Theft & Subsequent Re-Use of Cyber Weapons

Uploaded on 2018-07-06 in NEWS-News Analysis, INTELLIGENCE--International, FREE TO VIEW, TECHNOLOGY--Hackers

Almost exactly one year ago, the world experienced two destructive cyber-attacks in which offensive cyber tools developed by the National Security Agency were stolen and shared with the public. 

In May 2017, the WannaCry ransom-ware hit over 300,000 computers in 150 countries. One month later, the NotPetya attack hit the computer systems of companies and governmental entities across the globe causing millions of dollars in damages. 

These attacks exploited numerous vulnerabilities, and have subsequently exposed the slow response time of targeted countries and the lack of effective information sharing mechanisms between responsible agencies, something which could have mitigated the severe damage caused by the attacks.

The interesting feature of these attacks is that those responsible, North Korea and Russia, used the leaked offensive tools originally developed by the NSA. 

The investigation into WannaCry ultimately revealed that the attackers had exploited a security vulnerability called EternalBlue, originally developed by the NSA. NotPetya used a variant of the same vulnerability, which is still wreaking havoc a year later. For example, in February 2018, security researchers at Symantec reported that an Iran-based hacking group had used EternalBlue as part of its operations.

This situation whereby technologically advanced countries are investing efforts in developing offensive cyber capabilities only to have these very tools stolen and reused raises three critical questions of urgent policy relevance.

First, are states going to start reusing each other’s leaked cyber tools as a matter of course? The ability to reuse stolen cyber tools may signal the beginning of a shift in the distribution of international cyber power, as weaker actors (including non-state actors) become increasingly able to use sophisticated malware to cause global damage and possibly target the cyber weapons’ original designers. 

Countries that are less technologically advanced and less vulnerable to cyberattacks might find the reuse of stolen vulnerabilities appealing for their own offensive activity.

Second, is it possible to prevent the leaking of cyber tools from occurring in the first place? There aren’t many reasons to be optimistic. Firstly , there’s the insider threat problem, a particularly thorny issue given the extensive use of contractors and the risk that they steal or mishandle sensitive information that they were exposed to during their service. A second and possibly more problematic reason is that it is cheaper to use stolen vulnerabilities than finding new ones. As new vulnerabilities like EternalBlue get exposed, the costs of using stolen cyber vulnerabilities and conducting attacks are being consistently lowered while benefits remain high. 

States with offensive capabilities know that putting their hands on unique vulnerabilities developed by their adversaries will enable them to more easily launch sophisticated attacks without the need pursue a lengthy and costly R&D process. 
This makes the reuse of cyber tools especially appealing and may motivate different actors to concentrate their efforts in this direction. As long as the benefits of using the stolen vulnerabilities are higher than the costs, these vulnerabilities will remain an attractive target.

A third question for policymakers is whether the theft and reuse of cyber vulnerabilities change the way states handle these vulnerabilities. States should be aware of the risk that vulnerabilities leak into the open and develop information-sharing mechanisms to address it. These information sharing mechanisms should exist between the intelligence agencies themselves and between the intelligence community and the tech industry. 

Once it has been recognised that a vulnerability, exploit or tool has been stolen, the relevant agency should immediately share the specific data with all the agencies and firms that might get affected by it, just like what the NSA is believed to have done. 
To minimise security concerns and to not expose sensitive sources and methods, there is no need to share the precise reasons for giving such warnings. Yet it is crucial to share this information in order to patch the vulnerabilities as soon as possible and lower future risks.

The US government has its own vulnerabilities equities process (VEP) policy which sets out how the US government discloses computer vulnerabilities it detects or acquires to other vendors. Countries across Europe have their own similar VEP mechanism, and an EU-wide VEP is being considered. 

But as so many countries around the globe are developing offensive cyber capabilities, and in light global damage costs of the WannaCry and NotPetya, there is an urgent need to create an international mechanism for vulnerability disclosures akin to a global VEP.

Formulating an effective response to this growing type of cyber weapon proliferation is clearly the responsibility of national governments. 

Alongside the development of these offensive capabilities, and in light of the success of recent attacks, the theft and leak of offensive cyber weapons and their subsequent use is only likely to increase, potentially creating new international tensions between governments and between them and the tech industry.

Defense One:

You Might Also Read: 

Prices For Stolen NSA Exploits Go Higher:

When Terrorists Learn How to Hack:
 

« Using AI To Reduce Business Risks
China Escalates Hacks On The US »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

ZenGRC

ZenGRC

ZenGRC - the first, easy-to-use, enterprise-grade information security solution for compliance and risk management - offers businesses efficient control tracking, testing, and enforcement.

LockLizard

LockLizard

Locklizard provides PDF DRM software that protects PDF documents from unauthorized access and misuse. Share and sell documents securely - prevent document leakage, sharing and piracy.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Panzura

Panzura

Panzura optimizes enterprise data storage management and distribution in the cloud, making cloud storage simple and secure.

LexisNexis Risk Solutions

LexisNexis Risk Solutions

LexisNexis Risk Solutions provides technology solutions for Anti-Money Laundering, Fraud Mitigation, Anti-Bribery and Corruption, Identity Management, Tracing and Investigation.

Tigera

Tigera

Tigera provides zero-trust network security and continuous compliance for Kubernetes platforms that enables enterprises to meet their security and compliance requirements.

Red Sift

Red Sift

Red Sift is the only integrated cloud email and brand protection platform, supporting organizations to secure their communications.

Kapalya

Kapalya

Kapalya empowers businesses and their employees to securely store sensitive files at-rest and in-transit across multiple platforms through a user-friendly desktop and mobile application.

North European Cybersecurity Cluster (NECC)

North European Cybersecurity Cluster (NECC)

NECC promotes information security and cybersecurity-related cooperation and collaboration in the Northern European region in order to enhance integration into the European Digital Single Market.

Morphus Information Security

Morphus Information Security

Morphus is an information security company providing Red Team, Blue Team and GRC services as well as conducting research in cybersecurity and threat analysis.

TierPoint

TierPoint

TierPoint delivers secure, reliable, and connected infrastructure solutions at the internet’s edge. We meet you where you are in your journey to solve for data storage, compute, and recovery.

Bionic

Bionic

Bionic is an agentless way to get control over your increasingly complex applications so you can manage, operate, and secure them faster and more efficiently.

Foretrace

Foretrace

Foretrace aims to prevent, assess, and contain the exposure of customer accounts, domains, and systems to malicious actors.

Guardian Digital

Guardian Digital

Guardian Digital makes email safe for business. Threat-ready business email protection. Fully supported.

SE Ventures

SE Ventures

SE Ventures provides capital to big ideas and bold entrepreneurs who can benefit from Schneider Electric's deep domain expertise, R&D assets, and global customer base.

Assured Clarity

Assured Clarity

Assured Clarity are a global consultancy, specialising in Risk Management and Data Privacy, through Education, Awareness and Training, throughout an organisation.

RealDefense

RealDefense

RealDefense develops and markets various privacy, security and optimization technologies and services for consumers and small businesses.

Prompt Security

Prompt Security

Prompt Security provides an LLM agnostic approach to ensure security, data privacy and safety across all aspects of Generative AI.

Trovent Security

Trovent Security

Trovent was founded with a clear goal: to support medium-sized companies in significantly increasing their IT security level.