initial analysis”. Laboratory of Cryptography of Systems Security (CrySyS). 21 October 2011. Archived from the original on 4 October 2012. Retrieved 25 October 2011.
- “W32.Duqu – The precursor to the next Stuxnet (Version 1.4)” (PDF). Symantec. 23 November 2011. Archived from the original (PDF) on 13 December 2011. Retrieved 30 December 2011.
- Knight, Shawn (2012). “Duqu Trojan contains mystery programming language in Payload DLL”.
- “Securelist | Kaspersky’s threat research and reports”. 12 September 2023.
- Zetter, Kim (18 October 2011). “Son of Stuxnet Found in the Wild on Systems in Europe”. Wired. Retrieved 21 October 2011.
- “Virus Duqu alarmiert IT-Sicherheitsexperten”. Die Zeit. 19 October 2011. Retrieved 19 October 2011.
- “Spotted in Iran, trojan Duqu may not be ‘son of Stuxnet’ after all”. 27 October 2011. Retrieved 27 October 2011.
- “Microsoft issues temporary ‘fix-it’ for Duqu zero-day”. ZDNet. Retrieved 5 November 2011.
- “Microsoft Security Advisory (2639658): Vulnerability in TrueType Font Parsing Could Allow Elevation of Privilege”. 3 November 2011. Retrieved 5 November 2011.
- “Microsoft Security Bulletin MS11-087 – Critical”. Retrieved 13 November 2011.
- Cherry, Steven; Constantine, Larry (14 December 2011). “Sons of Stuxnet”. IEEE Spectrum.
- Venere, Guilherme; Szor, Peter (18 October 2011). “The Day of the Golden Jackal – The Next Tale in the Stuxnet Files: Duqu”. McAfee. Archived from the original on 31 May 2016. Retrieved 19 October 2011.
- Garmon, Matthew. “In Command & Out of Control”. DIG.
- Kamluk, Vitaly (30 November 2011). “The Mystery of Duqu: Part Six (The Command and Control servers)”. Securelist by Kaspersky. Archived from the original on 7 June 2022. Retrieved 7 June 2022.
Fancy Bear
Formation | c. 2004–2007[2] |
---|---|
Type | Advanced persistent threat |
Purpose | Cyberespionage, cyberwarfare |
Region | Russia |
Methods | Zero-days, spearphishing, malware |
Official language | Russian |
Parent organization | GRU[1][2][3] |
Affiliations | Cozy Bear |
Fancy Bear, also known as APT28 (by Mandiant), Pawn Storm, Sofacy Group (by Kaspersky), Sednit, Tsar Team (by FireEye) and STRONTIUM or Forest Blizzard (by Microsoft),[2][4] is a Russian cyber espionage group. Cybersecurity firm CrowdStrike has said with a medium level of confidence that it is associated with the Russian military intelligence agency GRU.[5][6] The UK’s Foreign and Commonwealth Office[7] as well as security firms SecureWorks,[8] ThreatConnect,[9] and Mandiant[10] have also said the group is sponsored by the Russian government. In 2018, an indictment by the United States Special Counsel identified Fancy Bear as GRU Unit 26165.[3][2] This refers to its unified Military Unit Number among the Russian army’s regiments. The headquarters of Fancy Bear and the entire military unit, which reportedly specializes in state-sponsored cyberattacks and decryption of hacked data,[11] were targeted by Ukrainian drones on July 24, 2023; the rooftop of an adjacent building collapsed as a result of the explosion.[12][13]
Fancy Bear is classified by FireEye as an advanced persistent threat.[10] Among other things, it uses zero-day exploits, spear phishing and malware to compromise targets. The group promotes the political interests of the Russian government, and is known for hacking Democratic National Committee emails to attempt to influence the outcome of the United States 2016 presidential elections.
The name “Fancy Bear” comes from a coding system security researcher Dmitri Alperovitch uses to identify hackers.[14]
Likely operating since the mid-2000s, Fancy Bear’s methods are consistent with the capabilities of state actors. The group targets government, military, and security organizations, especially Transcaucasian and NATO-aligned states. Fancy Bear is thought to be responsible for cyber attacks on the German parliament, the Norwegian parliament, the French television station TV5Monde, the White House, NATO, the Democratic National Committee, the Organization for Security and Co-operation in Europe and the campaign of French presidential candidate Emmanuel Macron.[15]
Discovery and security reports
Trend Micro designated the actors behind the Sofacy malware as Operation Pawn Storm on October 22, 2014.[16] The name was due to the group’s use of “two or more connected tools/tactics to attack a specific target similar to the chess strategy,”[17] known as pawn storm.
Network security firm FireEye released a detailed report on Fancy Bear in October 2014. The report designated the group as “Advanced Persistent Threat 28” (APT28) and described how the hacking group used zero-day exploits of the Microsoft Windows operating system and Adobe Flash.[18] The report found operational details indicating that the source is a “government sponsor based in Moscow”. Evidence collected by FireEye suggested that Fancy Bear’s malware was compiled primarily in a Russian-language build environment and occurred mainly during work hours paralleling Moscow’s time zone.[19] FireEye director of threat intelligence Laura Galante referred to the group’s activities as “state espionage”[20] and said that targets also include “media or influencers.”[21][22]
The name “Fancy Bear” derives from the coding system that Dmitri Alperovitch’s company CrowdStrike uses for hacker groups. “Bear” indicates that the hackers are from Russia. “Fancy” refers to “Sofacy”, a word in the malware that reminded the analyst who found it of Iggy Azalea’s song “Fancy”.[1]
Attacks
Fancy Bear’s targets have included Eastern European governments and militaries, the country of Georgia and the Caucasus, Ukraine,[23] security-related organizations such as NATO, as well as US defense contractors Academi (formerly known as Blackwater and Xe Services), Science Applications International Corporation (SAIC),[24] Boeing, Lockheed Martin, and Raytheon.[23] Fancy Bear has also attacked citizens of the Russian Federation who are political enemies of the Kremlin, including former oil tycoon Mikhail Khodorkovsky and Maria Alekhina of the band Pussy Riot.[23] SecureWorks, a cybersecurity firm headquartered in the United States, concluded that from March 2015 to May 2016 the “Fancy Bear” target list included not only the United States Democratic National Committee and the Republican National Committee,[25] but also tens of thousands of foes of Putin and the Kremlin in the United States, Ukraine, Russia, Georgia, and Syria. Only a handful of Republicans were targeted, however.[26] An AP analysis of 4,700 email accounts that had been attacked by Fancy Bear concluded that no country other than Russia would be interested in hacking so many very different targets that seemed to have nothing else in common other than their being of interest to the Russian government.[23]
Fancy Bear also seems to try to influence political events in order for friends or allies of the Russian government to gain power.
In 2011–2012, Fancy Bear’s first-stage malware was the “Sofacy” or SOURFACE implant. During 2013, Fancy Bear added more tools and backdoors, including CHOPSTICK, CORESHELL, JHUHUGIT, and ADVSTORESHELL.[27]
Attacks on journalists
From mid-2014 until the fall of 2017, Fancy Bear targeted numerous journalists in the United States, Ukraine, Russia, Moldova, the Baltics, and other countries who had written articles about Vladimir Putin and the Kremlin. According to the Associated Press and SecureWorks, this group of journalists is the third largest group targeted by Fancy Bear after diplomatic personnel and U.S. Democrats. Fancy Bear’s target list includes Adrian Chen, the Armenian journalist Maria Titizian, Eliot Higgins at Bellingcat, Ellen Barry and at least 50 other New York Times reporters, at least 50 foreign correspondents based in Moscow who worked for independent news outlets, Josh Rogin, a Washington Post columnist, Shane Harris, a Daily Beast writer who in 2015 covered intelligence issues, Michael Weiss, a CNN security analyst, Jamie Kirchick with the Brookings Institution, 30 media targets in Ukraine, many at the Kyiv Post, reporters who covered the Russian-backed war in eastern Ukraine, as well as journalists in Russia, where the majority of those targeted by the hackers worked for independent news outlets (e.g. Novaya Gazeta or Vedomosti), such as Ekaterina Vinokurova at Znak.com, and mainstream Russian journalists Tina Kandelaki, Ksenia Sobchak, and the Russian television anchor Pavel Lobkov, all of whom worked for TV Rain.[28]
German attacks (from 2014)
Fancy Bear is thought to have been responsible for a six-month-long cyber-attack on the German parliament that began in December 2014.[29] On 5 May 2020, German federal prosecutors issued an arrest warrant for Dimitri Badin in relation to the attacks.[30] The attack completely paralyzed the Bundestag’s IT infrastructure in May 2015. To resolve the situation, the entire parliament had to be taken offline for days. IT experts estimate that a total of 16 gigabytes of data were downloaded from Parliament as part of the attack.[31]
The group is also suspected to be behind a spear phishing attack in August 2016 on members of the Bundestag and multiple political parties such as Linken-faction leader Sahra Wagenknecht, Junge Union and the CDU of Saarland.[32][33][34][35] Authorities feared that sensitive information could be gathered by hackers to later manipulate the public ahead of elections such as Germany’s next federal election which was due in September 2017.[32]
U.S. military wives’ death threats (February 10, 2015)
Five wives of U.S. military personnel received death threats from a hacker group calling itself “CyberCaliphate”, claiming to be an Islamic State affiliate, on February 10, 2015.[36][37][38][39] This was later discovered to have been a false flag attack by Fancy Bear, when the victims’ email addresses were found to have been in the Fancy Bear phishing target list.[37] Russian social media trolls have also been known to hype and rumor monger the threat of potential Islamic State terror attacks on U.S. soil in order to sow fear and political tension.[37]
French television hack (April 2015)
On April 8, 2015, French television network TV5Monde was the victim of a cyber-attack by a hacker group calling itself “CyberCaliphate” and claiming to have ties to the terrorist organization Islamic State of Iraq and the Levant (ISIL). French investigators later discounted the theory that militant Islamists were behind the cyber-attack, instead suspecting the involvement of Fancy Bear.[40]
Hackers breached the network’s internal systems, possibly aided by passwords openly broadcast by TV5,[41] overriding the broadcast programming of the company’s 12 channels for over three hours.[42] Service was only partially restored in the early hours of the following morning and normal broadcasting services were disrupted late into April 9.[42] Various computerised internal administrative and support systems including e-mail were also still shut down or otherwise inaccessible due to the attack.[43][42] The hackers also hijacked TV5Monde’s Facebook and Twitter pages to post the personal information of relatives of French soldiers participating in actions against ISIS, along with messages critical of President François Hollande, arguing that the January 2015 terrorist attacks were “gifts” for his “unforgivable mistake” of partaking in conflicts that “[serve] no purpose”.[44][42]
The director-general of TV5Monde, Yves Bigot, later said that the attack nearly destroyed the company; if it had taken longer to restore broadcasting, satellite distribution channels would have been likely to cancel their contracts. The attack was designed to be destructive, both of equipment and of the company itself, rather than for propaganda or espionage, as had been the case for most other cyber-attacks. The attack was carefully planned; the first known penetration of the network was on January 23, 2015.[45] The attackers then carried out reconnaissance of TV5Monde to understand the way in which it broadcast its signals, and constructed bespoke malicious software to corrupt and destroy the Internet-connected hardware that controlled the TV station’s operations, such as the encoder systems. They used seven different points of entry, not all part of TV5Monde or even in France—one was a company based in the Netherlands that supplied the remote controlled cameras used in TV5’s studios.[45] Between February 16 and March 25 the attackers collected data on TV5 internal platforms, including its IT Internal Wiki, and verified that login credentials were still valid.[45] During the attack, the hackers ran a series of commands extracted from TACACS logs to erase the firmware from switches and routers.[45]
Although the attack purported to be from IS, France’s cyber-agency told Bigot to say only that the messages claimed to be from IS. He was later told that evidence had been found that the attackers were the APT 28 group of Russian hackers. No reason was found for the targeting of TV5Monde, and the source of the order to attack, and funding for it, is not known. It has been speculated that it was probably an attempt to test forms of cyber-weaponry. The cost was estimated at €5m ($5.6m; £4.5m) in the first year, followed by recurring annual cost of over €3m ($3.4m; £2.7m) for new protection. The company’s way of working had to change, with authentication of email, checking of flash drives before insertion, and so on, at significant detriment to efficiency for a news media company that must move information.[46]
root9B report (May 2015)
Security firm root9B released a report on Fancy Bear in May 2015 announcing its discovery of a targeted spear phishing attack aimed at financial institutions. The report listed international banking institutions that were targeted, including the United Bank for Africa, Bank of America, TD Bank, and UAE Bank. According to root9B, preparations for the attacks started in June 2014 and the malware used “bore specific signatures that have historically been unique to only one organization, Sofacy.”[47] Security journalist Brian Krebs questioned the accuracy of root9B’s claims, postulating that the attacks had actually originated from Nigerian phishers.[48] In June 2015 the well-respected security researcher Claudio Guarnieri published a report based on his own investigation of a concurrent SOFACY-attributed exploit against the German Bundestag[49] and credited root9B with having reported “the same IP address used as Command & Control server in the attack against Bundestag (176.31.112.10)”, going on to say that, based on his examination of the Bundestag attack, “at least some” indicators contained within root9B’s report appeared accurate, including a comparison of the hash of the malware sample from both incidents. root9B later published a technical report comparing Guarnieri’s analysis of SOFACY-attributed malware to its own sample, adding to the veracity of its original report.[50]
EFF spoof, White House and NATO attack (August 2015)
In August 2015, Fancy Bear used a zero-day exploit of Java, spoofing the Electronic Frontier Foundation and launching attacks on the White House and NATO. The hackers used a spear phishing attack, directing emails to the false URL electronicfrontierfoundation.org.[51][52]
World Anti-Doping Agency (August 2016)
In August 2016, the World Anti-Doping Agency reported the receipt of phishing emails sent to users of its database claiming to be official WADA communications requesting their login details. After reviewing the two domains provided by WADA, it was found that the websites’ registration and hosting information were consistent with the Russian hacking group Fancy Bear.[53][54] According to WADA, some of the data the hackers released had been forged.[55]
Due to evidence of widespread doping by Russian athletes, WADA recommended that Russian athletes be barred from participating in the 2016 Rio Olympics and Paralympics. Analysts said they believed the hack was in part an act of retaliation against whistleblowing Russian athlete Yuliya Stepanova, whose personal information was released in the breach.[56] In August 2016, WADA revealed that their systems had been breached, explaining that hackers from Fancy Bear had used an International Olympic Committee (IOC)-created account to gain access to their Anti-doping Administration and Management System (ADAMS) database.[57] The hackers then used the website fancybear.net to leak what they said were the Olympic drug testing files of several athletes who had received therapeutic use exemptions, including gymnast Simone Biles, tennis players Venus and Serena Williams and basketball player Elena Delle Donne.[58] The hackers homed in on athletes who had been granted exemptions by WADA for various reasons. Subsequent leaks included athletes from many other countries.[57]
Dutch Safety Board and Bellingcat
Eliot Higgins and other journalists associated with Bellingcat, a group researching the shooting down of Malaysia Airlines Flight 17 over Ukraine, were targeted by numerous spearphishing emails. The messages were fake Gmail security notices with Bit.ly and TinyCC shortened URLs. According to ThreatConnect, some of the phishing emails had originated from servers that Fancy Bear had used in previous attacks elsewhere. Bellingcat is known for having demonstrated that Russia is culpable for the shooting down of MH17, and is frequently derided by the Russian media.[59][60]
The group targeted the Dutch Safety Board, the body conducting the official investigation into the crash, before and after the release of the board’s final report. They set up fake SFTP and VPN servers to mimic the board’s own servers, likely for the purpose of spearphishing usernames and passwords.[61] A spokesman for the DSB said the attacks were not successful.[62]
Democratic National Committee (2016)
Fancy Bear carried out spear phishing attacks on email addresses associated with the Democratic National Committee in the first quarter of 2016.[63][64] On March 10, phishing emails that were mainly directed at old email addresses of 2008 Democratic campaign staffers began to arrive. One of these accounts may have yielded up-to-date contact lists. The next day, phishing attacks expanded to the non-public email addresses of high-level Democratic Party officials. Hillaryclinton.com addresses were attacked, but required two-factor authentication for access. The attack redirected towards Gmail accounts on March 19. Podesta’s Gmail account was breached the same day, with 50,000 emails stolen. The phishing attacks intensified in April,[64] although the hackers seemed to become suddenly inactive for the day on April 15, which in Russia was a holiday in honor of the military’s electronic warfare services.[65] The malware used in the attack sent stolen data to the same servers that were used for the group’s 2015 attack on the German parliament.[1]
On June 14, CrowdStrike released a report publicizing the DNC hack and identifying Fancy Bear as the culprits. An online persona, Guccifer 2.0, then appeared, claiming sole credit for the breach.[66]
Another sophisticated hacking group attributed to the Russian Federation, nicknamed Cozy Bear, was also present in the DNC’s servers at the same time. However the two groups each appeared to be unaware of the other, as each independently stole the same passwords and otherwise duplicated their efforts. Cozy Bear appears to be a different agency, one more interested in traditional long-term espionage.[65] A CrowdStrike forensic team determined that while Cozy Bear had been on the DNC’s network for over a year, Fancy Bear had only been there a few weeks.[1]
Ukrainian artillery
According to CrowdStrike, from 2014 to 2016 the group used Android malware to target the Ukrainian Army’s Rocket Forces and Artillery. They distributed an infected version of an Android app whose original purpose was to control targeting data for the D-30 Howitzer artillery. The app, used by Ukrainian officers, was loaded with the X-Agent spyware and posted online on military forums. CrowdStrike initially claimed that more than 80% of Ukrainian D-30 Howitzers were destroyed in the war, the highest percentage loss of any artillery pieces in the army (a percentage that had never been previously reported and would mean the loss of nearly the entire arsenal of the biggest artillery piece of the Ukrainian Armed Forces[67]).[68] According to the Ukrainian army, CrowdStrike’s numbers were incorrect: losses in artillery weapons “were way below those reported” and these losses “have nothing to do with the stated cause”.[69] CrowdStrike has since revised this report after the International Institute for Strategic Studies (IISS) disavowed its original report, now stating that the malware hacks resulted in losses of 15–20% rather than the original figure of 80%.[70]
Windows zero-day (October 2016)
On October 31, 2016, Google’s Threat Analysis Group revealed a zero-day vulnerability in most Microsoft Windows versions that was the subject of active malware attacks. On November 1, 2016, Microsoft Executive Vice President of the Windows and Devices Group Terry Myerson posted to Microsoft’s Threat Research & Response Blog, acknowledging the vulnerability and explaining that a “low-volume spear-phishing campaign” targeting specific users had utilized “two zero-day vulnerabilities in Adobe Flash and the down-level Windows kernel.” Microsoft pointed to Fancy Bear as the threat actor, referring to the group by their in-house code name STRONTIUM.[71]
Dutch ministries (February 2017)
In February 2017, the General Intelligence and Security Service (AIVD) of the Netherlands revealed that Fancy Bear and Cozy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents.[72]
In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.[73]
IAAF hack (February 2017)
Officials of the International Association of Athletics Federations (IAAF) stated in April 2017 that its servers had been hacked by the “Fancy Bear” group. The attack was detected by cybersecurity firm Context Information Security, which identified that an unauthorised remote access to IAAF’s servers had taken place on February 21. IAAF stated that the hackers had accessed the Therapeutic Use Exemption applications, which athletes must file in order to use medications otherwise prohibited by WADA.[74][75]
German and French elections (2016–2017)
Researchers from Trend Micro in 2017 released a report outlining attempts by Fancy Bear to target groups related to the election campaigns of Emmanuel Macron and Angela Merkel. According to the report, they targeted the Macron campaign with phishing and by attempting to install malware on its site. French government cybersecurity agency ANSSI confirmed these attacks took place, but could not confirm APT28’s responsibility.[76] Marine Le Pen’s campaign does not appear to have been targeted by APT28, possibly indicating Russian preference for her campaign. Putin had previously touted the benefits to Russia if Marine Le Pen were elected.[77]
The report says they then targeted the German Konrad Adenauer Foundation and Friedrich Ebert Foundation, groups that are associated with Angela Merkel’s Christian Democratic Union and opposition Social Democratic Party, respectively. Fancy Bear set up fake email servers in late 2016 to send phishing emails with links to malware.[78]
International Olympic Committee (2018)
On January 10, 2018, the “Fancy Bears Hack Team” online persona leaked what appeared to be stolen International Olympic Committee (IOC) and U.S. Olympic Committee emails, dated from late 2016 to early 2017, in apparent retaliation for the IOC’s banning of Russian athletes from the 2018 Winter Olympics as a sanction for Russia’s systematic doping program. The attack resembles the earlier World Anti-Doping Agency (WADA) leaks. It is not known whether the emails are fully authentic, because of Fancy Bear’s history of salting stolen emails with disinformation. The mode of attack was also not known, but was probably phishing.[79][80]
Cybersecurity experts have also said that attacks appear to have targeted the professional sports drug-test bottling company known as the Berlinger Group.[81]
Swedish Sports Confederation
The Swedish Sports Confederation reported Fancy Bear was responsible for an attack on its computers, targeting records of athletes’ doping tests.[82]
United States conservative groups (2018)
The software company Microsoft reported in August 2018 that the group had attempted to steal data from political organizations such as the International Republican Institute and the Hudson Institute think tanks. The attacks were thwarted when Microsoft security staff won control of six net domains.[83] In its announcement Microsoft advised that “we currently have no evidence these domains were used in any successful attacks before the DCU transferred control of them, nor do we have evidence to indicate the identity of the ultimate targets of any planned attack involving these domains”.[84]
The Ecumenical Patriarchate and other clergy (August 2018)
According to the August 2018 report by the Associated Press, Fancy Bear had been for years targeting the email correspondence of the officials of the Ecumenical Patriarchate of Constantinople headed by the Ecumenical Patriarch Bartholomew I.[85] The publication appeared at a time of heightened tensions between the Ecumenical Patriarchate, the seniormost of all the Eastern Orthodox Churches, and the Russian Orthodox Church (the Moscow Patriarchate) over the issue of the full ecclesiastical independence (autocephaly) for the Orthodox Church in Ukraine, sought after by the Ukrainian government. The publication cited experts as saying that the grant of autocephaly to the Church in Ukraine would erode the power and prestige of the Moscow Patriarchate and would undermine its claims of transnational jurisdiction.[85] Cyber attacks also targeted Orthodox Christians in other countries as well as Muslims, Jews and Catholics in the United States, Ummah, an umbrella group for Ukrainian Muslims, the papal nuncio in Kiev and Yosyp Zisels, who directs Ukraine’s Association of Jewish Organizations and Communities.[85]
Indictments in 2018
In October 2018, an indictment by a U.S. federal grand jury of seven Russian men, all GRU officers, in relation to the attacks was unsealed. The indictment states that from December 2014 until at least May 2018, the GRU officers conspired to conduct “persistent and sophisticated computer intrusions affecting U.S. persons, corporate entities, international organizations, and their respective employees located around the world, based on their strategic interest to the Russian government.”[86][87] The U.S. Department of Justice stated that the conspiracy, among other goals, aimed “to publicize stolen information as part of an influence and disinformation campaign designed to undermine, retaliate against, and otherwise delegitimize” the efforts of the World Anti-Doping Agency, an international anti-doping organization that had published the McLaren Report, a report that exposed extensive doping of Russian athletes sponsored by the Russian government.[86] The defendants were charged with computer hacking, wire fraud, aggravated identity theft, and money laundering.[86]
2019 think tank attacks
In February 2019, Microsoft announced that it had detected spear-phishing attacks from APT28, aimed at employees of the German Marshall Fund, Aspen Institute Germany, and the German Council on Foreign Relations.[88][89] Hackers from the group purportedly sent phishing e-mails to 104 email addresses across Europe in an attempt to gain access to employer credentials and infect sites with malware.[90][91]
2019 strategic Czech institution
In 2020, the Czech National Cyber and Information Security Agency reported a cyber-espionage incident in an unnamed strategic institution, possibly the Ministry of Foreign Affairs,[92] most likely carried out by Fancy Bear.[93]
2020 Norwegian Parliament attack
In August 2020, the Norwegian Storting reported a “significant cyber attack” on their e-mail system. In September 2020, Norway’s foreign minister, Ine Marie Eriksen Søreide, accused Russia of the attack. The Norwegian Police Security Service concluded in December 2020 that “The analyses show that it is likely that the operation was carried out by the cyber actor referred to in open sources as APT28 and Fancy Bear,” and that “sensitive content has been extracted from some of the affected email accounts.”[94]
Characteristics and techniques
Fancy Bear employs advanced methods consistent with the capabilities of state actors.[95] They use spear phishing emails, malware drop websites disguised as news sources, and zero-day vulnerabilities. One cybersecurity research group noted their use of six different zero-day exploits in 2015, a technical feat that would require large numbers of programmers seeking out previously unknown vulnerabilities in top-of-the-line commercial software. This is regarded as a sign that Fancy Bear is a state-run program and not a gang or a lone hacker.[96][97]
One of Fancy Bear’s preferred targets is web-based email services. A typical compromise begins with web-based email users receiving an email urgently requesting that they change their passwords to avoid being hacked. The email contains a link to a spoof website designed to mimic a real webmail interface; when users attempt to log in, their credentials are stolen. The URL is often obscured as a shortened bit.ly link[98] in order to get past spam filters. Fancy Bear sends these phishing emails primarily on Mondays and Fridays. They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target’s computer.[96] Fancy Bear also registers domains that resemble legitimate websites, then creates a spoof of the site to steal credentials from their victims.[66] Fancy Bear has been known to relay its command traffic through proxy networks of victims that it has previously compromised.[99]
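The two lure features described above, shortened links and look-alike domains that borrow a real brand's name (as in the spoofed electronicfrontierfoundation.org), can be turned into a simple inbound-mail triage check. The following is an added example and not code from the article or from any vendor named in it; the shortener list, the brand-to-domain map, the lure phrases and the sample emails are all constructed assumptions.

```python
"""Triage of credential-phishing lures: shortened URLs and brand look-alike hosts.

Added example, not from the article. Domain lists, phrases and the sample
emails below are constructed; a real deployment would load them from an
allowlist and feed it messages from the mail gateway.
"""
import re
from urllib.parse import urlparse

# Link shorteners named in the text (bit.ly, TinyCC); extend for your environment.
SHORTENER_HOSTS = {"bit.ly", "tinycc.com", "tiny.cc"}

# Brand keyword -> registered domains the brand legitimately uses (assumption).
PROTECTED_BRANDS = {
    "electronicfrontier": {"eff.org"},
    "eff": {"eff.org"},
    "gmail": {"gmail.com", "google.com"},
    "google": {"google.com", "gmail.com"},
    "wada": {"wada-ama.org"},
}

# Wording typical of the "change your password now" lure described in the text.
LURE_PHRASES = (
    "change your password",
    "reset your password",
    "verify your account",
    "unusual sign-in",
)

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def registered_domain(host):
    """Last two labels of the host. Good enough for .com/.org/.ly without a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def lookalike_brands(host):
    """Brands whose keyword appears in the host while the registered domain is not the brand's own.

    Short keywords (under 5 characters, e.g. "eff") must match a whole label so
    that hosts like sheffield.example are not flagged; longer ones may be substrings.
    """
    reg = registered_domain(host)
    hits = []
    for keyword, legit in PROTECTED_BRANDS.items():
        if reg in legit:
            continue  # the brand's real domain, nothing to flag
        for label in host.lower().split("."):
            if label == keyword or (len(keyword) >= 5 and keyword in label):
                hits.append(keyword)
                break
    return hits


def score_url(url):
    """Return the URL, its host and the list of suspicious signals found."""
    host = urlparse(url).hostname or ""
    signals = []
    if registered_domain(host) in SHORTENER_HOSTS:
        signals.append("shortened-url")
    for brand in lookalike_brands(host):
        signals.append("lookalike:" + brand)
    return {"url": url, "host": host, "signals": signals}


def triage_email(body):
    """Score every URL in the body and report lure phrasing; suspicious if any URL has a signal."""
    findings = [score_url(u) for u in URL_RE.findall(body)]
    lowered = body.lower()
    lure = [p for p in LURE_PHRASES if p in lowered]
    return {
        "lure_phrases": lure,
        "urls": findings,
        "suspicious": any(f["signals"] for f in findings),
    }


# Constructed sample messages, not real captured mail.
SAMPLE_EMAILS = {
    "password_lure": "Your Gmail password expires today. Change your password here: https://bit.ly/2xAbCdE",
    "spoofed_domain": "Unusual sign-in detected. Review activity: https://accounts.gmail-security.com/login",
    "eff_spoof": "Please read our update at https://www.electronicfrontierfoundation.org/update",
    "benign": "See the post at https://www.eff.org/deeplinks/2015 for details.",
}

if __name__ == "__main__":
    for name, body in SAMPLE_EMAILS.items():
        result = triage_email(body)
        print(name, "->", "SUSPICIOUS" if result["suspicious"] else "ok",
              [f["signals"] for f in result["urls"]], result["lure_phrases"])
```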
Software that Fancy Bear has used includes ADVSTORESHELL, CHOPSTICK, JHUHUGIT, and XTunnel. Fancy Bear utilises a number of implants, including Foozer, WinIDS, X-Agent, X-Tunnel, Sofacy, and DownRange droppers.[66] Based on compile times, FireEye concluded that Fancy Bear has consistently updated their malware since 2007.[99] To avert detection, Fancy Bear returns to the environment to switch their implants, changes its command and control channels, and modifies its persistent methods.[95] The threat group implements counter-analysis techniques to obfuscate their code. They add junk data to encoded strings, making decoding difficult without the junk removal algorithm.[99] Fancy Bear takes measures to prevent forensic analysis of its hacks, resetting the timestamps on files and periodically clearing the event logs.[66]
According to an indictment by the United States Special Counsel, X-Agent was “developed, customized, and monitored” by GRU Lieutenant Captain Nikolay Yuryevich Kozachek.[2]
Fancy Bear has been known to tailor implants for target environments, for instance reconfiguring them to use local email servers.[99] In August 2015, Kaspersky Lab detected and blocked a version of the ADVSTORESHELL implant that had been used to target defense contractors. An hour and a half following the block, Fancy Bear actors had compiled and delivered a new backdoor for the implant.[27]
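The anti-forensic steps described above, periodic clearing of the event logs and resetting of file timestamps, leave their own traces that a defender can look for. The following is an added example, not code from the article or any vendor it cites; it runs two common forensic heuristics over constructed records: the Windows events written when a log is cleared (Security 1102, System 104), and a comparison of $STANDARD_INFORMATION against $FILE_NAME timestamps as a parsed MFT would expose them. All paths, users and times are made up.

```python
"""Heuristics for log clearing and timestomping, as an added example.

Event records mimic the fields of Windows Event Log entries; file records
carry the $STANDARD_INFORMATION modified time (user-mode writable) and the
$FILE_NAME created time (updated only by the kernel on rename/create).
Sample data is constructed.
"""
from datetime import datetime

# (event_id, channel) pairs Windows writes when a log is cleared.
LOG_CLEARED_EVENTS = {
    (1102, "Security"),  # "The audit log was cleared"
    (104, "System"),     # "The <log> log file was cleared" (Microsoft-Windows-Eventlog)
}

# Constructed event stream: a logon, two clears a second apart, another clear a week later.
SAMPLE_EVENTS = [
    {"time": "2016-03-19T21:02:11Z", "channel": "Security", "event_id": 4624, "user": "j.doe"},
    {"time": "2016-03-19T21:05:40Z", "channel": "Security", "event_id": 1102, "user": "j.doe"},
    {"time": "2016-03-19T21:05:41Z", "channel": "System", "event_id": 104, "user": "j.doe"},
    {"time": "2016-03-26T21:06:02Z", "channel": "Security", "event_id": 1102, "user": "j.doe"},
]

# Constructed file records. The second one has its $SI modified time set back
# to an OS-install date with zeroed sub-seconds, while $FN says it was created in 2016.
SAMPLE_FILES = [
    {"path": r"C:\Windows\System32\drivers\etc\hosts",
     "si_modified": "2009-07-14T01:04:12.123456Z", "fn_created": "2009-07-14T01:04:12.123456Z"},
    {"path": r"C:\ProgramData\Update\helper.dll",   # hypothetical path
     "si_modified": "2009-07-14T01:04:12.000000Z", "fn_created": "2016-03-19T21:03:55.481920Z"},
]


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp ending in Z (fromisoformat needs +00:00 on older Pythons)."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_log_clears(events):
    """Events that record a log being cleared."""
    return [e for e in events if (e["event_id"], e["channel"]) in LOG_CLEARED_EVENTS]


def clear_cadence_days(clears):
    """Gaps in days between successive clears; a steady cadence suggests scripted housekeeping."""
    times = sorted(parse_ts(e["time"]) for e in clears)
    return [round((b - a).total_seconds() / 86400, 1) for a, b in zip(times, times[1:])]


def timestomp_findings(files):
    """Flag files whose $SI timestamp predates $FN creation or has all-zero sub-seconds.

    Both patterns are classic side effects of SetFileTime-style timestamp resets;
    neither is proof on its own, so they are reported as signals for review.
    """
    out = []
    for f in files:
        si, fn = parse_ts(f["si_modified"]), parse_ts(f["fn_created"])
        signals = []
        if si < fn:
            signals.append("si-before-fn")
        if si.microsecond == 0:
            signals.append("zero-subseconds")
        if signals:
            out.append({"path": f["path"], "signals": signals})
    return out


if __name__ == "__main__":
    clears = find_log_clears(SAMPLE_EVENTS)
    print("log clears:", [(e["time"], e["channel"], e["event_id"]) for e in clears])
    print("days between clears:", clear_cadence_days(clears))
    print("timestomp candidates:", timestomp_findings(SAMPLE_FILES))
```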
Education
Unit 26165 was involved in the design of the curriculum at several Moscow public schools, including School 1101.[100]
Related personas
Fancy Bear sometimes creates online personas to sow disinformation, deflect blame, and create plausible deniability for their activities.[101]
Guccifer 2.0
Guccifer 2.0 is an online persona that first appeared, claiming responsibility for the DNC hacks, on the same day the story broke that Fancy Bear was responsible.[102] Guccifer 2.0 claims to be a Romanian hacker, but when interviewed by Motherboard magazine, they were asked questions in Romanian and appeared to be unable to speak the language.[103] Some documents they have released appear to be forgeries cobbled together from material from previous hacks and publicly available information, then salted with disinformation.[103]
Fancy Bears’ Hack Team
A website created to leak documents taken in the WADA and IAAF attacks was fronted with a brief manifesto dated September 13, 2016, proclaiming that the site is owned by “Fancy Bears’ hack team”, which it said is an “international hack team” who “stand for fair play and clean sport”.[104] The site took responsibility for hacking WADA and promised that it would provide “sensational proof of famous athletes taking doping substances”, beginning with the US Olympic team, which it said “disgraced its name by tainted victories”.[104] WADA said some of the documents leaked under this name were forgeries, and that data had been changed.[105][104]
Anonymous Poland
A Twitter account named “Anonymous Poland” (@anpoland) claimed responsibility for the attack on the World Anti-Doping Agency[106] and released data stolen from the Court of Arbitration for Sport, a secondary target.[107][108] ThreatConnect supports the view that Anonymous Poland is a sockpuppet of Fancy Bear, noting the change from a historical focus on internal politics. A screen capture video uploaded by Anonymous Poland shows an account with Polish language settings, but their browser history showed that they had made searches in Google.ru (Russia) and Google.com (US), not in Google.pl (Poland).[107]
See also
- BTC-e
- Cyberwarfare in Russia
- Dmitri Sergeyevich Badin
- Russian espionage in the United States
- Russian involvement in regime change
- Trolls from Olgino
- Sandworm Team, a term used to refer to Unit 74455
- The Plot to Hack America
Notes
1. According to cybersecurity firm FireEye, Fancy Bear uses a suite of tools that has been frequently updated since 2007 or perhaps even 2004.[96] Trend Micro said they can trace the activities of Pawn Storm back to 2004.[109]
2. Aleksei Sergeyevich Morenets (Моренец Алексей Сергеевич), Evgenii Mikhaylovich Serebriakov, Ivan Sergeyevich Yermakov (Ермаков Иван Сергеевич), Artem Andreyevich Malyshev (Малышев Артём Андреевич), Dmitriy Sergeyevich Badin (Бадин Дмитрий Сергеевич), Oleg Mikhaylovich Sotnikov (Олег Михайлович Сотников), Alexey Valerevich Minin (Алексей Валерьевич Минин).[87]
References
- ^ Ward, Vicky (October 24, 2016). “The Man Leading America’s Fight Against Russian Hackers Is Putin’s Worst Nightmare”. Esquire.com. Archived from the original on January 26, 2018. Retrieved December 13, 2016.
- ^ Poulson, Kevin (21 July 2018). “Mueller Finally Solves Mysteries About Russia’s ‘Fancy Bear’ Hackers”. The Daily Beast. Archived from the original on 23 July 2018. Retrieved 21 July 2018.
- ^ “Indicting 12 Russian Hackers Could Be Mueller’s Biggest Move Yet”. Wired. Archived from the original on 13 July 2018. Retrieved 4 October 2018.
- ^ Gritzalis, Dimitris; Theocharidou, Marianthi; Stergiopoulos, George (2019-01-10). Critical Infrastructure Security and Resilience: Theories, Methods, Tools … Springer, 2019. ISBN 9783030000240.
- ^ “INTERNATIONAL SECURITY AND ESTONIA” (PDF). Valisluureamet.ee. 2018. Archived from the original (PDF) on 26 October 2020. Retrieved 4 October 2018.
- ^ “Meet Fancy Bear and Cozy Bear, Russian groups blamed for DNC hack”. The Christian Science Monitor. 15 June 2016. Archived from the original on 8 April 2022. Retrieved 4 October 2018.
- ^ Wintour, Patrick (3 October 2018). “UK accuses Kremlin of ordering series of ‘reckless’ cyber-attacks”. the Guardian. Archived from the original on 9 July 2022. Retrieved 4 October 2018.
- ^ Threat Group-4127 Targets Hillary Clinton Presidential Campaign. Secureworks.com (Report). 16 June 2016. Archived from the original on 20 July 2016. Retrieved 22 December 2016. Quote: “and is gathering intelligence on behalf of the Russian government.”
- ^ “Russian Cyber Operations on Steroids”. Threatconnect.com. 19 August 2016. Archived from the original on 23 December 2016. Retrieved 22 December 2016. Quote: “Russian FANCY BEAR tactics”.
- ^ “APT28: A Window into Russia’s Cyber Espionage Operations?”. Fireeye.com. 27 October 2016. Archived from the original on 11 September 2016. Retrieved 1 September 2015. Quote: “We assess that APT28 is most likely sponsored by the Russian government”.
- ^ “Investigation into Russian military units engaged in psychological operations (PSYOP) and hacking attacks — Molfar”. molfar.com. Retrieved 2023-07-24.
- ^ “Russia accuses Ukraine of drone attacks in Moscow – DW – 07/24/2023”. dw.com. Retrieved 2023-07-24.
- ^ Robin, Sébastien (2023-07-25). “Ukrainian Drones Attacked Russian Spies in Moscow—and ‘There Will Be More of It'”. ca.news.yahoo.com. Retrieved 2024-05-04.
- ^ “The Man Leading America’s Fight Against Russian Hackers Is Putin’s Worst Nightmare”. Esquire.com. 2016-10-24. Archived from the original on 2018-01-26. Retrieved 2017-05-07.
- ^ Hern, Alex (8 May 2017). “Macron hackers linked to Russian-affiliated group behind US attack”. the Guardian. Archived from the original on 13 April 2018. Retrieved 16 March 2018.
- ^ Gogolinski, Jim (22 October 2014). “Operation Pawn Storm: The Red in SEDNIT”. Trend Micro. Archived from the original on 8 September 2015. Retrieved 1 September 2015.
- ^ “Operation Pawn Storm: Using Decoys to Evade Detection” (PDF). Trend Micro. 2014. Archived (PDF) from the original on 2016-09-13. Retrieved 2015-09-01.
- ^ Menn, Joseph (April 18, 2015). “Russian cyber attackers used two unknown flaws: security company”. Reuters. Archived from the original on June 29, 2021. Retrieved July 5, 2021.
- ^ Kumar, Mohit (October 30, 2014). “APT28 — State Sponsored Russian Hacker Group”. The Hacker News. Archived from the original on October 22, 2015. Retrieved September 1, 2015.
- ^ Mamiit, Aaron (October 30, 2014). “Meet APT28, Russian-backed malware for gathering intelligence from governments, militaries: Report”. Tech Times. Archived from the original on August 14, 2016. Retrieved September 1, 2015.
- ^ “APT28: A Window into Russia’s Cyber Espionage Operations?”. FireEye.com. October 27, 2014. Archived from the original on September 11, 2016. Retrieved September 1, 2015.
- ^ Weissman, Cale Guthrie (June 11, 2015). “France: Russian hackers posed as ISIS to hack a French TV broadcaster”. Business Insider. Archived from the original on August 16, 2016. Retrieved September 1, 2015.
- ^ Satter, Raphael; Donn, Jeff; Myers, Justin (2 November 2017). “Digital hitlist shows Russian hacking went well beyond U.S. elections”. Chicago Tribune. AP. Archived from the original on 9 November 2017. Retrieved 10 November 2017.
- ^ Yadron, Danny (October 28, 2014). “Hacking Trail Leads to Russia, Experts Say”. The Wall Street Journal. Archived from the original on May 19, 2017. Retrieved March 7, 2017.
- ^ “FBI’s Comey: Republicans also hacked by Russia | CNN Politics”. CNN. 10 January 2017.
- ^ Satter, Raphael; Donn, Jeff (November 1, 2017). “Russian hackers pursued Putin foes, not just U.S. Democrats”. U.S. News & World Report. Associated Press. Archived from the original on December 12, 2017. Retrieved November 2, 2017.
- ^ Kaspersky Lab’s Global Research & Analysis Team (December 4, 2015). “Sofacy APT hits high profile targets with updated toolset – Securelist”. Securelist. Archived from the original on May 27, 2017. Retrieved December 13, 2016.
- ^ “Russian hackers hunted journalists in years-long campaign”. Star-Advertiser. Honolulu. Associated Press. December 22, 2017. Archived from the original on December 23, 2017. Retrieved December 23, 2017.
- ^ “Russian Hackers Suspected In Cyberattack On German Parliament”. London South East. Alliance News. June 19, 2015. Archived from the original on March 7, 2016. Retrieved September 1, 2015.
- ^ “Germany Issues Arrest Warrant for Russian Suspect in Parliament Hack: Newspaper”. The New York Times. Reuters. 5 May 2020. Archived from the original on 5 May 2020. Retrieved 5 May 2020.
- ^ Bennhold, Katrin (13 May 2020). “Merkel Is ‘Outraged’ by Russian Hack but Struggling to Respond”. The New York Times. Archived from the original on 14 May 2020. Retrieved 14 May 2020.
- ^ “Hackers lurking, parliamentarians told”. Deutsche Welle. Archived from the original on 21 April 2021. Retrieved 21 September 2016.
- ^ “Hackerangriff auf deutsche Parteien”. Süddeutsche Zeitung. Archived from the original on 21 April 2021. Retrieved 21 September 2016.
- ^ Holland, Martin (20 September 2016). “Angeblich versuchter Hackerangriff auf Bundestag und Parteien”. Heise. Archived from the original on 1 April 2019. Retrieved 21 September 2016.
- ^ “Wir haben Fingerabdrücke”. Frankfurter Allgemeine. Archived from the original on 22 March 2019. Retrieved 21 September 2016.
- ^ “Russian Hackers Who Posed As ISIS Militants Threatened Military Wives”. Talkingpointsmemo.com. 8 May 2018. Archived from the original on 12 July 2018. Retrieved 4 October 2018.
- ^ “Russian hackers posed as IS to threaten military wives”. Chicago Tribune. Archived from the original on 12 June 2018. Retrieved 7 June 2018.
- ^ Brown, Jennings (8 May 2018). “Report: Russian Hackers Posed as ISIS to Attack U.S. Military Wives”. gizmodo.com. Archived from the original on 12 June 2018. Retrieved 4 October 2018.
- ^ “Russian hackers posed as IS to threaten military wives”. Apnews.com. 8 May 2018. Archived from the original on 17 August 2018. Retrieved 4 October 2018.
- ^ “France probes Russian lead in TV5Monde hacking: sources”. Reuters. June 10, 2015. Archived from the original on 19 January 2016. Retrieved 9 July 2015.
- ^ “Hacked French network exposed its own passwords during TV interview”. Ars Technica. Archived 2017-07-22 at the Wayback Machine.
- ^ “Isil hackers seize control of France’s TV5Monde network in ‘unprecedented’ attack”. The Daily Telegraph. April 9, 2015. Archived from the original on April 9, 2015. Retrieved April 10, 2015.
- ^ “French media groups to hold emergency meeting after Isis cyber-attack”. The Guardian. April 9, 2015. Archived from the original on April 10, 2015. Retrieved April 10, 2015.
- ^ “French TV network TV5Monde ‘hacked by cyber caliphate in unprecedented attack’ that revealed personal details of French soldiers”. The Independent. April 9, 2015. Archived from the original on September 25, 2015. Retrieved April 9, 2015.
- ^ Suiche, Matt (June 10, 2017). “Lessons from TV5Monde 2015 Hack”. Comae Technologies. Archived from the original on June 13, 2017.
- ^ Gordon Corera (10 October 2016). “How France’s TV5 was almost destroyed by ‘Russian hackers'”. BBC News. Archived from the original on 25 June 2018. Retrieved 21 July 2018.
- ^ Walker, Danielle (May 13, 2015). “APT28 orchestrated attacks against global banking sector, firm finds”. SC Magazine. Archived from the original on March 2, 2018. Retrieved September 1, 2015.
- ^ “Security Firm Redefines APT: African Phishing Threat”. Krebs on Security. May 20, 2015. Archived from the original on July 18, 2015. Retrieved September 1, 2015.
- ^ “Digital Attack on German Parliament: Investigative Report on the Hack of the Left Party Infrastructure in Bundestag”. netzpolitik.org. 19 June 2015. Archived from the original on 22 March 2018. Retrieved 16 March 2018.
- ^ “Nothing found for Products Orkos Dfd” (PDF). www.root9b.com. Archived (PDF) from the original on 1 March 2018. Retrieved 4 October 2018.
- ^ Doctorow, Cory (August 28, 2015). “Spear phishers with suspected ties to Russian government spoof fake EFF domain, attack White House”. Boing Boing. Archived from the original on March 22, 2019. Retrieved September 1, 2015.
- ^ Quintin, Cooper (August 27, 2015). “New Spear Phishing Campaign Pretends to be EFF”. Eff.org. Archived from the original on August 7, 2019. Retrieved September 1, 2015.
- ^ Hyacinth Mascarenhas (August 23, 2016). “Russian hackers ‘Fancy Bear’ likely breached Olympic drug-testing agency and DNC, experts say”. International Business Times. Archived from the original on April 21, 2021. Retrieved September 13, 2016.
- ^ “What we know about Fancy Bears hack team”. BBC News. Archived from the original on 22 March 2019. Retrieved 17 September 2016.
- ^ Gallagher, Sean (6 October 2016). “Researchers find fake data in Olympic anti-doping, Guccifer 2.0 Clinton dumps”. Ars Technica. Archived from the original on 14 July 2017. Retrieved 26 October 2016.
- ^ Thielman, Sam (August 22, 2016). “Same Russian hackers likely breached Olympic drug-testing agency and DNC”. The Guardian. Archived from the original on December 15, 2016. Retrieved December 11, 2016.
- ^ Meyer, Josh (September 14, 2016). “Russian hackers post alleged medical files of Simone Biles, Serena Williams”. NBC News. Archived from the original on May 7, 2020. Retrieved April 17, 2020.
- ^ “American Athletes Caught Doping”. Fancybear.net. September 13, 2016. Archived from the original on December 24, 2017. Retrieved November 2, 2016.
- ^ Nakashima, Ellen (28 September 2016). “Russian hackers harassed journalists who were investigating Malaysia Airlines plane crash”. The Washington Post. Archived from the original on 23 April 2019. Retrieved 26 October 2016.
- ^ ThreatConnect (28 September 2016). “ThreatConnect reviews activity targeting Bellingcat, a key contributor in the MH17 investigation”. ThreatConnect. Archived from the original on 21 April 2021. Retrieved 26 October 2016.
- ^ Feike Hacquebord (22 October 2015). “Pawn Storm Targets MH17 Investigation Team”. Trend Micro. Archived from the original on 10 November 2016. Retrieved 4 November 2016.
- ^ “Russia ‘tried to hack MH17 inquiry system'”. AFP. 23 October 2015. Archived from the original on 21 August 2018. Retrieved 4 November 2016.
- ^ Sanger, David E.; Corasaniti, Nick (14 June 2016). “D.N.C. Says Russian Hackers Penetrated Its Files, Including Dossier on Donald Trump”. The New York Times. Archived from the original on 25 July 2019. Retrieved 26 October 2016.
- ^ Satter, Raphael; Donn, Jeff; Day, Chad (4 November 2017). “Inside story: How Russians hacked the Democrats’ emails”. AP News. Archived from the original on 6 November 2017. Retrieved 10 November 2017.
- ^ “Bear on bear”. The Economist. 22 September 2016. Archived from the original on 20 May 2017. Retrieved 14 December 2016.
- ^ Alperovitch, Dmitri (June 15, 2016). “Bears in the Midst: Intrusion into the Democratic National Committee”. Crowdstrike.com. Archived from the original on May 24, 2019. Retrieved December 13, 2016.
- ^ “Ukraine’s military denies Russian hack attack”. Yahoo! News. 6 January 2017. Archived from the original on 7 January 2017. Retrieved 6 January 2017.
- ^ Meyers, Adam (22 December 2016). “Danger Close: Fancy Bear Tracking of Ukrainian Field Artillery Units”. Crowdstrike.com. Archived from the original on 1 January 2017. Retrieved 22 December 2016.
- ^ “Defense ministry denies reports of alleged artillery losses because of Russian hackers’ break into software”. Interfax-Ukraine. January 6, 2017. Archived from the original on January 7, 2017. Retrieved January 6, 2017.
- ^ Kuzmenko, Oleksiy; Cobus, Pete. “Cyber Firm Rewrites Part of Disputed Russian Hacking Report”. Voanews.com. Archived from the original on 22 December 2021. Retrieved 26 March 2017.
- ^ Gallagher, Sean (1 November 2016). “Windows zero-day exploited by same group behind DNC hack”. Ars Technica. Archived from the original on 2 November 2016. Retrieved 2 November 2016.
- ^ Modderkolk, Huib (February 4, 2017). “Russen faalden bij hackpogingen ambtenaren op Nederlandse ministeries”. De Volkskrant (in Dutch). Archived from the original on February 4, 2017. Retrieved February 4, 2017.
- ^ Cluskey, Peter (February 3, 2017). “Dutch opt for manual count after reports of Russian hacking”. The Irish Times. Archived from the original on September 19, 2020. Retrieved February 20, 2020.
- ^ Rogers, James (April 3, 2017). “International athletics body IAAF hacked, warns that athletes’ data may be compromised”. Fox News. Archived from the original on May 17, 2017. Retrieved May 14, 2017.
- ^ “IAAF Says It Has Been Hacked, Athlete Medical Info Accessed”. Voice of America. Associated Press. April 3, 2017. Archived from the original on May 17, 2017. Retrieved May 14, 2017.
- ^ Eric Auchard (24 April 2017). “Macron campaign was target of cyber attacks by spy-linked group”. Reuters.com. Archived from the original on 26 April 2017. Retrieved 27 April 2017.
- ^ Seddon, Max; Stothard, Michael (May 4, 2017). “Putin awaits return on Le Pen investment”. Financial Times. Archived from the original on May 5, 2017.
- ^ “Russia-linked Hackers Target German Political Foundations”. Handelsblatt. 26 April 2017. Archived from the original on 12 August 2018. Retrieved 26 April 2017.
- ^ Matsakis, Louise (January 10, 2018). “Hack Brief: Russian Hackers Release Apparent IOC Emails in Wake of Olympics Ban”. Wired. Archived from the original on January 13, 2018. Retrieved January 12, 2018.
- ^ Rebecca R. Ruiz, Rebecca Russian Hackers Release Stolen Emails in New Effort to Undermine Doping Investigators Archived 2018-01-13 at the Wayback Machine, The New York Times (January 10, 2018).
- ^ Nick Griffin, Performanta,[1] Archived 2018-02-06 at the Wayback Machine (January 26, 2018).
- ^ Johnson, Simon; Swahnberg, Olof (May 15, 2018). Pollard, Niklas; Lawson, Hugh (eds.). “Swedish sports body says anti-doping unit hit by hacking attack”. Reuters. Archived from the original on May 25, 2018. Retrieved May 24, 2018.
- ^ “Microsoft ‘halts Russian political hack'”. BBC News. 2018-08-21. Archived from the original on 2018-08-21. Retrieved 2018-08-21.
- ^ Smith, Brad (21 August 2018). “We are taking new steps against broadening threats to democracy”. Microsoft. Archived from the original on 21 August 2018. Retrieved 22 August 2018.
- ^ Jump up to:a b c Raphael Satter (27 August 2018). “Russian Cyberspies Spent Years Targeting Orthodox Clergy”. Bloomberg. Associated Press. Archived from the original on 2018-08-29. Retrieved 2018-08-28.
- ^ Jump up to:a b c “U.S. Charges Russian GRU Officers with International Hacking and Related Influence and Disinformation Operations” (Press release). United States Department of Justice. Archived from the original on 2018-10-04. Retrieved 2018-11-28.
- ^ Jump up to:a b Brady, Scott W. “Indictment 7 GRU Officers_Oct2018” (PDF). United States District Court for the Western District of Pennsylvania. Archived (PDF) from the original on June 8, 2020. Retrieved July 8, 2018.
- ^ Dwoskin, Elizabeth; Timberg, Craig (February 19, 2019). “Microsoft says it has found another Russian operation targeting prominent think tanks”. The Washington Post. Archived from the original on February 22, 2019. Retrieved February 22, 2019.
The “spear-phishing” attacks — in which hackers send out phony emails intended to trick people into visiting websites that look authentic but in fact enable them to infiltrate their victims’ corporate computer systems — were tied to the APT28 hacking group, a unit of Russian military intelligence that interfered in the 2016 U.S. election. The group targeted more than 100 European employees of the German Marshall Fund, the Aspen Institute Germany, and the German Council on Foreign Relations, influential groups that focus on transatlantic policy issues.
- ^ Burt, Tom (February 20, 2019). “New steps to protect Europe from continued cyber threats”. Microsoft. Archived from the original on February 20, 2019. Retrieved February 22, 2019.
The attacks against these organizations, which we’re disclosing with their permission, targeted 104 accounts belonging to organization employees located in Belgium, France, Germany, Poland, Romania, and Serbia. MSTIC continues to investigate the sources of these attacks, but we are confident that many of them originated from a group we call Strontium. The attacks occurred between September and December 2018. We quickly notified each of these organizations when we discovered they were targeted so they could take steps to secure their systems, and we took a variety of technical measures to protect customers from these attacks.
- ^ Tucker, Patrick (2019-02-20). “Russian Attacks Hit US-European Think Tank Emails, Says Microsoft”. Defense One. Archived from the original on 2019-04-07. Retrieved 2019-04-07.
- ^ “Microsoft Says Russian Hackers Targeted European Think Tanks”. Bloomberg. 2019-02-20. Archived from the original on 2019-04-07. Retrieved 2019-04-07.
- ^ “Kyberútok na českou diplomacii způsobil cizí stát, potvrdil Senátu NÚKIB”. iDNES.cz. 2019-08-13. Archived from the original on 2020-11-06. Retrieved 2020-09-15.
- ^ Zpráva o stavu kybernetické bezpečnosti České republiky za rok 2019 (PDF). NÚKIB. 2020. Archived (PDF) from the original on 2020-09-17. Retrieved 2020-09-15.
- ^ “Norway says Russian groups ‘likely’ behind Parliament cyber attack”. 8 December 2020. Archived from the original on 16 December 2020. Retrieved 15 December 2020.
- ^ Jump up to:a b Robinson, Teri (14 June 2016). “Russian hackers access Trump files in DNC hack”. SC Magazine US. Archived from the original on 20 December 2016. Retrieved 13 December 2016.
- ^ Jump up to:a b c Thielman, Sam; Ackerman, Spencer (29 July 2016). “Cozy Bear and Fancy Bear: did Russians hack Democratic party and if so, why?”. The Guardian. ISSN 0261-3077. Archived from the original on 2016-12-15. Retrieved 2016-12-12.
- ^ Cluley, Graham (20 October 2016). “New ESET research paper puts Sednit under the microscope”. WeLiveSecurity. Archived from the original on 25 October 2016. Retrieved 26 October 2016.
- ^ Frenkel, Sheera (October 15, 2016). “Meet Fancy Bear, The Russian Group Hacking The US Election”. BuzzFeed. Archived from the original on June 15, 2018. Retrieved November 2, 2016.
- ^ Jump up to:a b c d “APT28: A Window Into Russia’s Cyber Espionage Operations?” (PDF). Fireeye.com. 2014. Archived from the original (PDF) on 2017-01-10. Retrieved 2016-12-13.
- ^ Troianovski, Anton; Nakashima, Ellen; Harris, Shane (December 28, 2018). “How Russia’s military intelligence agency became the covert muscle in Putin’s duels with the West”. The Washington Post. Archived from the original on December 29, 2018.
- ^ “Hacktivists vs Faketivists: Fancy Bears in Disguise”. Threatconnect.com. 13 December 2016. Archived from the original on 20 December 2016. Retrieved 15 December 2016.
- ^ Koebler, Jason (15 June 2016). “‘Guccifer 2.0’ Claims Responsibility for DNC Hack, Releases Docs to Prove it”. Motherboard. Archived from the original on 4 November 2016. Retrieved 3 November 2016.
- ^ Jump up to:a b Franceschi-Bicchierai, Lorenzo (4 October 2016). “‘Guccifer 2.0’ Is Bullshitting Us About His Alleged Clinton Foundation Hack”. Motherboard. Archived from the original on 4 November 2016. Retrieved 3 November 2016.
- ^ Jump up to:a b c Bartlett, Evan (26 March 2018). “Fancy Bears: Who are the shady hacking group exposing doping, cover-ups and corruption in sport?”. The Independent. Archived from the original on 25 May 2018. Retrieved 24 May 2018.
- ^ BBC (5 October 2016). “Fancy Bears doping data ‘may have been changed’ says Wada”. BBC. Archived from the original on 4 November 2016. Retrieved 3 November 2016.
- ^ Nance, Malcolm (2016). The Plot to Hack America: How Putin’s Cyberspies and WikiLeaks Tried to Steal the 2016 Election. Skyhorse Publishing. ISBN 978-1-5107-2333-7.
- ^ Jump up to:a b Cimpanu, Catalin (23 August 2016). “Russia Behind World Anti-Doping Agency & International Sports Court Hacks”. Softpedia. Archived from the original on 21 December 2016. Retrieved 15 December 2016.
- ^ “World Anti-Doping Agency Site Hacked; Thousands of Accounts Leaked”. HackRead. 12 August 2016. Archived from the original on 20 December 2016. Retrieved 15 December 2016.
- ^ Feike Hacquebord (2017). Two Years of Pawn Storm — Examining an Increasingly Relevant Threat (PDF) (Report). Trend Micro. Archived (PDF) from the original on 2017-07-05. Retrieved 2017-04-27.
External links
- “Microsoft Security Intelligence Report: Strontium”. Microsoft Malware Protection Center. November 15, 2015.
WannaCry ransomware attack
Screenshot of the ransom note left on an infected system

| Attribute | Detail |
|---|---|
| Date | 12 May 2017 – 15 May 2017 (initial outbreak)[1] |
| Duration | 4 days |
| Location | Worldwide |
| Also known as | WannaCrypt, Wana Decrypt0r 2.0, WanaCrypt0r 2.0, Wanna Decryptor (the name varies between “Wanna” and “Wana”, between “Cryptor”, “Crypt0r”, “Decryptor”, “Crypt” and “Cry”, with or without “2.0”; short forms include WN, W and CRY) |
| Type | Cyberattack |
| Theme | Ransomware encrypting files with $300–600 USD demand (via bitcoin) |
| Cause | WannaCry worm |
| Outcome | 300,000+ computers infected[2][3][4] |
| Suspects | Lazarus Group |
| Accused | Two North Koreans indicted |
| Convictions | None |
| Subtype | Ransomware |
| Point of origin | Pyongyang, North Korea |
| Author(s) | Lazarus Group (not confirmed) |
| Operating system(s) affected | Microsoft Windows |
The WannaCry ransomware attack was a worldwide cyberattack in May 2017 by the WannaCry ransomware cryptoworm, which targeted computers running the Microsoft Windows operating system by encrypting data and demanding ransom payments in the Bitcoin cryptocurrency.[5] It propagated using EternalBlue, an exploit developed by the United States National Security Agency (NSA) for Windows systems that had been stolen and leaked by a group called The Shadow Brokers a month before the attack. Microsoft had already released patches that closed the underlying vulnerability, but much of WannaCry’s spread came from organizations that had not applied them or were running older Windows versions that were past their end-of-life. Many organizations that skipped the patches cited a need for 24/7 operation, the risk of previously working applications breaking because of the changes, or a lack of personnel or time to install them.
The attack began at 07:44 UTC on 12 May 2017 and was halted a few hours later at 15:03 UTC by the registration of a kill switch discovered by Marcus Hutchins. The kill switch prevented already infected computers from being encrypted or further spreading WannaCry.[6] The attack was estimated to have affected more than 300,000 computers[7] across 150 countries,[7] with total damages ranging from hundreds of millions to billions of dollars. At the time, security experts believed from preliminary evaluation of the worm that the attack originated from North Korea or agencies working for the country. In December 2017, the United States and United Kingdom formally asserted that North Korea was behind the attack, although North Korea has denied any involvement with the attack.[8]
A new variant of WannaCry forced Taiwan Semiconductor Manufacturing Company (TSMC) to temporarily shut down several of its chip-fabrication factories in August 2018. The worm spread onto 10,000 machines in TSMC’s most advanced facilities.[9]
Description
WannaCry is a ransomware cryptoworm, which targets computers running the Microsoft Windows operating system by encrypting (locking) data and demanding ransom payments in the Bitcoin cryptocurrency. The worm is also known as WannaCrypt,[10] Wana Decrypt0r 2.0,[11] WanaCrypt0r 2.0,[12] and Wanna Decryptor.[13] It is considered a network worm because it also includes a transport mechanism to automatically spread itself. This transport code scans for vulnerable systems, then uses the EternalBlue exploit to gain access, and the DoublePulsar tool to install and execute a copy of itself.[14] WannaCry versions 0, 1, and 2 were created using Microsoft Visual C++ 6.0.[15]
EternalBlue is an exploit of Microsoft’s implementation of their Server Message Block (SMB) protocol released by The Shadow Brokers. Much of the attention and comment around the event was occasioned by the fact that the U.S. National Security Agency (NSA) (from whom the exploit was likely stolen) had already discovered the vulnerability, but used it to create an exploit for its own offensive work, rather than report it to Microsoft.[16][17] Microsoft eventually discovered the vulnerability, and on Tuesday, 14 March 2017, they issued security bulletin MS17-010, which detailed the flaw and announced that patches had been released for all Windows versions that were currently supported at that time, these being Windows Vista, Windows 7, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, and Windows Server 2016.[18]
DoublePulsar is a backdoor tool, also released by The Shadow Brokers on 14 April 2017. Starting from 21 April 2017, security researchers reported that there were tens of thousands of computers with the DoublePulsar backdoor installed.[19] By 25 April, reports estimated that the number of infected computers could be up to several hundred thousand, with numbers increasing every day.[20][21] The WannaCry code can take advantage of any existing DoublePulsar infection, or installs it itself.[14][22][23] On 9 May 2017, private cybersecurity company RiskSense released code on GitHub with the stated purpose of allowing legal white hat penetration testers to test the CVE-2017-0144 exploit on unpatched systems.[24]
When executed, the WannaCry malware first checks the kill switch domain name (iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com); if the domain cannot be reached, the ransomware encrypts the computer’s data,[25][26][27] then attempts to exploit the SMB vulnerability to spread to random computers on the Internet[28] and laterally to computers on the same network.[29] On the local system, the WannaCry executable extracts and installs binary and configuration files from its resource section. It also hides the extracted directory, modifies security descriptors, creates an encryption key, deletes shadow copies, and so on. As with other modern ransomware, the payload displays a message informing the user that their files have been encrypted, and demands a payment of around US$300 in bitcoin within three days, or US$600 within seven days (equivalent to about $370 and $750 in 2023),[26][30] warning that “you have not so enough time. [sic]” Three hardcoded bitcoin addresses, or wallets, are used to receive victims’ payments. As with all such wallets, their transactions and balances are publicly accessible even though the wallet owners remain unknown.[31]
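As an added example (not code from the article or from any published WannaCry analysis), the following Python models the gate described above and then turns the same behaviour into two detection checks run over constructed log lines: which hosts looked up the kill-switch name, and which hosts fanned out on TCP/445 the way the propagation code does. The log formats, the RFC 1918 definition of “internal”, and the fan-out threshold are assumptions of the example, not facts from the page.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Callable, Dict, List

# Kill-switch domain hardcoded in the original WannaCry sample (from the article).
KILL_SWITCH_DOMAIN = "iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"


def should_detonate(fetch: Callable[[str], bool], domain: str = KILL_SWITCH_DOMAIN) -> bool:
    """Model of the gate: the worm continues only when the HTTP request to the
    kill-switch domain fails. Once the domain is registered (the sinkhole), the
    request succeeds and the process exits before encrypting or scanning.
    `fetch` stands in for the network call and returns True on success."""
    try:
        reached = fetch("http://" + domain)
    except OSError:
        reached = False
    return not reached


# Constructed DNS query log, one line per query: "<ts> <client> query <qname> <rcode>".
SAMPLE_DNS_LOG = """\
2017-05-12T07:51:02Z 10.20.1.15 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com NXDOMAIN
2017-05-12T07:51:05Z 10.20.1.15 query update.microsoft.com NOERROR
2017-05-12T08:10:44Z 10.20.3.7 query www.example.org NOERROR
2017-05-12T16:22:09Z 10.20.5.42 query iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com. NOERROR
"""
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<rcode>\S+)$")


def find_killswitch_lookups(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, List[dict]]:
    """Any lookup of the kill-switch name means the binary ran on that client.
    NXDOMAIN (before the sinkhole existed, or when the client could not reach
    it) means the payload went on to encrypt and scan; NOERROR means the gate
    closed and the process should have exited."""
    hits: Dict[str, List[dict]] = defaultdict(list)
    for line in log_text.splitlines():
        m = DNS_RE.match(line)
        if not m:
            continue
        if m["qname"].rstrip(".").lower() == domain:
            hits[m["client"]].append({
                "ts": m["ts"],
                "rcode": m["rcode"],
                "likely_detonated": m["rcode"] != "NOERROR",
            })
    return dict(hits)


# Constructed connection log: "<ts> <src> <dst> <dport> <proto>".
SAMPLE_CONN_LOG = """\
2017-05-12T07:52:10Z 10.20.1.15 198.51.100.7 445 tcp
2017-05-12T07:52:10Z 10.20.1.15 203.0.113.88 445 tcp
2017-05-12T07:52:11Z 10.20.1.15 192.0.2.19 445 tcp
2017-05-12T07:52:11Z 10.20.1.15 10.20.1.22 445 tcp
2017-05-12T07:52:12Z 10.20.1.15 10.20.1.23 445 tcp
2017-05-12T07:52:30Z 10.20.3.7 10.20.3.1 445 tcp
2017-05-12T07:53:00Z 10.20.3.7 10.20.3.1 445 tcp
2017-05-12T07:53:05Z 10.20.3.7 10.20.3.9 443 tcp
"""
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) (?P<proto>\S+)$")

# Assumption: "internal" means RFC 1918 space; anything else is treated as Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def find_smb_scanners(log_text: str, threshold: int = 4) -> Dict[str, Dict[str, int]]:
    """Flag sources that opened TCP/445 to at least `threshold` distinct hosts.
    Ordinary clients talk to a handful of file servers; the worm fans out to
    many addresses, including public ones. The threshold is a tuning assumption."""
    targets: Dict[str, set] = defaultdict(set)
    for line in log_text.splitlines():
        m = CONN_RE.match(line)
        if not m or m["proto"] != "tcp" or int(m["dport"]) != 445:
            continue
        targets[m["src"]].add(m["dst"])
    report: Dict[str, Dict[str, int]] = {}
    for src, dsts in targets.items():
        if len(dsts) >= threshold:
            public = sum(1 for d in dsts if not is_internal(d))
            report[src] = {"distinct_targets": len(dsts), "internet_targets": public}
    return report
```

The NXDOMAIN/NOERROR split matters for triage: a host that received an answer should have exited, but a host that could not reach the domain at all (for example, one whose only egress is a proxy that the worm’s direct request did not use) still ran the payload even after the sinkhole existed, so the DNS check is a signal of execution, not proof that the gate closed.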
Several organizations released detailed technical write-ups of the malware, including a senior security analyst at RiskSense,[32][33] Microsoft,[34] Cisco,[14] Malwarebytes,[28] Symantec, and McAfee.[29]
Attack
The attack began on Friday, 12 May 2017,[35][36] with evidence pointing to an initial infection in Asia at 07:44 UTC.[35][37] The initial infection was likely through an exposed vulnerable SMB port,[38] rather than email phishing as initially assumed.[35] Within a day the code was reported to have infected more than 230,000 computers in over 150 countries.[39][40]
Organizations that had not installed Microsoft’s March 2017 security update (MS17-010) were affected by the attack.[41] Those still running unsupported versions of Microsoft Windows, such as Windows XP and Windows Server 2003,[42][43] were at particularly high risk because no security patches had been released since April 2014 for Windows XP and July 2015 for Windows Server 2003.[10] A Kaspersky Lab study reported, however, that less than 0.1 percent of the affected computers were running Windows XP, and that 98 percent of the affected computers were running Windows 7.[10][44] In a controlled testing environment, the cybersecurity firm Kryptos Logic found that it was unable to infect a Windows XP system with WannaCry using just the exploits, as the payload failed to load, or caused the operating system to crash rather than actually execute and encrypt files. However, when executed manually, WannaCry could still operate on Windows XP.[45][46][47]
Defensive response
Experts quickly advised affected users against paying the ransom due to no reports of people getting their data back after payment and as high revenues would encourage more of such campaigns.[48][49][50] As of 14 June 2017, after the attack had subsided, a total of 327 payments totaling US$130,634.77 (51.62396539 BTC) had been transferred.[51]
The day after the initial attack in May, Microsoft released out-of-band security updates for the end-of-life products Windows XP, Windows Server 2003 and Windows 8; these patches had been created in February, but were previously only available to those who paid for a custom support plan.[52][43] Organizations were advised to patch Windows and plug the vulnerability in order to protect themselves from the attack. The head of Microsoft’s Cyber Defense Operations Center, Adrienne Hall, said that “Due to the elevated risk for destructive cyber-attacks at this time, we made the decision to take this action because applying these updates provides further protection against potential attacks with characteristics similar to WannaCrypt [alternative name to WannaCry]”.[53][54]
Researcher Marcus Hutchins[55][56] discovered the kill switch domain hardcoded in the malware.[57][58][59] Registering the domain and pointing it at a DNS sinkhole stopped the worm’s spread: WannaCry only encrypted files and scanned for new victims when it was unable to reach that domain, which is what every machine infected before the registration had experienced. Registration did not help systems that were already encrypted, but it sharply slowed the initial wave and bought time for defensive measures to be deployed worldwide, particularly in North America and Asia, which had not yet been hit to the same extent as elsewhere.[60][61][62][63][64] On 14 May, a first variant of WannaCry appeared with a new, second[65] kill switch, which Matt Suiche registered the same day. A second variant with a third and final kill switch followed on 15 May; Check Point threat intelligence analysts registered that one.[66][67] A few days later, a version of WannaCry was detected that lacked a kill switch altogether.[68][69][70][71]
On 19 May, it was reported that hackers were trying to use a Mirai botnet variant to effect a distributed denial-of-service attack on WannaCry’s kill-switch domain with the intention of knocking it offline.[72] On 22 May, Hutchins protected the domain by switching to a cached version of the site, capable of dealing with much higher traffic loads than the live site.[73]
Separately, researchers from University College London and Boston University reported that their PayBreak system could defeat WannaCry and several other families of ransomware by recovering the keys used to encrypt the user’s data.[74][75]
It was discovered that the Windows encryption APIs used by WannaCry may not completely clear from memory the prime numbers used to generate the payload’s private key, making it potentially possible to retrieve the required key if those values had not yet been overwritten or cleared from resident memory. The key material survives only if the WannaCry process has not been killed and the computer has not been rebooted since the infection.[76] This behaviour was used by a French researcher to develop a tool known as WannaKey, which automates this process on Windows XP systems.[77][78][79] This approach was iterated upon by a second tool known as Wanakiwi, which was tested to work on Windows 7 and Server 2008 R2 as well.[80]
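The recovery idea described above, worked through on a toy RSA key as an added example (this is not the WannaKey or Wanakiwi code): the recovery routine never sees the private key. It slides a prime-sized window across a memory image and tests whether the window, read as an integer, divides the public modulus; a hit yields one prime, the other follows by division, and the private exponent follows from both. The 256-bit primes, the little-endian storage, the fixed offset and the random filler that stands in for a process memory dump are all assumptions of the example.

```python
import math
import random

# Assumption: a toy key size so the example runs in well under a second.
PRIME_BITS = 256
PRIME_BYTES = PRIME_BITS // 8
PUBLIC_EXPONENT = 65537


def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test with a small trial-division prefilter."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # full width and odd
        if is_probable_prime(cand):
            return cand


def make_keypair(seed: int = 1234):
    """Generate a small RSA key deterministically; returns (n, e, d, p, q)."""
    rng = random.Random(seed)
    while True:
        p = random_prime(PRIME_BITS, rng)
        q = random_prime(PRIME_BITS, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(PUBLIC_EXPONENT, phi) == 1:
            break
    n = p * q
    d = pow(PUBLIC_EXPONENT, -1, phi)  # modular inverse (Python 3.8+)
    return n, PUBLIC_EXPONENT, d, p, q


def build_memory_image(p: int, offset: int = 1337, size: int = 4096, seed: int = 99) -> bytes:
    """Constructed stand-in for a process memory dump: random filler with the
    prime's little-endian encoding left behind at a fixed offset."""
    rng = random.Random(seed)
    filler = bytes(rng.getrandbits(8) for _ in range(size))
    return filler[:offset] + p.to_bytes(PRIME_BYTES, "little") + filler[offset:]


def recover_private_key(memory: bytes, n: int, e: int):
    """Slide a prime-sized window across memory. A window whose little-endian
    value is a non-trivial divisor of n must be p or q; the other factor and
    the private exponent follow. Returns (d, offset), or None when the primes
    are no longer in memory (process killed, machine rebooted, pages reused)."""
    for off in range(len(memory) - PRIME_BYTES + 1):
        cand = int.from_bytes(memory[off:off + PRIME_BYTES], "little")
        if 1 < cand < n and n % cand == 0:
            p, q = cand, n // cand
            return pow(e, -1, (p - 1) * (q - 1)), off
    return None
```

The search is cheap because the only expensive operation per window is one modulus, and the public key is always available to the victim (WannaCry leaves it on disk), so the scan can run on a live or dumped process without any secret. The real tools then had to rebuild the key blob that the decryptor expects; that step is left out here.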
Within four days of the initial outbreak, new infections had slowed to a trickle due to these responses.[81]
Attribution
Linguistic analysis of the ransom notes indicated the authors were likely fluent in Chinese and proficient in English, as the versions of the notes in those languages were probably human-written while the rest seemed to be machine-translated.[82][83] According to an analysis by the FBI’s Cyber Behavioral Analysis Center, the computer that created the ransomware language files had Hangul language fonts installed, as evidenced by the presence of the “\fcharset129” Rich Text Format tag.[15] Metadata in the language files also indicated that the computers that created the ransomware were set to UTC+09:00, which is used in Korea.[15]
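The font-charset check mentioned above can be reproduced on any RTF file. The following Python is an added example (not the FBI’s tooling or anything from the article): it pulls every fcharset control word out of the RTF font table and names the Windows charset each one refers to. The sample document is constructed; the charset identifiers are the standard RTF/Windows values. A charset tag only shows which fonts the authoring environment had available, so on its own it is a weak signal that must be combined with other evidence, as the paragraph above does.

```python
import re
from typing import Dict, List

# Standard RTF \fcharset values (Windows charset identifiers); partial table.
RTF_CHARSETS: Dict[int, str] = {
    0: "ANSI", 1: "DEFAULT", 2: "SYMBOL", 77: "MAC",
    128: "SHIFTJIS (Japanese)", 129: "HANGUL (Korean)", 130: "JOHAB (Korean)",
    134: "GB2312 (Simplified Chinese)", 136: "BIG5 (Traditional Chinese)",
    161: "GREEK", 162: "TURKISH", 163: "VIETNAMESE", 177: "HEBREW",
    178: "ARABIC", 186: "BALTIC", 204: "RUSSIAN (Cyrillic)", 222: "THAI",
    238: "EASTEUROPE", 255: "OEM",
}

# Constructed RTF document with a three-entry font table.
SAMPLE_RTF = (
    r"{\rtf1\ansi\deff0{\fonttbl{\f0\fnil\fcharset129 Malgun Gothic;}"
    r"{\f1\fswiss\fcharset0 Arial;}{\f2\fnil\fcharset134 SimSun;}}"
    r"\pard\f1 sample text\par}"
)

# One font-table entry: {\fN <properties> \fcharsetM <face name>;}
FONT_RE = re.compile(
    r"\{\\f(?P<fid>\d+)(?P<props>[^{}]*?)\\fcharset(?P<cs>\d+)\s*(?P<face>[^;{}]*);\}"
)


def parse_font_table(rtf: str) -> List[dict]:
    """Extract every font entry that carries an fcharset control word."""
    entries = []
    for m in FONT_RE.finditer(rtf):
        cs = int(m["cs"])
        entries.append({
            "font_id": int(m["fid"]),
            "charset": cs,
            "charset_name": RTF_CHARSETS.get(cs, f"unknown ({cs})"),
            "face": m["face"].strip(),
        })
    return entries


def charset_names(rtf: str) -> List[str]:
    """Sorted, de-duplicated charset names present in the font table."""
    return sorted({entry["charset_name"] for entry in parse_font_table(rtf)})


def non_default_charsets(rtf: str) -> List[dict]:
    """Entries other than ANSI/DEFAULT, i.e. the ones worth a second look."""
    return [entry for entry in parse_font_table(rtf) if entry["charset"] not in (0, 1)]
```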
A security researcher[84][85] initially posted a tweet[86] referencing code similarities between WannaCry and previous malware. The cybersecurity companies[87] Kaspersky Lab and Symantec have both said the code has some similarities with that previously used by the Lazarus Group[88] (believed to have carried out the cyberattack on Sony Pictures in 2014 and a Bangladesh bank heist in 2016—and linked to North Korea).[88] This could also be either simple re-use of code by another group[89] or an attempt to shift blame—as in a cyber false flag operation;[88] but a leaked internal NSA memo is alleged to have also linked the creation of the worm to North Korea.[90] Brad Smith, the president of Microsoft, said he believed North Korea was the originator of the WannaCry attack,[91] and the UK’s National Cyber Security Centre reached the same conclusion.[92]
On 18 December 2017, the United States Government formally announced that it publicly considers North Korea to be the main culprit behind the WannaCry attack.[93] Then-President Trump’s Homeland Security Advisor, Tom Bossert, wrote an op-ed in The Wall Street Journal about this charge, saying “We do not make this allegation lightly. It is based on evidence.”[94] In a press conference the following day, Bossert said that the evidence indicates that Kim Jong-un had given the order to launch the malware attack.[95] Bossert said that Canada, New Zealand and Japan agree with the United States’ assessment of the evidence that links the attack to North Korea,[96] while the United Kingdom’s Foreign and Commonwealth Office says it also stands behind the United States’ assertion.[97]
North Korea, however, denied being responsible for the cyberattack.[98][99]
On 6 September 2018, the US Department of Justice (DoJ) announced formal charges against Park Jin-hyok for involvement in the Sony Pictures hack of 2014. The DoJ contended that Park was a North Korean hacker working as part of a team of experts for the North Korean Reconnaissance General Bureau. The Department of Justice asserted this team also had been involved in the WannaCry attack, among other activities.[100][101]
Impact
The ransomware campaign was unprecedented in scale according to Europol,[39] which estimates that around 200,000 computers were infected across 150 countries. According to Kaspersky Lab, the four most affected countries were Russia, Ukraine, India and Taiwan.[103]
One of the largest agencies struck by the attack was the National Health Service hospitals in England and Scotland,[104][105] and up to 70,000 devices – including computers, MRI scanners, blood-storage refrigerators and theatre equipment – may have been affected.[106] On 12 May, some NHS services had to turn away non-critical emergencies, and some ambulances were diverted.[107][108] In 2016, thousands of computers in 42 separate NHS trusts in England were reported to be still running Windows XP.[42] In 2018 a report by Members of Parliament concluded that all 200 NHS hospitals or other organisations checked in the wake of the WannaCry attack still failed cybersecurity checks.[109][110] NHS hospitals in Wales and Northern Ireland were unaffected by the attack.[111][107]
Nissan Motor Manufacturing UK in Tyne and Wear, England, halted production after the ransomware infected some of its systems. Renault also stopped production at several sites in an attempt to stop the spread of the ransomware.[112][113] Spain’s Telefónica, FedEx and Deutsche Bahn were hit, as were many other companies in countries around the world.[114][115][116]
The attack’s impact is said to be relatively low compared to other potential attacks of the same type and could have been much worse had Hutchins not discovered that a kill switch had been built in by its creators[117][118] or if it had been specifically targeted on highly critical infrastructure, like nuclear power plants, dams or railway systems.[119][120]
According to cyber-risk-modeling firm Cyence, economic losses from the cyber attack could reach up to US$4 billion, with other groups estimating the losses to be in the hundreds of millions.[121]
Affected organisations
The following is an alphabetical list of organisations confirmed to have been affected:
- Andhra Pradesh Police, India[122]
- Aristotle University of Thessaloniki, Greece[123][124]
- Automobile Dacia, Romania[125]
- Boeing Commercial Airplanes[126]
- Cambrian College, Canada[127]
- Chinese public security bureau[128]
- CJ CGV (a cinema chain)[129]
- Dalian Maritime University[130]
- Deutsche Bahn[131]
- Dharmais Hospital, Indonesia[132]
- Faculty Hospital, Nitra, Slovakia[133]
- FedEx[134]
- Garena Blade and Soul[135]
- Guilin University of Aerospace Technology[130]
- Guilin University of Electronic Technology[130]
- Harapan Kita Hospital, Indonesia[132]
- Hezhou University[130]
- Hitachi[136]
- Honda[137]
- Instituto Nacional de Salud, Colombia[138]
- Lakeridge Health, Canada[139]
- LAKS, Netherlands[140]
- LATAM Airlines Group[141]
- MegaFon[142]
- Ministry of Internal Affairs of the Russian Federation[143]
- National Health Service (England)[144][107][111]
- NHS Scotland[107][111]
- Nissan Motor Manufacturing UK[144]
- O2, Germany[145][146]
- Petrobrás[147]
- PetroChina[114][128]
- Portugal Telecom[148]
- Pulse FM[149]
- Q-Park[150]
- Renault[151]
- Russian Railways[152]
- Sandvik[132]
- Justice Court of São Paulo[147]
- Sberbank[153]
- Shandong University[130]
- State Governments of India
- Suzhou Vehicle Administration[130]
- Sun Yat-sen University, China[132]
- Telefónica, Spain[156]
- Telenor Hungary, Hungary[157]
- Telkom (South Africa)[158]
- Timrå Municipality, Sweden[159]
- TSMC, Taiwan[160]
- Universitas Jember, Indonesia[161]
- University of Milano-Bicocca, Italy[162]
- University of Montreal, Canada[163]
- Vivo, Brazil[147]
Reactions
A number of experts highlighted the NSA’s non-disclosure of the underlying vulnerability, and its loss of control over the EternalBlue attack tool that exploited it. Edward Snowden said that if the NSA had “privately disclosed the flaw used to attack hospitals when they found it, not when they lost it, the attack may not have happened”.[164] British cybersecurity expert Graham Cluley also sees “some culpability on the part of the U.S. intelligence services”. According to him and others, “they could have done something ages ago to get this problem fixed, and they didn’t do it”. He also said that despite obvious uses for such tools to spy on people of interest, they have a duty to protect their countries’ citizens.[165] Others have also commented that this attack shows that the practice of intelligence agencies stockpiling exploits for offensive purposes rather than disclosing them for defensive purposes may be problematic.[118] Microsoft president and chief legal officer Brad Smith wrote, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”[166][167][168] Russian President Vladimir Putin placed the responsibility for the attack on U.S. intelligence services, for having created EternalBlue.[153]
On 17 May 2017, United States bipartisan lawmakers introduced the PATCH Act[169] that aims to have exploits reviewed by an independent board to “balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process”.[170]
On 15 June 2017, the United States Congress was to hold a hearing on the attack.[171] Two subpanels of the House Science Committee were to hear the testimonies from various individuals working in the government and non-governmental sector about how the US can improve its protection mechanisms for its systems against similar attacks in the future.[171]
Marcus Hutchins, a cybersecurity researcher working in loose collaboration with the UK’s National Cyber Security Centre,[172][173] researched the malware and discovered a “kill switch”.[56] Later, globally dispersed security researchers collaborated online to develop open source tools[174][175] that allow decryption without payment under some circumstances.[176] Snowden states that when “NSA-enabled ransomware eats the Internet, help comes from researchers, not spy agencies” and asks why this is the case.[177][178][173]
Adam Segal, director of the digital and cyberspace policy program at the Council on Foreign Relations, stated that “the patching and updating systems are broken, basically, in the private sector and in government agencies”.[118] In addition, Segal said that governments’ apparent inability to secure vulnerabilities “opens a lot of questions about backdoors and access to encryption that the government argues it needs from the private sector for security”.[118] Arne Schönbohm, president of Germany’s Federal Office for Information Security (BSI), stated that “the current attacks show how vulnerable our digital society is. It’s a wake-up call for companies to finally take IT security [seriously]”.[179]
United Kingdom
The effects of the attack also had political implications; in the United Kingdom, the impact on the National Health Service quickly became political, with claims that the effects were exacerbated by government underfunding of the NHS; in particular, the NHS ceased its paid Custom Support arrangement to continue receiving support for unsupported Microsoft software used within the organization, including Windows XP.[180] Home Secretary Amber Rudd refused to say whether patient data had been backed up, and Shadow Health Secretary Jon Ashworth accused Health Secretary Jeremy Hunt of refusing to act on a critical note from Microsoft, the National Cyber Security Centre (NCSC) and the National Crime Agency that had been received two months previously.[181]
Others argued that hardware and software vendors often fail to account for future security flaws, selling systems that − due to their technical design and market incentives − eventually won’t be able to properly receive and apply patches.[182]
The NHS denied that it was still using XP, claiming only 4.7% of devices within the organization ran Windows XP.[183][45] The cost of the attack to the NHS was estimated as £92 million in disruption to services and IT upgrades.[184]
After the attack, NHS Digital refused to finance the estimated £1 billion to meet the Cyber Essentials Plus standard, an information security certification organized by the UK NCSC, saying this would not constitute “value for money”, and that it had invested over £60 million and planned “to spend a further £150 [million] over the next two years” to address key cyber security weaknesses.[185]
See also
- BlueKeep (security vulnerability)
- Computer security § Medical systems
- Comparison of computer viruses
- Conficker
- CryptoLocker
- Cyber self-defense
- Cyberweapon § Control
- Health Service Executive cyberattack
- International Multilateral Partnership Against Cyber Threats
- Proactive cyber defence § Measures
- Security engineering
- Software versioning
- SQL Slammer
- Timeline of computer viruses and worms
- Vault 7
- Windows Update
- 2016 Dyn cyberattack
- 2017 Petya cyberattack
References
- ^ “The WannaCry ransomware attack was temporarily halted. But it’s not over yet”. 15 May 2017. Archived from the original on 28 October 2017. Retrieved 25 May 2017.
- ^ “Ransomware attack still looms in Australia as Government warns WannaCry threat not over”. Australian Broadcasting Corporation. 14 May 2017. Archived from the original on 15 May 2017. Retrieved 15 May 2017.
- ^ Cameron, Dell (13 May 2017). “Today’s Massive Ransomware Attack Was Mostly Preventable; Here’s How To Avoid It”. Gizmodo. Archived from the original on 9 April 2019. Retrieved 13 May 2017.
- ^ “Shadow Brokers threaten to release Windows 10 hacking tools”. The Express Tribune. 31 May 2017. Archived from the original on 10 July 2017. Retrieved 31 May 2017.
- ^ “Two years after WannaCry, a million computers remain at risk”. TechCrunch. 12 May 2019. Archived from the original on 4 June 2021. Retrieved 16 January 2021.
- ^ “What is the domain name that stopped WannaCry?”. 15 May 2017.
- ^ Chappell, Bill; Neuman, Scott (19 December 2017). “U.S. Says North Korea ‘Directly Responsible’ For WannaCry Ransomware Attack”. NPR. Retrieved 2 December 2022.
- ^ “Cyber-attack: US and UK blame North Korea for WannaCry”. BBC News. 19 December 2017. Archived from the original on 8 February 2021. Retrieved 18 February 2021.
- ^ “TSMC Chip Maker Blames WannaCry Malware for Production Halt”. The Hacker News. Archived from the original on 9 August 2018. Retrieved 7 August 2018.
- ^ MSRC Team (13 May 2017). “Customer Guidance for WannaCrypt attacks”. Microsoft. Archived from the original on 21 May 2017. Retrieved 13 May 2017.
- ^ Jakub Kroustek (12 May 2017). “Avast reports on WanaCrypt0r 2.0 ransomware that infected NHS and Telefonica”. Avast Security News. Avast Software, Inc. Archived from the original on 5 May 2019. Retrieved 14 May 2017.
- ^ Fox-Brewster, Thomas. “An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak”. Forbes. Archived from the original on 28 June 2018. Retrieved 12 May 2017.
- ^ Woollaston, Victoria. “Wanna Decryptor: what is the ‘atom bomb of ransomware’ behind the NHS attack?”. WIRED UK. Archived from the original on 17 March 2018. Retrieved 13 May 2017.
- ^ “Player 3 Has Entered the Game: Say Hello to ‘WannaCry’”. blog.talosintelligence.com. 12 May 2017. Archived from the original on 4 June 2021. Retrieved 16 May 2017.
- ^ Shields, Nathan P. (8 June 2018). “Criminal Complaint”. United States Department of Justice. Archived from the original on 6 September 2018. Retrieved 6 September 2018.
- ^ “NHS cyber attack: Edward Snowden says NSA should have prevented cyber attack”. The Independent. Archived from the original on 16 May 2017. Retrieved 13 May 2017.
- ^ Graham, Chris (13 May 2017). “NHS cyber attack: Everything you need to know about ‘biggest ransomware’ offensive in history”. The Daily Telegraph. Archived from the original on 13 May 2017. Retrieved 13 May 2017.
- ^ “NSA-leaking Shadow Brokers just dumped its most damaging release yet”. Ars Technica. Archived from the original on 13 May 2017. Retrieved 15 April 2017.
- ^ Goodin, Dan. “10,000 Windows computers may be infected by advanced NSA backdoor”. Ars Technica. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ Goodin, Dan. “NSA backdoor detected on >55,000 Windows boxes can now be remotely removed”. Ars Technica. Retrieved 14 May 2017.
- ^ Broersma, Matthew. “NSA Malware ‘Infects Nearly 200,000 Systems’”. Silicon. Archived from the original on 6 May 2017. Retrieved 14 May 2017.
- ^ Cameron, Dell (13 May 2017). “Today’s Massive Ransomware Attack Was Mostly Preventable; Here’s How To Avoid It”. Gizmodo Australia. Archived from the original on 9 April 2019. Retrieved 15 May 2017.
- ^ “How One Simple Trick Just Put Out That Huge Ransomware Fire”. Forbes. 24 April 2017. Archived from the original on 4 June 2021. Retrieved 15 May 2017.
- ^ “Enterprise Ransomware” (PDF). August 2019.
- ^ “Russian-linked cyber gang blamed for NHS computer hack using bug stolen from US spy agency”. The Telegraph. Archived from the original on 12 May 2017. Retrieved 12 May 2017.
- ^ “What you need to know about the WannaCry Ransomware”. Symantec Security Response. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ Bilefsky, Dan; Perlroth, Nicole (12 May 2017). “Hackers Hit Dozens of Countries Exploiting Stolen N.S.A. Tool”. The New York Times. ISSN 0362-4331. Archived from the original on 12 May 2017. Retrieved 12 May 2017.
- ^ Clark, Zammis (13 May 2017). “The worm that spreads WanaCrypt0r”. Malwarebytes Labs. malwarebytes.com. Archived from the original on 17 May 2017. Retrieved 13 May 2017.
- ^ Samani, Raj (12 May 2017). “An Analysis of the WANNACRY Ransomware outbreak”. McAfee. Archived from the original on 13 May 2017. Retrieved 13 May 2017.
- ^ Thomas, Andrea; Grove, Thomas; Gross, Jenny (13 May 2017). “More Cyberattack Victims Emerge as Agencies Search for Clues”. The Wall Street Journal. ISSN 0099-9660. Archived from the original on 13 May 2017. Retrieved 14 May 2017.
- ^ Collins, Keith (12 May 2017). “Watch as these bitcoin wallets receive ransomware payments from the global cyberattack”. Quartz. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ “MS17-010 (SMB RCE) Metasploit Scanner Detection Module”. @zerosum0x0. 18 April 2017. Archived from the original on 25 September 2017. Retrieved 18 April 2017.
- ^ “DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis”. @zerosum0x0. 21 April 2017. Archived from the original on 12 August 2017. Retrieved 21 April 2017.
- ^ “WannaCrypt ransomware worm targets out-of-date systems”. TechNet. Microsoft. 13 May 2017. Archived from the original on 11 February 2021. Retrieved 20 May 2017.
- ^ Brenner, Bill (16 May 2017). “WannaCry: the ransomware worm that didn’t arrive on a phishing hook”. Naked Security. Sophos. Archived from the original on 11 July 2017. Retrieved 18 May 2017.
- ^ Newman, Lily Hay (12 May 2017). “The Ransomware Meltdown Experts Warned About Is Here”. Wired. Archived from the original on 19 May 2017. Retrieved 13 May 2017.
- ^ Yuzifovich, Yuriy. “WannaCry: views from the DNS frontline”. Security and Data Science. nominum. Archived from the original on 21 May 2017. Retrieved 18 May 2017.
- ^ Goodin, Dan. “An NSA-derived ransomware worm is shutting down computers worldwide”. Ars Technica. Archived from the original on 12 May 2017. Retrieved 14 May 2017.
- ^ “Cyber-attack: Europol says it was unprecedented in scale”. BBC News. 13 May 2017. Archived from the original on 14 May 2017. Retrieved 13 May 2017.
- ^ “‘Unprecedented’ cyberattack hits 200,000 in at least 150 countries, and the threat is escalating”. CNBC. 14 May 2017. Archived from the original on 15 May 2017. Retrieved 16 May 2017.
- ^ “WannaCry Ransomware Attack Hits Victims With Microsoft SMB Exploit”. eWeek. Retrieved 13 May 2017.
- ^ “NHS Hospitals Are Running Thousands of Computers on Unsupported Windows XP”. Motherboard. 29 September 2016. Archived from the original on 18 May 2017. Retrieved 13 May 2017.
- ^ “Microsoft issues ‘highly unusual’ Windows XP patch to prevent massive ransomware attack”. The Verge. Vox Media. 13 May 2017. Archived from the original on 14 May 2017. Retrieved 13 May 2017.
- ^ Brandom, Russell (19 May 2017). “Almost all WannaCry victims were running Windows 7”. The Verge. Vox Media. Archived from the original on 16 November 2020. Retrieved 10 December 2020.
- ^ Brandom, Russell (30 May 2017). “Windows XP computers were mostly immune to WannaCry”. The Verge. Vox Media. Archived from the original on 11 February 2021. Retrieved 10 December 2020.
- ^ “WannaCry: Two Weeks and 16 Million Averted Ransoms Later”. Kryptos Logic. 30 May 2017. Archived from the original on 30 May 2017. Retrieved 30 May 2017.
- ^ “Παγκόσμιος τρόμος: Πάνω από 100 χώρες “χτύπησε” ο WannaCry που ζητάει λύτρα!”. newsit.gr. 13 May 2017. Archived from the original on 16 November 2019. Retrieved 16 November 2019.
- ^ Reynolds, Matt (17 May 2017). “Ransomware attack hits 200,000 computers across the globe”. New Scientist. Archived from the original on 19 April 2019. Retrieved 10 December 2020.
- ^ Baraniuk, Chris (15 May 2017). “Should you pay the WannaCry ransom?”. BBC News. Archived from the original on 29 November 2020. Retrieved 10 December 2020.
- ^ Palmer, Danny (22 May 2017). “Ransomware: WannaCry was basic, next time could be much worse”. ZDNet. Archived from the original on 29 November 2020. Retrieved 10 December 2020.
- ^ Collins, Keith (13 May 2017). “Watch as these bitcoin wallets receive ransomware payments from the ongoing global cyberattack”. Quartz. Archived from the original on 4 June 2021. Retrieved 10 December 2020.
- ^ Thompson, Iain (16 May 2017). “While Microsoft griped about NSA exploit stockpiles, it stockpiled patches: Friday’s WinXP fix was built in February”. The Register. Archived from the original on 22 December 2017. Retrieved 19 December 2017.
- ^ Hern, Alex (14 June 2017). “WannaCry attacks prompt Microsoft to release Windows updates for older versions”. The Guardian. ISSN 0261-3077. Archived from the original on 14 June 2017. Retrieved 14 June 2017.
- ^ “Microsoft rushes out patch for Windows XP to prevent another WannaCry attack via a Shadow Brokers release”. Computing.com. 14 June 2017. ISSN 0261-3077. Archived from the original on 14 June 2017. Retrieved 14 June 2017.
- ^ “‘Just doing my bit’: The 22yo who blocked the WannaCry cyberattack”. ABC News. 16 May 2017. Archived from the original on 17 May 2017. Retrieved 17 May 2017.
- ^ MalwareTech (13 May 2017). “How to Accidentally Stop a Global Cyber Attacks”. Archived from the original on 14 May 2017. Retrieved 14 May 2017.
- ^ Bodkin, Henry; Henderson, Barney; Donnelly, Laura; Mendick, Robert; Farmer, Ben; Graham, Chris (12 May 2017). “Government under pressure after NHS crippled in global cyber attack as weekend of chaos looms”. The Telegraph. Archived from the original on 27 March 2018. Retrieved 5 April 2018.
- ^ Thomson, Iain (13 May 2017). “74 countries hit by NSA-powered WannaCrypt ransomware backdoor: Emergency fixes emitted by Microsoft for WinXP+”. The Register. Archived from the original on 13 May 2017. Retrieved 14 May 2017.
- ^ Khomami, Nadia; Solon, Olivia (13 May 2017). “‘Accidental hero’ halts ransomware attack and warns: this is not over”. The Guardian. Archived from the original on 23 May 2019. Retrieved 13 May 2017.
- ^ Newman, Lily Hay. “How an Accidental ‘Kill Switch’ Slowed Friday’s Massive Ransomware Attack”. Wired Security. Archived from the original on 14 May 2017. Retrieved 14 May 2017.
- ^ Solon, Olivia (13 May 2017). “‘Accidental hero’ finds kill switch to stop spread of ransomware cyber-attack”. The Guardian. London. Archived from the original on 23 May 2019. Retrieved 13 May 2017.
- ^ Foxx, Chris (13 May 2017). “Global cyber-attack: Security blogger halts ransomware ‘by accident’”. BBC. Archived from the original on 13 May 2017. Retrieved 13 May 2017.
- ^ Kan, Micael (12 May 2017). “A ‘kill switch’ is slowing the spread of WannaCry ransomware”. PC World. Archived from the original on 16 May 2017. Retrieved 13 May 2017.
- ^ “How an Accidental ‘Kill Switch’ Slowed Friday’s Massive Ransomware Attack”. 12 May 2017. Archived from the original on 22 December 2017. Retrieved 19 December 2017.
- ^ Wong, Joon Ian (15 May 2017). “Just two domain names now stand between the world and global ransomware chaos”. Quartz. Archived from the original on 19 March 2018. Retrieved 25 March 2018.
- ^ “The Hours of WannaCry”. 17 May 2017. Archived from the original on 26 March 2018. Retrieved 25 March 2018.
- ^ “WannaCry – New Kill-Switch, New Sinkhole”. Check Point Software Blog. 15 May 2017. Archived from the original on 11 April 2019. Retrieved 11 April 2019.
- ^ Khandelwal, Swati. “It’s Not Over, WannaCry 2.0 Ransomware Just Arrived With No ‘Kill-Switch’”. The Hacker News. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ Shieber, Jonathan. “Companies, governments brace for a second round of cyberattacks in WannaCry’s wake”. TechCrunch. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ Chan, Sewell; Scott, Mark (14 May 2017). “Cyberattack’s Impact Could Worsen in ‘Second Wave’ of Ransomware”. The New York Times. Archived from the original on 14 April 2021. Retrieved 14 May 2017.
- ^ “Warning: Blockbuster ‘WannaCry’ malware could just be getting started”. NBC News. Archived from the original on 13 April 2021. Retrieved 14 May 2017.
- ^ Greenberg, Andy (19 May 2017). “Botnets Are Trying to Reignite the Ransomware Outbreak”. WIRED. Archived from the original on 22 May 2017. Retrieved 22 May 2017.
- ^ Gibbs, Samuel (22 May 2017). “WannaCry hackers still trying to revive attack says accidental hero”. The Guardian. Archived from the original on 4 March 2020. Retrieved 22 May 2017.
- ^ “Protection from Ransomware like WannaCry”. College of Engineering. Boston University. Archived from the original on 31 May 2017. Retrieved 19 May 2017.
- ^ Kolodenker, Eugene (16 May 2017). “PayBreak able to defeat WannaCry/WannaCryptor ransomware”. Information Security Research & Education. Bentham’s Gaze. University College London. Archived from the original on 16 May 2017. Retrieved 19 May 2017.
- ^ Suiche, Matt (19 May 2017). “WannaCry — Decrypting files with WanaKiwi + Demos”. Comae Technologies. Archived from the original on 8 August 2019. Retrieved 11 February 2019.
- ^ “Windows XP hit by WannaCry ransomware? This tool could decrypt your infected files”. ZDNet. Archived from the original on 23 May 2017. Retrieved 30 May 2017.
- ^ “Windows XP PCs infected by WannaCry can be decrypted without paying ransom”. Ars Technica. 18 May 2017. Archived from the original on 31 May 2017. Retrieved 30 May 2017.
- ^ Greenberg, Andy (18 May 2017). “A WannaCry flaw could help some windows XP users get files back”. Wired. Archived from the original on 18 May 2017. Retrieved 18 May 2017.
- ^ “More people infected by recent WCry worm can unlock PCs without paying ransom”. Ars Technica. 19 May 2017. Archived from the original on 22 May 2017. Retrieved 30 May 2017.
- ^ Volz, Dustin (17 May 2017). “Cyber attack eases, hacking group threatens to sell code”. Reuters. Archived from the original on 21 May 2017. Retrieved 21 May 2017.
- ^ Leyden, John (26 May 2017). “WannaCrypt ransomware note likely written by Google Translate-using Chinese speakers”. The Register. Archived from the original on 26 May 2017. Retrieved 26 May 2017.
- ^ Condra, Jon; Costello, John; Chu, Sherman (25 May 2017). “Linguistic Analysis of WannaCry Ransomware Messages Suggests Chinese-Speaking Authors”. Flashpoint. Archived from the original on 27 May 2017.
Flashpoint assesses with high confidence that the author(s) of WannaCry’s ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore. Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. […] Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version, which then generated machine translated versions of the other notes. The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language—perhaps comfortable enough to use the language to write the initial note.
- ^ Greenberg, Andy (15 May 2017). “The Ransomware Outbreak Has a Possible Link to North Korea”. Wired. Archived from the original on 23 March 2018. Retrieved 25 March 2018.
- ^ “Google Researcher Finds Link Between WannaCry Attacks and North Korea”. The Hacker News — Cyber Security and Hacking News Website. Archived from the original on 25 March 2018. Retrieved 25 March 2018.
- ^ Mehta, Neel [@neelmehta] (15 May 2017). “9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598 ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution” (Tweet) – via Twitter.
- ^ McMillan, Robert (16 May 2017). “Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea”. The Wall Street Journal. Archived from the original on 23 March 2018. Retrieved 25 March 2018.
- ^ Solon, Olivia (15 May 2017). “WannaCry ransomware has links to North Korea, cybersecurity experts say”. The Guardian. Archived from the original on 16 May 2017. Retrieved 16 May 2017.
- ^ Talmadge, Eric (19 May 2017). “Experts question North Korea role in WannaCry cyber attack”. independent.ie. AP. Archived from the original on 23 May 2017. Retrieved 22 May 2017.
- ^ Nakashima, Ellen. “The NSA has linked the WannaCry computer worm to North Korea”. The Washington Post. Archived from the original on 4 June 2021. Retrieved 15 June 2017.
- ^ Harley, Nicola (14 October 2017). “North Korea behind WannaCry attack which crippled the NHS after stealing US cyber weapons, Microsoft chief claims”. The Telegraph. ISSN 0307-1235. Archived from the original on 14 October 2017. Retrieved 14 October 2017.
- ^ Hern, Alex (26 October 2017). “NHS could have avoided WannaCry hack with ‘basic IT security’, says report”. The Guardian. Archived from the original on 26 October 2017. Retrieved 26 October 2017.
- ^ Nakashima, Ellen (18 December 2017). “U.S. declares North Korea carried out massive WannaCry cyberattack”. The Washington Post. Archived from the original on 19 December 2017. Retrieved 18 December 2017.
- ^ Bossert, Thomas P. (18 December 2017). “It’s Official: North Korea Is Behind WannaCry”. The Wall Street Journal. Archived from the original on 19 December 2017. Retrieved 18 December 2017.
- ^ Uchill, Joe (19 December 2017). “WH: Kim Jong Un behind massive WannaCry malware attack”. The Hill. Archived from the original on 22 December 2017. Retrieved 19 December 2017.
- ^ “White House says WannaCry attack was carried out by North Korea”. CBS News. 19 December 2017. Archived from the original on 22 December 2017. Retrieved 19 December 2017.
- ^ Hern, Alex; McCurry, Justin (19 December 2017). “UK and US blame WannaCry cyber-attack on North Korea”. The Guardian. Archived from the original on 19 December 2017. Retrieved 19 December 2017.
- ^ “North Korea says linking cyber attacks to Pyongyang is ‘ridiculous’”. Reuters. 19 May 2017. Archived from the original on 20 May 2017. Retrieved 21 May 2017.
- ^ “Experts Question North Korea Role in WannaCry Cyberattack”. The New York Times. 19 May 2017. Retrieved 21 May 2017.
- ^ Sanger, David; Benner, Katie; Goldman, Adam (6 September 2018). “North Korean Spy to Be Charged in Sony Pictures Hacking”. The New York Times. Archived from the original on 6 September 2018. Retrieved 6 September 2018.
- ^ Talley, Ian; Volz, Dustin (16 September 2019). “U.S. Targets North Korean Hacking as National-Security Threat”. msn. Archived from the original on 20 September 2019. Retrieved 16 September 2019.
- ^ “Cyber-attack: Europol says it was unprecedented in scale”. BBC. 13 May 2017. Archived from the original on 14 May 2017. Retrieved 22 June 2018.
- ^ Jones, Sam (14 May 2017). “Global alert to prepare for fresh cyber attacks”. Financial Times.
- ^ Millar, Sheila A.; Marshall, Tracy P.; Cardon, Nathan A. (22 May 2017). “WannaCry: Are Your Security Tools Up to Date?”. The National Law Review. Keller and Heckman LLP. Archived from the original on 4 August 2017. Retrieved 9 July 2017.
- ^ “Global cyberattack strikes dozens of countries, cripples U.K. hospitals”. CBS News. 12 May 2017. Archived from the original on 13 May 2017. Retrieved 13 May 2017.
- ^ Ungoed-Thomas, Jon; Henry, Robin; Gadher, Dipesh (14 May 2017). “Cyber-attack guides promoted on YouTube”. The Sunday Times. Archived from the original on 14 May 2017. Retrieved 14 May 2017.
- ^ “NHS cyber-attack: GPs and hospitals hit by ransomware”. BBC News. 12 May 2017. Archived from the original on 12 May 2017. Retrieved 12 May 2017.
- ^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). “Massive ransomware cyber-attack hits 74 countries around the world”. The Guardian. London. Archived from the original on 21 May 2017. Retrieved 12 May 2017.
- ^ Smyth, Chris (18 April 2018). “Every hospital tested for cybersecurity has failed”. The Times. ISSN 0140-0460. Archived from the original on 18 April 2018. Retrieved 18 April 2018.
- ^ “Cyber-attack on the NHS” (PDF). Archived (PDF) from the original on 21 April 2018. Retrieved 20 April 2018.
- ^ Marsh, Sarah (12 May 2017). “The NHS trusts hit by malware – full list”. The Guardian. London. Archived from the original on 15 May 2017. Retrieved 12 May 2017.
- ^ Sharman, Jon (13 May 2017). “Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France”. The Independent. Archived from the original on 16 May 2017. Retrieved 13 May 2017.
- ^ Rosemain, Mathieu; Le Guernigou, Yann; Davey, James (13 May 2017). “Renault stops production at several plants after ransomware cyber attack as Nissan also hacked”. Daily Mirror. Archived from the original on 15 May 2017. Retrieved 13 May 2017.
- ^ Larson, Selena (12 May 2017). “Massive ransomware attack hits 99 countries”. CNN. Archived from the original on 12 May 2017. Retrieved 12 May 2017.
- ^ “The WannaCry ransomware attack has spread to 150 countries”. The Verge. 14 May 2017. Archived from the original on 15 May 2017. Retrieved 16 May 2017.
- ^ Hern, Alex; Gibbs, Samuel (12 May 2017). “What is ‘WanaCrypt0r 2.0’ ransomware and why is it attacking the NHS?”. The Guardian. London. ISSN 0261-3077. Archived from the original on 12 May 2017. Retrieved 12 May 2017.
- ^ “Lucky break slows global cyberattack; what’s coming could be worse”. Chicago Tribune. 14 May 2017. Archived from the original on 14 May 2017. Retrieved 14 May 2017.
- ^ Helmore, Edward (13 May 2017). “Ransomware attack reveals breakdown in US intelligence protocols, expert says”. The Guardian. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ “The Latest: Researcher who helped halt cyberattack applauded”. Star Tribune. Archived from the original on 16 May 2017. Retrieved 14 May 2017.
- ^ “Global ‘WannaCry’ ransomware cyberattack seeks cash for data”. Washington Post. Archived from the original on 16 May 2017. Retrieved 16 May 2017.
- ^ “‘WannaCry’ ransomware attack losses could reach $4 billion”. Archived from the original on 14 June 2017. Retrieved 14 June 2017.
- ^ “Andhra police computers hit by cyberattack”. The Times of India. 13 May 2017. Archived from the original on 14 May 2017. Retrieved 13 May 2017.
- ^ “‘Χάκαραν’ και το ΑΠΘ στην παγκόσμια κυβερνοεπίθεση!”. Proto Thema (in Greek). 13 May 2017. Archived from the original on 17 May 2017. Retrieved 18 May 2017.
- ^ “Θεσσαλονίκη: Στόχος της παγκόσμιας κυβερνοεπίθεσης το Αριστοτέλειο – Συναγερμός για τον ισχυρό ιό!”. NewsIT (in Greek). 13 May 2017. Archived from the original on 1 September 2020. Retrieved 28 September 2020.
- ^ “Atacul cibernetic global a afectat și Uzina Dacia de la Mioveni. Renault a anunțat că a oprit producția și în Franța”. Pro TV (in Romanian). 13 May 2017. Archived from the original on 16 May 2017. Retrieved 13 May 2017.
- ^ “Boeing production plant hit with WannaCry ransomware attack”. theverge.com. 28 March 2018. Archived from the original on 29 March 2018. Retrieved 29 March 2018.
- ^ “Hackers demand $54K in Cambrian College ransomware attack”. CBC.ca. Archived from the original on 10 May 2017. Retrieved 16 May 2017.
- ^ Lau, Mimi (14 May 2017). “Chinese police and petrol stations hit by ransomware attack”. South China Morning Post. Archived from the original on 15 May 2017. Retrieved 15 May 2017.
- ^ “Korean gov’t computers safe from WannaCry attack”. The Korea Herald. Archived from the original on 15 May 2017. Retrieved 15 May 2017.
- ^ “一夜之间 勒索病毒‘永恒之蓝’席卷 国内近3万机构被攻陷 全球超十万台电脑‘中毒’ 江苏等十省市受害最严重”. Archived from the original on 19 May 2017. Retrieved 27 May 2017.
- ^ “Weltweite Cyberattacke trifft Computer der Deutschen Bahn”. Frankfurter Allgemeine Zeitung (in German). 13 May 2017. Archived from the original on 13 May 2017. Retrieved 13 May 2017.
- ^ “Global cyber attack: A look at some prominent victims” (in Spanish). elperiodico.com. 13 May 2017. Archived from the original on 20 May 2017. Retrieved 14 May 2017.
- ^ “Hackerský útok zasiahol aj Fakultnú nemocnicu v Nitre”. etrend.sk (in Slovak). 15 May 2017. Archived from the original on 16 May 2017. Retrieved 15 May 2017.
- ^ “What is Wannacry and how can it be stopped?”. Financial Times. 12 May 2017. Archived from the original on 21 May 2017. Retrieved 13 May 2017.
- ^ “เซิร์ฟเวอร์เกม Blade & Soul ของ Garena ประเทศไทยถูก WannaCrypt โจมตี” (in Thai). blognone.com. 13 May 2017. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ “日立、社内システムの一部に障害 サイバー攻撃の影響か”. 日本経済新聞 (in Japanese). 15 May 2017. Archived from the original on 16 May 2017. Retrieved 21 June 2017.
- ^ “Honda halts Japan car plant after WannaCry virus hits computer network”. Reuters. 21 June 2017. Archived from the original on 21 June 2017. Retrieved 21 June 2017.
- ^ “Instituto Nacional de Salud, entre víctimas de ciberataque mundial”. El Tiempo (in Spanish). 13 May 2017. Archived from the original on 16 May 2017. Retrieved 13 May 2017.
- ^ “Ontario health ministry on high alert amid global cyberattack”. Toronto Star. 13 May 2017. Archived from the original on 4 June 2021. Retrieved 14 May 2017.
- ^ “Laks second Dutch victim of WannaCry”. Nu.nl. 19 May 2017. Archived from the original on 19 May 2017. Retrieved 20 May 2017.
- ^ “LATAM Airlines también está alerta por ataque informático”. Fayerwayer. 12 May 2017. Archived from the original on 12 May 2017. Retrieved 13 May 2017.
- ^ “Massive cyber attack creates chaos around the world”. news.com.au. 12 May 2017. Archived from the original on 19 May 2017. Retrieved 13 May 2017.
- ^ “Researcher ‘accidentally’ stops spread of unprecedented global cyberattack”. ABC News. Archived from the original on 14 May 2017. Retrieved 13 May 2017.
- ^ “Cyber-attack that crippled NHS systems hits Nissan car factory in Sunderland and Renault in France”. The Independent. 13 May 2017. Archived from the original on 16 May 2017. Retrieved 13 May 2017.
- ^ “Nach Attacke mit Trojaner WannaCry: Kundensystem bei O2 ausgefallen” (in German). FOCUS Online. Archived from the original on 23 May 2017. Retrieved 20 May 2017.
- ^ “Erhebliche Störungen – WannaCry: Kundendienst von O2 ausgefallen – HAZ – Hannoversche Allgemeine” (in German). Hannoversche Allgemeine Zeitung. Archived from the original on 19 May 2017. Retrieved 20 May 2017.
- ^ “WannaCry no Brasil e no mundo”. O Povo (in Portuguese). 13 May 2017. Archived from the original on 21 May 2017. Retrieved 13 May 2017.
- ^ “PT Portugal alvo de ataque informático internacional”. Observador (in Portuguese). 12 May 2017. Archived from the original on 12 May 2017. Retrieved 13 May 2017.
- ^ “Ransomware infects narrowcast radio station”. RadioInfo. 15 May 2017. Archived from the original on 1 October 2017. Retrieved 30 September 2017.
- ^ “Parkeerbedrijf Q-Park getroffen door ransomware-aanval”. Nu.nl (in Dutch). 13 May 2017. Retrieved 14 May 2017.
- ^ “France’s Renault hit in worldwide ‘ransomware’ cyber attack” (in Spanish). France 24. 13 May 2017. Archived from the original on 21 May 2017. Retrieved 13 May 2017.
- ^ “Компьютеры РЖД подверглись хакерской атаке и заражены вирусом”. Радио Свобода. Radio Free Europe/Radio Liberty. 13 May 2017. Archived from the original on 16 May 2017. Retrieved 13 May 2017.
- ^ Vidal Liy, Macarena (15 May 2017). “Putin culpa a los servicios secretos de EE UU por el virus ‘WannaCry’ que desencadenó el ciberataque mundial”. El País (in Spanish). Archived from the original on 16 May 2017. Retrieved 16 May 2017.
- ^ “Ransomware WannaCry Surfaces In Kerala, Bengal: 10 Facts”. New Delhi Television Limited (NDTV). Archived from the original on 16 May 2017. Retrieved 15 May 2017.
- ^ Nambiar, Sanjana (16 May 2017). “Hit by WannaCry ransomware, civic body in Mumbai suburb to take 3 more days to fix computers”. Hindustan Times. Archived from the original on 16 May 2017. Retrieved 17 May 2017.
- ^ “Un ataque informático masivo con ‘ransomware’ afecta a medio mundo” (in Spanish). elperiodico.com. 12 May 2017. Archived from the original on 12 May 2017. Retrieved 13 May 2017.
- ^ Balogh, Csaba (12 May 2017). “Ideért a baj: Magyarországra is elért az óriási kibertámadás”. HVG (in Hungarian). Archived from the original on 13 May 2017. Retrieved 13 May 2017.
- ^ “Telkom systems crippled by WannaCry ransomware”. MyBroadband. 21 May 2017. Archived from the original on 29 August 2018. Retrieved 21 May 2017.
- ^ “Timrå kommun drabbat av utpressningsattack” (in Swedish). Sveriges Television. 13 May 2017. Archived from the original on 15 May 2017. Retrieved 15 May 2017.
- ^ Kirk, Jeremy. “WannaCry Outbreak Hits Chipmaker, Could Cost $170 Million”. Information Security Media Group, Corp. Archived from the original on 10 August 2018. Retrieved 10 August 2018.
Taiwan Semiconductor Manufacturing Co., the world’s largest chip manufacturer, says a WannaCry infection hit unpatched Windows 7 systems in its fabrication facilities, leaving multiple factories crippled.
- ^ “Virus Ransomware Wannacry Serang Perpustakaan Universitas Jember”. Tempo (in Indonesian). 16 May 2017. Archived from the original on 16 May 2017. Retrieved 17 May 2017.
- ^ “Il virus Wannacry arrivato a Milano: colpiti computer dell’università Bicocca”. la Repubblica (in Italian). 12 May 2017. Archived from the original on 17 May 2017. Retrieved 13 May 2017.
- ^ “Some University of Montreal computers hit with WannaCry virus”. The Globe and Mail. 16 May 2017. Archived from the original on 17 May 2017. Retrieved 16 May 2017.
- ^ Wong, Julia Carrie; Solon, Olivia (12 May 2017). “Massive ransomware cyber-attack hits 74 countries around the world”. The Guardian. Archived from the original on 21 May 2017. Retrieved 12 May 2017.
- ^ Hui, Sylvia; Breed, Allen G.; Heintz, Jim (14 May 2017). “Lucky break slows global cyberattack; what’s coming could be worse”. Chicago Tribune. Archived from the original on 14 May 2017. Retrieved 14 May 2017.
- ^ “Ransomware attack ‘like having a Tomahawk missile stolen’, says Microsoft boss”. The Guardian. 14 May 2017. Retrieved 15 May 2017.
- ^ Storm, Darlene (15 May 2017). “WikiLeaks posts user guides for CIA malware implants Assassin and AfterMidnight”. Computerworld. Archived from the original on 17 May 2017. Retrieved 17 May 2017.
- ^ Smith, Brad (14 May 2017). “The need for urgent collective action to keep people safe online”. Microsoft. Archived from the original on 16 May 2017. Retrieved 14 May 2017.
- ^ “Patch Act bill before Congress”. Archived from the original on 18 May 2017. Retrieved 23 May 2017.
- ^ Whittaker, Zack. “Congress introduces bill to stop US from stockpiling cyber-weapons”. ZDNet. Archived from the original on 22 May 2017. Retrieved 23 May 2017.
- ^ Chalfant, Morgan (12 June 2017). “Lawmakers to hold hearing on ‘Wanna Cry’ ransomware attack”. TheHill. Archived from the original on 15 June 2017. Retrieved 14 June 2017.
- ^ “Finding the kill switch to stop the spread of ransomware – NCSC Site”. www.ncsc.gov.uk. Archived from the original on 23 March 2019. Retrieved 21 May 2017.
- ^ Jump up to:a b “Sky Views: Stop the cyberattack blame game”. Sky News. Archived from the original on 19 May 2017. Retrieved 21 May 2017.
- ^ “gentilkiwi/wanakiwi”. GitHub. Archived from the original on 20 May 2017. Retrieved 20 May 2017.
- ^ “aguinet/wannakey”. GitHub. Archived from the original on 20 May 2017. Retrieved 20 May 2017.
- ^ Auchard, Eric (19 May 2017). “French researchers find way to unlock WannaCry without ransom”. Reuters. Archived from the original on 19 May 2017. Retrieved 19 May 2017.
- ^ Snowden, Edward [@Snowden] (13 May 2017). “When @NSAGov-enabled ransomware eats the internet, help comes from researchers, not spy agencies. Amazing story” (Tweet). Retrieved 20 May 2017 – via Twitter.
- ^ Snowden, Edward [@Snowden] (13 May 2017). “Pause a moment to consider why we’re left with researchers, not governments, trying to counter the @NSAGov-enabled ransomware mess. Hint” (Tweet). Retrieved 20 May 2017 – via Twitter.
- ^ “WannaCry: BSI ruft Betroffene auf, Infektionen zu melden” (in German). heise online. 13 May 2017. Retrieved 14 May 2017.
- ^ “The ransomware attack is all about the insufficient funding of the NHS”. The Guardian. 13 May 2017. Archived from the original on 14 May 2017. Retrieved 14 May 2017.
- ^ “Jeremy Hunt ‘ignored warning signs’ before cyber-attack hit NHS”. The Guardian. 13 May 2017. Archived from the original on 13 May 2017. Retrieved 14 May 2017.
- ^ Larson, Selena (17 May 2017). “Why WannaCry ransomware took down so many businesses”. CNN Money. CNN. Archived from the original on 21 May 2017. Retrieved 22 May 2017.
- ^ “UPDATED Statement on reported NHS cyber-attack (13 May)”. National Health Service. Archived from the original on 13 May 2017. Retrieved 30 May 2017.
- ^ “Cyber-attack cost NHS £92m – DHSC”. Health Service Journal. 11 October 2018. Retrieved 13 November 2018.
- ^ “Health chiefs refuse to foot £1bn bill to improve NHS cyber security”. Building Better Healthcare. 15 October 2018. Archived from the original on 27 November 2018. Retrieved 27 November 2018.
External links
- Ransom:Win32/WannaCrypt at Microsoft Malware Protection Center
- @actual_ransom on Twitter, a Twitterbot tracking the ransom payments