The ‘90s cyberpunk thriller Hackers is used too often to illustrate the fearful future of cyber security, but it’s popular for a reason. The film’s seemingly fictional scenarios keep coming true. Take this week’s global ransomware attack, for instance. It’s a plot twist that would make Matthew Lillard leer at the camera and cackle.
On Tuesday morning, a message from unknown hackers appeared on thousands of computers—kind of like that Matthew Lillard scene at the end of Hackers. The red screen was a result of ransomware, a malware that encrypts an infected computer’s files and demands payment in exchange for decrypting them.
Ransomware attacks are on the rise and criminals are raking in the bitcoin, but some experts believe the goal of Tuesday’s ransomware attack went beyond collecting cryptocurrency. They say the hackers wanted to disrupt information technology not only in Ukraine, where the attack started, but also across the world. The hackers wanted to pour a bit of chaos into the system.
Image: Ukraine government / Facebook
This is the batshit-crazy future of cyber attacks. As more sophisticated weapons make it out into the wild, it’s becoming easier and easier for blackhats to deploy malware and shut down computers all over the globe in exchange for a few bitcoins. But by proxy, it’s also easier for hackers to use the same techniques to cause pure chaos, whether they get paid for it or not.
Last month, for instance, WannaCry ransomware infections swept through computers in over 150 countries. The malware propagated via EternalBlue, a stolen and leaked NSA exploit, and it encrypted the hard drives tens of thousands of computers in Russia, the UK, and elsewhere. WannaCry asked the computer owners for the equivalent of $300 (£231.40) in bitcoin to unlock their machines. Fortunately, security researcher Marcus Hutchins quickly identified a kill switch, which allowed security experts to slow its spread. Some think this might have been a happy accident, but it still reigned in the havoc unleashed by the attack. Nevertheless, the hackers reportedly made over $50,000 (£38,565) in three days.
This month’s attack was different. Security researchers are calling the global assault a lot of different names—Petya, NotPetya, Nyetya, GoldenEye—but most everyone agrees that the attack started in Ukraine and spread through corporate VPN systems. As with WannaCry, the new attack encrypted the victims’ hard drives and demanded $300 to unlock them. Unlike WannaCry, however, no kill switch was identified, and yet, it doesn’t look like the hackers made much money at all. The attackers required victims to send a confirmation email to an email address hosted by Posteo, an email address that Posteo blocked not long after the attack started. That meant that the hackers couldn’t receive payments, and the victims couldn’t get their machines unlocked.
But some experts think that the attack was never about profits. It was about chaos.
“This is definitely not designed to make money,” wrote the security researcher who goes by “the grugq” in a blog post. “This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.’”
The details and timing of the attack support this theory. As the grugq points out, the attackers’ code was based off a known ransomware tool called Petya, and patient zero—the software that the malware initially targeted—was an accounting program made by the Ukrainian financial tech company MeDoc. According to the grugq, “everyone that does business requiring them to pay taxes in Ukraine has to use MeDoc,” since it’s one of only two software packages approved by the Ukrainian government. And so, if hackers wanted raise hell in Ukraine, while also impacting foreign companies that did business with Ukraine, the MeDoc software was the perfect target.
This brings us to timing. The Guardian suggests that Tuesday’s attack held special significance, since it arrived a day before Ukraine’s constitution day. This national public holiday celebrates the anniversary of the signing of the Ukrainian constitution on June 28, 1996. From a different point of view, the holiday also marks the day that Ukraine officially broke away from the former Soviet Union. And if you’ve been watching the news in the past three years, you know that Ukraine and Russia haven’t exactly been getting along lately. The two countries have been waging their own Cold War of sorts, after Russia annexed the Crimea territory in eastern Ukraine in 2014.
So it seems possible that pro-Russian hackers could have been behind this week’s attack. If their mission was indeed to cause chaos in Ukraine and amongst its economic allies, they succeeded. They didn’t make much money, but that probably wasn’t the point. Even still, one can’t rule out the possibility that it was a regular old ransomware attack that got botched. But seriously, just look at the evidence.
“I honestly don’t know, because both are plausible, [but] I’d lean toward Russia [given the] timing,” security entrepreneur Ryan Lackey told Gizmodo. “But it easily could have been some kind of team effort by hackers where some subset working on some parts was great and one guy or another team sucked.”
The Russia theory also falls in line with recent events involving cyber attacks in Ukraine. The country’s been hit with thousands of attacks since the conflict with Russia over the Crimean territory heated up a few years ago. Last December, it reached a fever pitch, when hackers caused a blackout in large sections of Ukraine’s capital, Kiev. This happened almost exactly a year after a similar incident in 2015. Not only are the hackers involved—Russian or not—using more sophisticated methods, they’re also starting to use them elsewhere in the world, including the United States.
Meanwhile, Russia is basically playing dumb. Kremlin spokesman Dmitry Peskov said in a statement, “[The attack] again proves the Russian thesis that such a threat requires cooperation on the global level.” Which is a funny thing to say, since security researchers agree that the attack targeted Ukraine but spread to the country’s economic partners through the MeDoc software. In doing so, the attackers effectively created the illusion of international cooperation. They also ramped up the potential for global chaos quite a bit.
Which brings us back to the movie Hackers. Ultimately, the plot comes down to sabotage that puts hackers in the middle of an international conflict, involving governments and major corporations. Viewed through a certain lens, this week’s attack potentially reflects the same tension. In that clip, Matthew Lillard talks about a conspiracy involving a computer virus that “was to be blamed on innocent hackers” in order to pull off a much larger, much more sinister mission. Part of the point was to create chaos in order to distract the world from a much more orderly assault.
We don’t yet know whether this week’s hackers had ties to Russia, and we might never know. Nevertheless, it feels like we’re entering a new era of cyber attacks, one where politically motivated attacks can hide behind the mask of money-hungry hackers. It’s frightening because we don’t actually know who the bad guys are, and we don’t really know what they’re trying to do. It’s terrifying because these attacks are happening more often, and the methods are becoming more sophisticated every week.
But seriously, does this scenario sound like a cyberpunk thriller, or what? Too bad it’s real life.