As fear of the WannaCry ransomware grips internet users worldwide, Newsd talks to Pukhraj Singh, a renowned cyber-security expert. He played an instrumental role in setting up the cyber-warfare operations centre of the National Technical Research Organisation (NTRO), India’s technical intelligence agency. Singh also helped chart the course of some seminal government initiatives on cybersecurity, such as the National Critical Infrastructure Protection Centre (NCIIPC), the Inter-ministerial Task Force on Cyber Defence & Preparedness, and the Information Security Guidelines & Procedures of the Ministry of Home Affairs.
Here is an excerpt from the exclusive interview:
Q. Could you please explain how WannaCry works?
Well, it all started when a mysterious group of hackers called the ShadowBrokers claimed to have broken into the cyber-weapon stockpile of Tailored Access Operations (TAO) last year. TAO is an elite hacking division of the National Security Agency (NSA), assigned with the most challenging missions of penetrating into nations and organisations to glean intelligence from their networks. Their cyber-weapon stockpile itself is valued at billions of dollars. Over the course of many months, ShadowBrokers have released portions of the stolen exploits – experts have confirmed that they actually belonged to TAO. One of the exploits, codenamed ETERNALBLUE by the NSA — released to the public in April 2017 — targeted versions of Microsoft Windows dating back all the way to Windows XP. It was quite a potent hack, imparting complete access to many flavours of Windows upon exploitation. Someone packaged that vulnerability into a self-replicating computer worm which is now known as WannaCry.
Although Microsoft had promptly issued a patch for the vulnerability, it does take a lot of time for the affected parties to apply it, as the deployment base of Windows spans hundreds of millions of computers. The mechanism of WannaCry itself is quite inelegant. It infects a vulnerable Windows system, encrypting all the data to blackmail the user into paying a ransom. In the meantime, it also scans for more vulnerable computers in its vicinity and on the internet. This goes on and on in an endless loop. That’s WannaCry for you – a stupid little irritant that has now acquired global significance, piggybacking upon a powerful vulnerability.
Q. How can its impact be minimised after exposure to the malware?
Patch your systems at the earliest if you don’t want to get caught in the crossfire of a global cyber war. Start with the advisory issued by Microsoft to understand its magnitude. Many organisations are not in a position to apply the patches immediately, as it may break untested applications or functionalities. For them, limiting the exposure to the affected service is extremely important. The vulnerability affects the Server Message Block protocol running on port 445 of the Windows operating system. Limit access to it.
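One way to carry out the interim measure Singh recommends above, limiting access to SMB on port 445 while the patch is being rolled out, is the following PowerShell script. It is an added example and is not code from the interview or from Singh; it assumes a Windows 8 / Server 2012 or later host with the built-in SmbShare and NetSecurity modules, an elevated session, and the rule name it creates is an assumed label. It first reports the host's current exposure (whether the legacy SMBv1 dialect is enabled, whether anything listens on TCP 445, whether a block rule already exists), then disables SMBv1 and adds a firewall rule that blocks inbound 445 from addresses outside the local subnet, so LAN file sharing keeps working but the service is no longer reachable from the internet.

```powershell
# Added example (not from the interview): audit and reduce SMB exposure on one Windows host.
# Assumes Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules present),
# run from an elevated PowerShell session. $RuleName is an assumed label for the rule created here.
#Requires -RunAsAdministrator

$RuleName = 'Harden-SMB-Block-Inbound-445-From-Internet'   # assumed rule name

function Get-SmbExposure {
    # Report the three things that matter for this vulnerability:
    # is SMBv1 still on, is TCP 445 listening, and is the block rule already in place.
    $smb       = Get-SmbServerConfiguration
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
    $rule      = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Enabled      = $smb.EnableSMB1Protocol
        ListeningOn445   = [bool]$listening
        BlockRulePresent = [bool]$rule
    }
}

function Invoke-SmbHardening {
    # 1. Turn off the legacy SMBv1 dialect (server-side protocol setting, takes effect immediately).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # 2. Block inbound TCP 445 from anything that is not on the local subnet.
    #    'Internet' is a built-in address keyword of the Windows Firewall cmdlets; block rules
    #    take precedence over allow rules, so the default File and Printer Sharing allows
    #    no longer expose the port beyond the LAN.
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $RuleName `
            -Direction Inbound -Protocol TCP -LocalPort 445 `
            -RemoteAddress Internet -Action Block -Profile Any | Out-Null
    }
}

Write-Host 'Exposure before hardening:'
Get-SmbExposure | Format-List

Invoke-SmbHardening

Write-Host 'Exposure after hardening:'
Get-SmbExposure | Format-List
```

Run the audit function on its own first across a sample of machines; a host that still listens on 445 with SMBv1 enabled and no block rule is the case the answer above warns about. Disabling SMBv1 can break very old clients and appliances that speak only that dialect, which is exactly the "untested applications" concern Singh raises, so test it on a pilot group before pushing it fleet-wide. Neither step replaces the Microsoft security update referred to in the advisory; they only shrink the window in which an unpatched host can be reached.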
Q. Russia, Ukraine, India and Taiwan have been the countries most affected by this attack. As a cyber-security expert, would you call the Indian government’s reaction to it satisfactory? Is it true that India is safe from these attacks?
India’s cyber czar deems the attack low-key. Around three weeks ago, I performed a nation-wide scan of the IP range and found multiple infections of the ETERNALBLUE-DOUBLEPULSAR implant kit. The information was corroborated with other folks on Twitter who had performed similar global scans, listing a high hit-rate from India. Someone had already weaponised the exploits and undertaken a mass compromise. A worm was merely a step away. CERT-In ought to have seen the blips on the radar right then.
It also tells us two things. First, anyone who’s still allowing connections to ports like SMB from the Internet has a pathetic security posture. It’s not like other countries don’t have legacy systems on their networks, but we just haven’t contained the exposure. During that scan, I got a lot of pings from the National Optical Fiber Network, which I believe is a re-branded National Knowledge Network. This is critical infrastructure 101 — some stock-taking from NCIIPC is required (it’s a constitutional body and the public should have access to its response mechanisms).
Second, the cyber czar’s assertion may be a little unfounded. India is the third-largest source of infections for WannaCry. Factor that with relative Internet density and per-capita figures
Just to emphasise a point: the “accidental hero” who found the kill-switch in the initial strains of the malware sourced the preliminary intelligence from UK’s National Cyber Security Center — which runs an automated, community-driven cyber threat intelligence aggregation and sharing platform. There has been no response from the Indian establishment on the institutionalisation of such frameworks, while the whole world seems to be moving towards sectoral/collaborative models of cyber defence. Even the adoption of threat intelligence standards has not begun in earnest.
We need to keep in mind that ransomware typically just subverts the functioning of a known vulnerability to blackmail the victim. It’s not worthy of so much publicity. Rather than being so reactive, the focus should have been on minimising the exposure to the vulnerability itself, which could have been accomplished much, much in advance.