It was bound to happen: NSA exploits published by the Shadowbrokers group on April 14th 2017 were finally used to launch a massive cyberattack. Its final cost is still to be determined but it is expected to be substantial. The timing of the attack is quite surprising. Given that the exploits involved are available since April 14th, and that some Metasploit probes are able to detect the security patch released by Microsoft since the end of March, one may wonder why this first ransomware attack occurs so late.
An anonymous source close to the investigation into the initial exploits told Reuters in September 2016 that the NSA detected the leak as soon as it happened in 2013. The source goes on to say that the agency had “tuned its sensors to detect use of any of the tools by other parties, especially foreign adversaries with strong cyber espionage operations, such as China and Russia”. But because these sensors ( probably IDS-like probes placed directly on Internet backbones) did not detect unauthorized uses of these tools against U.S. or allied targets, the NSA did not feel the need to warn U.S manufacturers immediately. The detection capability of these sensors certainly does not cover every NSA exploits that have been leaked (in fact some of them only allow one to pivot within an already compromised network), but it may indeed apply to exploits like EternalBlue. With this in mind, it is easy to understand why potential users were reluctant to be the first to openly use this exploit.
WannaCry, the ransomware involved in the 12th May attack, first appeared in February 2017 in a far less dangerous form called Wcry, which failed to impress anyone. Today, the new version stands out not only for its virulence, but also for its lack of economic efficiency: gains only amount to tens of thousands of dollars, a ridiculous sum given the number of successful infections. This could be interpreted as amateurism, and it suggests that the perpetrators did not realize the efficiency of the exploits they decided to use for their own profit. But perhaps a certain degree of amateurism is indeed required to be bold enough to launch a ransomware campaign based of these exploits in such a visible fashion: authors of successful ransomwares have not yet dared to use them. And when a cybercriminal takes the risk to offer a complete exploit package on a blackmarket platform, he faces a fierce reaction from his peers, who certainly aren’t willing to draw the attention of law enforcement agencies on their community, and who argue that one must be foolish to be willing to take the risk of using such exploits now.
Insane, reckless, you say? Or maybe the authors of WannaCry simply decided they did not have much to lose should they be held responsible for the attack. In that case, it would not be surprising if the authors happened to be North Koreans, as suggested by the use of code samples identical to those found in a piece of malware belonging to Lazarus. This North Korean group is responsible for the Sony Pictures hack, the Bangladesh heist and DarkSeoul operation. This attack may actually have a more political nature than initially thought: one may argue that it could be a way for North Korea to demonstrate the efficiency of NSA’s cyber weapons, and to point out the responsibility the United States bear in the creation and proliferation of these weapons.
It’s worth noting that Shadowbrokers did wait for about a month after the Microsoft security update MS17-010 was published before publicly sharing these exploits. No need to be thankful though: the exploit was becoming less and less useful as time progressed since the patch was published. They may have concluded that a large-scale use by other actors would enable them to use the exploits discreetly for their own purposes.
In any case, the risk of overexposure likely to result from the first worldwide use of EternalBlue will not prevent it from being used again in the foreseeable future by numerous actors once the initial storm has passed. Such was the case of the Conficker worm, which used a vulnerability of comparable severity (MS08-067) and had similar consequences. Almost a decade later, it still accounted for a significant part of malware infection in 2016.