Tuesday, May 23, 2017

Cover and Wannacry

I went to a dinner party once, not in the US, and ended up talking to a retired HUMINT official, also not from the US. I asked him some dumb questions, as Americans do. One of which was, "What's it like trying to make friends with people you hate?"

What he said was that there's always something you can find to really like about a person. You just dwell on that and the camaraderie is natural.

The other question I asked him was if it stressed him out, all the cover and hiding and stuff. And what he said was that after a while he never ever worried about hiding from the adversary. He only worried about getting back-stabbed by the incompetents on his own team. Generally, people who think they are helping, but instead are fucking you, and your whole team, over. This, to be fair, is how I think of all the well-meaning people trying to give vulnerabilities to Microsoft because they feel left out and they want to be part of the cool kids club.

But here's also the thing about cover: People are good at it. It's hard to admit, because there's a natural impulse to think that what you are catching is at least the B team. But maybe it's the D- team. Maybe there is an exponential scale beyond the fishpond you're finding and know about and have listed on the Symantec pages, or maybe the part of the picture you see on the Symantec blog posts analyzing trojans with MD5 signatures is missing crucial pieces of the puzzle.

So what I like to do to look at these things is have a larger strategic structure in mind, and then say "How does this fit into the REALM of possibilities", instead of "What does this lead to from the evidence as presented".

The realm of possibilities is quite interesting here. In addition to being a worm, Wannacry had a TOR C2 in it. And the reporting on Wannacry very much makes it seem like a disconnected event. But what if Wannacry is part of a fabric of attacks? What if the ransom money is meaningless - just something to hook onto for the press so that the reporting isn't "North Korean worm targets everyone...for no apparent reason". Because that would mean everyone did deep analysis. Nobody does deep analysis of what Ransomware does, except to try to decrypt the data.

Sometimes you give a worm "something" to do that is not the main goal. People aren't really analyzing Wannacry for C2 operations that much - mostly they just remove it. In this way, a Nation-State attack can be cloaked as a simple crimeware attack run by a nation-state.

And in the case of Wannacry, there are two goals which might be the main goal if you put a real cyber warfare strategist in charge, which I assume they do:
1. Access to information and networks that are hard to reach
2. Testing self-replicant infrastructure and methodology

The main goal is not "make 100k" because this is a team which steals millions of dollars per op. It would have made MORE sense for them to have shared their kill-switch information with Huawei, Tencent and Qihoo360 first, or soon after launch. . . and I bet we find they tried to do just that.

No comments:

Post a Comment