Updated: Jun 29, 2019
Let’s do a quick recap of part one of this blog and the timeline leading up to the release of WannaCry. This will include another tool released by the ShadowBrokers – DoublePulsar.
In 2013, NSA’s Tailored Access Operations (aka the “Equation Group”) developed the FuzzBunch framework consisting of a set of hacking tools. EternalBlue and EternalRomance were part of this set of tools.
In 2015, Kaspersky published details about the Equation Group in the document entitled, “Equation Group: Questions and Answers.” In that document, Kaspersky states that they “discovered one of the first EquationDrug modules during our research into the Regin nation-state APT operation” (source released on November 24, 2014).
In 2016, ShadowBrokers launch the Equation Group Cyber Weapons Auction. The auction Includes 300MB of exploits against Cisco, Fortinet, Juniper, and TopSec. SECONDDATE is included in this release. Kaspersky compares RC5/RC6 encryption algorithms in the “freebies” against their known Equation Group signatures and state the leaked exploits are likely from the Equation Group.
Within three days of Kaspersky’s announcement, a signature in SECONDDATE that was contained in the FOXACID document leaked by Edward Snowden is used to verify that the ShadowBrokers’ dump includes NSA tools.
Ah, yes, and then there’s Harold (who we will soon know as "Hal"). Just one week after the FOXACID verification, the FBI raided the home of Harold T. Martin, III, a Booz Allen Hamilton contractor working within the Tailored Access Group in the NSA. The raid netted over 50 terabytes of stolen materials making Snowden’s leak look like a trickle of information.
We will come back to him in March of 2018.
April 14 - After several unsuccessful attempts at auction, the ShadowBrokers leak the FuzzBunch tools, which include EternalBlue and EternalRomance and DoublePulsar.
May 12 - WannaCry hits the world using EternalBlue, EternalRomance, and DoublePulsar.
WannaCry relies on a “dropper” – a malicious file that is dropped on a system. WannaCry uses EternalBlue as a transport to spread from one machine to another. Variations of WannaCry use EternalRomance as a transport mechanism. Both tools use an SMB remote code execution vulnerability.
WannaCry uses the trojan DoublePulsar to open a back door on the compromised host.
WannaCry reached out to resolve a funky URL. If that failed, WannaCry would begin its process of encrypting and ransoming the local drive and spreading. This DNS lookup is the "kill switch." If the name resolved properly, WannaCry would stop. When Marcus Hutchins registered the domain, he effectively killed WannaCry’s spread.
You can examine the traffic from a host infected by WannaCry’s by visiting https://precisionsec.com/wannacry-pcap-smb-445/ and downloading the wannacry_smb_445.pcap file. Thanks to Precisionsec for making this file public for research.
In this trace file, the compromised host sends out a DNS query for a nonsensical name. Approximately 1-1/2 seconds after the resolution failed, we see a port 445 scan begin. In the image that follows, I’ve hidden the source and destination IP addresses to show more information in the Packet List pane. When you view the trace file, you’ll notice the range of destination IP addresses being targeted by the port 445 scan.
Let’s return to 2017. We haven’t seen the end of malware related to the Equation Group’s leaked tools.
June 22 – A compromised version of M.E.Doc tax accounting software is pushed out by a Ukranian financial technology company during an update process. Look at who tweeted about the malicious M.E.Doc update – Marcus Hutchins (“MalwareTech”) (see Part 1 of this blog set). The malware sits dormant for five days.
June 27 – NotPetya (based on a modified version of EternalBlue and EternalRomance) ransomware attack is launched. This attack affects computers in Ukraine and around the world. On this same date, the United States blames North Korea’s Lazarus Group for launching WannaCry. Regardless of what the NotPetya ransom note says, it appears that NotPetya cannot decrypt the files. For more information on NotPetya, visit https://www.us-cert.gov/ncas/alerts/TA17-181A.
Note: The name "NotPetya" was used to indicate that this is not the same attack as the 2016 Petya attack. Petya was the name of the Soviet weapon satellite in the James Bond GoldenEye film featuring Pierce Brosnan (good old 1995).
Now things get really interesting!
September 13 - The United States government bans Kaspersky products on federal systems. Elaine Duke, the acting secretary of Homeland Security, orders all U.S. federal agencies to remove Kaspersky software from government systems. See Binding Operational Directive 17-01, “Removal of Kaspersky-branded Products” at https://cyber.dhs.gov/bod/17-01/. Kaspersky sues the United States of America and the U.S. Department of Homeland Security.
October 10 – The New York Times releases an article stating that Israeli government hackers inside Kaspersky’s network detected NSA tools in place in 2015 – the Israeli government notified the NSA. These same hackers also watched Kaspersky software being used by Russian hackers to search the world for US intelligence program code names. In addition, they stated that Kaspersky software was also used to scoop up improperly stored classified documents from an NSA employee’s home computer. It doesn’t appear that this was Harold T. Martin, but yet another NSA employee (possibly Nghia Pho – see September 2018). [See https://www.nytimes.com/2017/10/10/technology/kaspersky-lab-israel-russia-hacking.html.]
March 28 - Harold pleads guilty to what appears to be the largest breach of classified information in history. The FBI found “stacks of documents and electronic storage devices stashed in his car, home, and even garden shed.” It appears that Harold (he goes by “Hal,” ironically) has been hoarding classified materials at his home for over 20 years. Interestingly, it has been reported that Hal, calling himself “HAL99999999,” actually tried reaching out to Kaspersky employees to possibly offer materials with a “shelf life, three weeks.” His defense attorneys tried to portray Hal as a mentally unstable patriot.
February 15 – The U.S. White House issues a Statement from the Press Secretary placing blame for NotPetya directly on the Russian military. [See https://www.whitehouse.gov/briefings-statements/statement-press-secretary-25/.]
November 30 – Kaspersky’s suit against the United States and the U.S. Department of Homeland Security is dismissed. [See https://www.cadc.uscourts.gov/internet/opinions.nsf/E80294FD90EE7C05852583550053AE25/$file/18-5176.pdf.]
May 6 - Symantec releases a post entitled, "Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers Leak." [See https://www.symantec.com/blogs/threat-intelligence/buckeye-windows-zero-day-exploit .] Whoa! First of all - who is "Buckeye?" The Buckeye cyber espionage group (also known as APT3 and Gothic Panda) is a state-sponsored Chinese hacking group. ArtOfTheHak made an interesting 3-minute video profiling Gothic Panda.
The Symantec report indicates that the Buckeye espionage group was using a variant of DoublePulsar back in March 2016. The ShadowBrokers didn't release DoublePulsar until April 14, 2017.