Reflecting on the recent cyber attacks and looking at the WannaCry outbreak as an example, a key way to understand this growing threat is to trace back to the source and understand the underlying motive.
Attacks of this scale are very difficult to monetise without getting caught, so there must be a different motive behind them. Understand the motive and attribution becomes easier.
There are several possibilities to consider: young hackers who want to show off to their friends or prove themselves to gain entry to a new group; organised cyber-criminal groups whose main goal is financial gain; nation states collecting intelligence for political or economic advantage; and terrorists whose main motive is destruction and fear.
Of course, there are many more cyber players in the world – these are just a few examples. However, when it comes to the recent cyber attacks the motives are quite narrow.
Finding the root cause
In the discipline of digital forensics the goal is always to find the root cause, and in most cases it is either reverse engineering the malware or following the money trail. With WannaCry neither of these paths led clearly to anywhere and so the real motive has not been identified. As a result we have seen many people pointing to nation states as the protagonists.
The recent variant of Petya, or NotPetya depending on which security researcher you speak to, has prompted differing opinions. What is clear is that this recent cyber attack, which spread without a kill-switch, was not intended to be easily stopped. It is more of a wiper than ransomware, and again the money trail does not lead to any significant financial gain.
Identifying the real crime
What are the motives? Several alternatives make sense. In the world of hacking, the most intelligent way to get away with a crime is distraction, while the real crime happens elsewhere. If this is not a distraction, then the only remaining motive is terrorism: putting fear into the world about the huge potential impact that cyber attacks can have.
Looking again at the recent wiper/ransomware, it is possible that, if this was indeed a distraction, the real money is being made through large-scale currency manipulation, with Bitcoin as the financial motive.
The scale and speed of its spread, although not unprecedented, point to expertise and resources. In effect, the alternative motive behind both WannaCry and Petya could be insider trading, with currency manipulation and Bitcoin as the real target.
The motives behind financial gain or cyber terrorism
This can be supported by one common theory on the value of Bitcoin: the application of Metcalfe’s Law. Metcalfe’s law states that the value of a telecommunications network is proportional to the square of the number of connected users of the system (n²) (Wikipedia). Giovanni Santostasi, chief scientific officer at DeepWave and Fountain Health Technologies, has applied this to Bitcoin: “The exponential growth is driven by one factor only, not millions. The rate of adoption. Period. In fact there is a strong correlation (R² = 0.82) between number of users and price.”
So, if you want to manipulate the value of Bitcoin, the best way to achieve this is to cause a sudden increase in the number of users. This is most easily measured by the number of Bitcoin wallets in existence.
A global ransomware outbreak demanding payment in Bitcoin would certainly have such an effect: both direct victims and judicious organisations are likely to obtain wallets. Looking at the value of Bitcoin over the past 48 hours, the value increased by over 200 USD, or just under 10%, in the hours after the ransomware outbreak.
The reality is that the motive behind this recent cyber attack could indeed be either currency manipulation on a massive scale, or cyber terrorism with the goal of creating destruction and fear in the world. Today nobody has the answer.
Safeguarding the future
Some have even suggested that these examples are ‘test runs’ for future attacks, probing the viability of targeting newly discovered vulnerabilities. I would challenge this.
A test run would have a kill-switch, or we would never see it at all. There are also much better ways to do test runs that prove the malware’s capability without the risk of it getting into the wild.
This malware was intentionally released into the world to cause disruption and chaos, and perhaps financial gain. What’s more, unless companies disable or patch the root cause of this issue soon, this will remain an ongoing attack for years to come.
Sourced by Joseph Carson, Chief Security Scientist at Thycotic