Let this recap of 2017’s biggest cyber-incidents so far serve as a reminder of just how chaotic things have already gotten, and the year’s only halfway done.
The mysterious hacking group known as the Shadow Brokers first surfaced in August 2016, claiming to have breached the spy tools of the elite NSA-linked operation known as the Equation Group. The Shadow Brokers offered a sample of alleged stolen NSA data and attempted to auction off a bigger trove, following up with leaks for Halloween and Black Friday in 2016.
This April, though, marked the group’s most impactful release yet. It included a trove of particularly significant alleged NSA tools, including a Windows exploit known as EternalBlue, which hackers have since used to infect targets in two high-profile ransomware attacks (see below).
On May 12 a strain of ransomware called WannaCry spread around the world, walloping hundreds of thousands of targets, including public utilities and large corporations. Notably, the ransomware temporarily crippled National Health Service hospitals and facilities in the United Kingdom, hobbling emergency rooms, delaying vital medical procedures, and creating chaos for many British patients.
Though powerful, the ransomware also had significant flaws, including a mechanism that security experts effectively used as a kill switch to render the malware inert and stem its spread. US officials later concluded with “moderate confidence” that the ransomware was a North Korean government project gone awry that had been intended to raise revenue while wreaking havoc. In total, WannaCry netted almost 52 bitcoins, or about $130,000—not much for such viral ransomware.
A month or so after WannaCry, another wave of ransomware infections that partially leveraged Shadow Brokers Windows exploits hit targets worldwide. This malware, called Petya, NotPetya and a few other names, was more advanced than WannaCry in many ways, but still had some flaws, like an ineffective and inefficient payment system.
Though it infected networks in multiple countries—like the US pharmaceutical company Merck, Danish shipping company Maersk, and Russian oil giant Rosneft—researchers suspect that the ransomware actually masked a targeted cyberattack against Ukraine. The ransomware hit Ukrainian infrastructure particularly hard, disrupting utilities like power companies, airports, public transit, and the central bank, just the latest in a series of cyber assaults against the country.
Photo caption: A display panel showing an error message at the main railway station in Frankfurt am Main, Germany, 13 May 2017. The worldwide cyberattack brought down tens of thousands of computers belonging to companies, institutions and individual users; in Germany, the national railway was among those affected.
WikiLeaks CIA Vault 7
On March 7, WikiLeaks published a data trove containing 8,761 documents allegedly stolen from the CIA that contained extensive documentation of alleged spying operations and hacking tools. Revelations included iOS and Android vulnerabilities, bugs in Windows, and the ability to turn some smart TVs into listening devices.
WikiLeaks called the dump “Vault 7,” and the organization has followed the initial release with frequent, smaller disclosures. These revelations have detailed individual tools for things like using Wi-Fi signals to track a device’s location, and persistently surveilling Macs by controlling the fundamental layer of code that coordinates hardware and software.
WikiLeaks claims that Vault 7 reveals “the majority of [the CIA] hacking arsenal including malware, viruses, trojans, weaponized ‘zero day’ exploits, malware remote control systems and associated documentation.” It is unclear, though, what proportion of the CIA toolbox the disclosures actually represent. Assuming the tools are legitimate, experts agree that the leaks could cause major problems for the CIA, both in terms of how the agency is viewed by the public and in its operational abilities. And as with the Shadow Brokers releases, Vault 7 has led to heated debate about the problems and risks inherent in government development of digital spy tools.
In February, the internet infrastructure company Cloudflare announced that a bug in its platform caused random leakage of potentially sensitive customer data. Cloudflare offers performance and security services to about six million customer websites (including heavy hitters like Fitbit and OKCupid), so though the leaks were infrequent and only involved small snippets of data, they drew from an enormous pool of information.
Google vulnerability researcher Tavis Ormandy discovered the problem on February 17, and Cloudflare patched the bug within hours, but the data leakage could have started as early as September 22, 2016. Leaked data was only deposited on a small subset of Cloudflare customer sites, and usually it wasn’t visible on the pages themselves. Search engines like Google and Bing that crawl the web, though, automatically cached the errant data—everything from gibberish to users’ Uber account passwords and even some of Cloudflare’s own internal cryptography keys—making it all easily accessible through search.
198 Million Voter Records Exposed
Unfortunately, it’s not uncommon to hear that a trove of voter data was breached or exposed somewhere in the world. But on June 19, researcher Chris Vickery announced a discovery that would give even the most jaded security expert pause. He had discovered a publicly accessible database that contained personal information for 198 million US voters—possibly every American voter going back more than 10 years.
Macron Campaign Hack
Two days before France’s presidential runoff in May, hackers dumped a 9GB trove of leaked emails from the party of left-leaning front-runner (now French president) Emmanuel Macron. The leak seemed orchestrated to give Macron minimal time and ability to respond, since French presidential candidates are barred from speaking publicly beginning two days before an election. But the Macron campaign did release statements confirming that the En Marche! party had been breached, while cautioning that not everything in the data dump was legitimate.
The attack was less strategic and explosive than the WikiLeaks releases of pilfered DNC emails that dogged Hillary Clinton’s presidential campaign in the US, but Macron also had the advantage of observing what had happened in the US and preparing for potential assaults. Researchers did find evidence that the Russian-government-linked hacker group Fancy Bear attempted to target the Macron campaign in March.
After the email leak heading into the election, the Macron campaign said in a statement, “Intervening in the last hour of an official campaign, this operation clearly seeks to destabilize democracy, as already seen in the United States’ last president campaign. We cannot tolerate that the vital interests of democracy are thus endangered.”