Part 1 of 2: Spies, Espionage, Ransomware, and Harold
Updated: Jun 28, 2019
On May 6, 2019, Symantec released a blog entitled “Buckeye: Espionage Outfit Used Equation Group Tools Prior to Shadow Brokers’ Leak.” This is a stunning revelation in a movie-bound story of ransomware, nation-state attackers and spies, violation of the espionage act, and a guy named Harold.
In this first blog, I will cover the timeline up to the date of EternalBlue’s release. EternalBlue is one of the Equation Group’s tools released by ShadowBrokers and instrumental in Wannacry’s propagation.
Last week I presented a session called “Network Forensics with Wireshark” at the HTCIA Silicon Valley conference. The leading presentations made numerous references to WannaCry and EternalBlue. Upon taking the stage, I asked the audience if they were aware of the history leading up to WannaCry’s emergence. They indicated a curiosity that prompted me to start my presentation with a session simply entitled “Hmmmm…”
Here are some excerpts from that presentation. In part 2 of this blog series, I will examine a WannaCry trace file, explain why Harold is a concern, and review Symantec’s blog statements.
The WannaCry ransomware attack reared its ugly head in May of 2017. The attack targeted Windows systems by encrypting data and demanding payment via Bitcoin.
WannaCry propagated through a tool called EternalBlue. Although Microsoft had released patches to thwart the spread of WannaCry, many organizations had not applied the patches yet.
WannaCry was “neutered” by Marcus Hutchins (a.k.a. “MalwareTech”) when he registered a domain that matched the hard-coded URL (the kill-switch). If WannaCry could successfully resolve the kill-switch URL, it wouldn’t continue its destructive course of action or ransom demand. [Read the postscript at the end of this blog for the latest information on Marcus Hutchins’ indictment and guilty plea. Marcus will also resurface in Part 2 of this blog series.]
EternalBlue (an instrumental element of WannaCry) exploits a Windows fault that “allows remote attackers to execute arbitrary code via crafted packets, aka ‘Windows SMB Remote Code Execution Vulnerability’” [CVE-2017-0144]. [Visit https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144 for details.]
Prior to Windows 8, interprocess communications [IPC$] allow null sessions. This is the vulnerability that EternalBlue exploits.
EternalBlue was created by the NSA as part of a hacking tool set called the FuzzBunch framework. EternalBlue is important to WannaCry.
NSA’s Tailored Access Operations (TAO) develops a set of hacking tools (FuzzBunch framework) including EternalBlue. “Equation Group” is the code name of NSA’s TAO group.
February 16, 2015 – Kaspersky publishes Equation Group: The Crown Creator of Cyber-Espionage, Equation: The Death Star of Malware Galaxy, and Equation Group: Questions and Answers (PDF). [See https://securelist.com/files/2015/02/Equation_group_questions_and_answers.pdf]
August 13, 2016 – ShadowBrokers launches the Equation Group Cyber Weapons Auction. The auction includes 300MB of exploits against Cisco, Fortinet, Juniper and TopSec. [SECONDDATE is included in the release; it becomes an important item on August 19.] ShadowBrokers set a desired bid amount of one million Bitcoin (about $560 at the time). Only a fraction of that amount was bid.
August 16, 2016 – Kaspersky’s blog compares the RC5/RC6 encryption implementations in the “freebies” against their known Equation Group signatures and states that the leaked exploits are likely from Equation Group. See https://securelist.com/the-equation-giveaway/75812/
August 19, 2016 – The “FOXACID SOP FOR OPERATIONAL MANAGEMENT OF FOXACID INFRASTRUCTURE” document leaked by Edward Snowden is used to verify that the ShadowBrokers’ dump includes NSA tools by validating a 16-character string (“ace02468bdf13579”) contained in SECONDDATE.
“5. OR if the project is going to be using SECONDDATE, you must use the “ace02468bdf13579” MSGID. This is mandatory in all SECONDDATE operations. This creates a date time stamp when the tag is being used. This time stamp prevents constant re-exploitation from the target hitting the back button in their browser.”
August 27, 2016 – FBI raids the home of Harold T. Martin, III, a Booz Allen Hamilton contractor working in the Tailored Access Operations (TAO) group in the NSA. We will come back to Harold in Part 2 of this blog series. He will have a big impact on the security industry for years to come.
October 31, 2016 – TheShadowBrokers’ Trick or Treat post releases some tools and code names including DEWDROP, INCISION, JACKLADDER, ORANGUTAN, PATCHICILLIN, RETICULUM, SIDETRACK, and STOCSURGEON.
January 8, 2017 – The ShadowBrokers’ Windows Warez auction offers up exploits for 750 BTC ($660,000 at that time). It’s another disappointment.
January 12, 2017 – The ShadowBrokers decide to go dark, stating that “Despite theories, it always being about bitcoins for TheShadowBrokers.” They also stated “If TheShadowBrokers receiving 10,000 btc in bitcoin address then coming out of hiding and dumping password for Linux + Windows.” TheShadowBrokers release the 58 Windows hacking tools for free.
March 14, 2017 – Microsoft releases security bulletin MS17-010 detailing the security flaw, with patches now available. The update also provides a way to block null-session access to IPC$.
April 14, 2017 – TheShadowBrokers’ “Lost in Translation” post leaks the FuzzBunch tools. ETERNALBLUE is now in the wild. ETERNALROMANCE is now in the wild.
May 12, 2017 – WannaCry hits the world, wreaking havoc on millions of computer systems including the UK National Health Service (NHS), numerous US hospitals, FedEx, Nissan, Russian banks/railway system/interior ministry, international police departments, universities in China, and Hitachi.
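As an added defender’s check that is not part of the original post, the following PowerShell audits a Windows host for the two conditions the timeline above keeps returning to: SMBv1 still enabled (the protocol MS17-010 patches) and anonymous null-session access to IPC$ left unrestricted. The registry paths and the Get-SmbServerConfiguration cmdlet are standard Windows settings; the treatment of absent registry values as the OS defaults is an assumption stated in the comments.

```powershell
# Read-only audit (added example, not from the original post). Run elevated.
# Reports SMBv1 status and the null-session restrictions on this host.

$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. SMBv1 server support. Get-SmbServerConfiguration exists on Windows 8 /
#    Server 2012 and later; older hosts fall through to the registry value.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
} else {
    $v = Get-ItemProperty $lanman -Name SMB1 -ErrorAction SilentlyContinue
    # Assumption: an absent SMB1 value means the default, which on these
    # older systems is SMBv1 enabled.
    $smb1 = if ($null -eq $v) { $true } else { $v.SMB1 -ne 0 }
}

# 2. Null-session (anonymous IPC$) restrictions.
#    RestrictAnonymous 1 or 2 limits what an anonymous connection can enumerate;
#    RestrictNullSessAccess 1 limits anonymous access to shares and pipes.
$lsaProps = Get-ItemProperty $lsa
$srvProps = Get-ItemProperty $lanman
$restrictAnon = [int]$lsaProps.RestrictAnonymous          # absent -> 0 (unrestricted)
$nullSess = if ($null -eq $srvProps.RestrictNullSessAccess) { 1 }   # assumed OS default
            else { [int]$srvProps.RestrictNullSessAccess }

$finding = if ($smb1) { 'SMBv1 enabled: confirm MS17-010 is installed and disable SMBv1' }
           elseif ($restrictAnon -eq 0 -or $nullSess -eq 0) { 'Anonymous IPC$ access is not restricted' }
           else { 'OK for the settings checked' }

[pscustomobject]@{
    ComputerName           = $env:COMPUTERNAME
    SMB1Enabled            = $smb1
    RestrictAnonymous      = $restrictAnon
    RestrictNullSessAccess = $nullSess
    Finding                = $finding
}
```

The “OK” verdict covers only these two settings; it does not verify that the MS17-010 update itself is installed, which still needs a patch-inventory check.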
So now we are up to May 2017. EternalBlue is in the open and WannaCry is hitting the world.
In the next blog, I will bring in Petya and NotPetya, introduce a group of Israeli hackers, ponder Kaspersky's role in this situation, look at a trace of WannaCry, and explain why Harold concerns me so much.
Postscript to Part 1: Marcus Hutchins
July 11, 2017 - The United States District Court, Eastern District of Wisconsin, indicted Marcus Hutchins for developing and selling the Kronos malware which steals online banking credentials. Although a British citizen, Marcus Hutchins was barred from leaving the United States.
April 19, 2019 – Marcus Hutchins pleaded guilty to two of the ten charges brought against him under U.S.C. Title 18, Section 2512. Each charge carries a maximum of up to 5 years in prison, up to a $250,000 fine, and up to a year of supervised release. [Read the plea agreement at https://www.courtlistener.com/recap/gov.uscourts.wied.77855/gov.uscourts.wied.77855.124.0.pdf.]