The components of the global cyber attack that seized hundreds of thousands of computer systems last week may be more complex than originally believed, a Trump administration official said last Sunday, and experts warned that the effects of the malicious software could linger for some time.
As a new workweek started on Monday in Asia, there were concerns the malicious software could spread further and in different forms, with new types of ransomware afflicting computers around the globe.
There were initial reports of new cases found over the weekend in Japan, South Korea and Taiwan.
The cyber attack has hit 200,000 computers in more than 150 countries, according to Rob Wainwright, executive director of Europol, Europe’s police agency.
Among the organizations hit were FedEx in the US, the Spanish telecom giant Telefónica, the French automaker Renault, universities in China, Germany’s federal railway system and Russia’s Interior Ministry.
The most disruptive attacks infected Britain’s public health system, where surgeries had to be rescheduled and some patients were turned away from emergency rooms.
President Donald J. Trump has ordered his homeland security adviser, Thomas P. Bossert, who has a background in cyber issues, to coordinate the government’s response to the spread of the malware and help organize the search for who was responsible, an administration official said on Sunday.
The attack is more complicated because “the experts tell us that this code was cobbled together from many places and sources,” according to an administration official who insisted on anonymity to discuss the government’s cyber-security plans. The more potential sources of the malicious code, the harder it is for investigators to run down the trail of possible perpetrators.
The source of the attack is a delicate issue for the US because the vulnerability on which the malicious software is based was published by a group called the Shadow Brokers, which last summer began publishing cyber tools developed by the National Security Agency (NSA).
Government investigators, while not publicly acknowledging that the computer code was developed by US intelligence agencies as part of the country’s growing arsenal of cyberweapons, say they are still investigating how the code got out. There are many theories, but increasingly it looks as if the initial breach came from an insider, perhaps a
Copycat variants of the malicious software behind the attacks have begun to proliferate, according to experts, who were on guard for new attacks.
“We are in the second wave,” said Matthieu Suiche of Comae Technologies, a cyber-security company based in the United Arab Emirates. “As expected, the attackers have released new variants of the malware. We can surely expect more.”
The National Police Agency in Japan found two computers with the malicious software over the weekend, according to reports by NHK, the national broadcaster. One instance was found on a personal computer in a hospital and the other on a private citizen’s home computer.
A hospital in Taiwan also reported that one of its computers was compromised, Taiwan’s Central News Agency said on Sunday.
Five businesses in South Korea reported ransomware attacks over the weekend, according to the government’s internet security agency, and a Korean theater chain said late-night moviegoers on Sunday alerted them when computer ransom notes appeared on screens instead of programmed advertisements.
The spread of the malicious software, or malware, has focused attention on several questions, including why a software patch, issued by Microsoft in March, was not installed by more users. But for many systems, especially older systems, such patches are not installed automatically—a fact the hackers took advantage of. Microsoft has not said how it became aware of the vulnerability, but it seems likely it was tipped off by the NSA.
Brad Smith, president and chief legal officer of Microsoft, said in a blog post on Sunday the attack should be a “wake-up call” for the tech industry, consumers and governments.
Smith said Microsoft had the “first responsibility” for addressing vulnerabilities in its software, and that customers must be vigilant. But he said the latest attack showed the dangers of governments’ “stockpiling of vulnerabilities”.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote.
So far, the main targets of the attack have been outside the US. But neither the federal government nor US corporations assume that this will continue to be the case.
Britain’s National Cyber Security Center said last Sunday it had seen “no sustained new attacks,” but warned that compromised computers might not have been detected yet, and that the malware could further spread within networks.
Monday could bring a wave of attacks to the US, warned Caleb Barlow, vice president of threat intelligence for IBM. “How the infections spread across Asia, then Europe overnight will be telling for businesses here in the US,” he said.
A 22-year-old British researcher who uses the Twitter name MalwareTech has been credited with inadvertently helping to stanch the spread of the assault by identifying the web domain for the hackers’ “kill switch”—a way of disabling the malware. Suiche of Comae Technologies said he had done the same for one of the new variants of malware to surface since the initial wave.
Last Sunday MalwareTech was one of many security experts warning that a less-vulnerable version of the malware is likely to be released. On Twitter, he urged users to immediately install a security patch for older versions of Microsoft’s Windows, including Windows XP. (The attack did not target Windows 10.)
Allan Liska, an analyst with Recorded Future, a cyber-security company, said a new version of the ransomware he examined on Sunday did not have the kill switch. “This is probably version 2.1, and it has the potential to be much more effective—assuming security defenders haven’t spent all weekend patching,” he said.
The Microsoft patch will help, but installing it across large organizations will take time.
Microsoft has complained for years that a large majority of computers running its software are using pirated versions. The spread of hacking attacks has made legal versions of software more popular, as they typically provide automatic updates of security upgrades.
Governments around the world were bracing themselves for new attacks.
“Please beware and anticipate, and take preventive steps against the WannaCry malware attack,” Indonesia’s communication and information minister, Rudiantara, who like many Indonesians uses only one name, said Sunday at a news conference.
He confirmed one hospital had been afflicted, but without major effects on patients.
In Britain fallout continued Sunday. Two opposition parties, the Labour Party and the Liberal Democrats, asserted that the governing Conservative Party had not done enough to prevent the attack. With a general election on June 8, officials have been racing to get ahead of the problem.
Britain’s defense minister, Michael Fallon, told the BBC on Sunday the government was spending about 50 million pounds, about $64 million, to improve cyber security at the National Health Service (NHS), where many computers still run the outdated Windows XP software, which Microsoft had stopped supporting.
A government regulator warned the NHS in July that updating hardware and software was “a matter of urgency”.
Image credits: AP/Mark Schiefelbein