Scot A. Terban is a security professional with over 13 years of experience specializing in areas such as Ethical Hacking/Pen Testing, Social Engineering, Information Security Auditing, ISO 27001, Threat Intelligence Analysis, and Steganography Application and Detection. He tweets at @krypt3ia and his website is https://krypt3ia.wordpress.com. Divergent Options’ content does not contain information of an official nature nor does the content represent the official position of any government, any organization, or any group.
National Security Situation: Paying ransom for exploits being extorted by Advanced Persistent Threat Actors: Weighing the Options.
Date Originally Written: June 1, 2017.
Date Originally Published: June 8, 2017.
Author and / or Article Point of View: Recent events have given rise to the notion of crowdfunding money to pay for exploits held by the hacking group known as the ShadowBrokers through the monthly “dump of the month club” they have ostensibly started. This article examines, from a red team point of view, the idea of meeting the actors’ extortion demands in order to gain early access to new nation-state-level exploits, reverse engineer them, and immunize the community against them.
Background: On May 30, 2017 the ShadowBrokers posted to their new blog site that they were starting a monthly dump service wherein subscribers could pay a fee for access to exploits and other materials that the ShadowBrokers had stolen from the U.S. Intelligence Community (USIC). On May 31, 2017 a collective of hackers created a Patreon site to crowdfund that fee, pay the ShadowBrokers for their wares, and reverse engineer the exploits in the hope of disarming them for the greater community. The idea was roundly debated on the internet, and as of this writing the collective has pulled the campaign after collecting about $3,000.00. In the end it was the legal counsel of one of the hackers who had the Patreon site shut down, citing the potential illegality of buying such exploits from actors like the ShadowBrokers. Many supported the idea; a smaller but vocal dissenting group warned that it was a bad one.
Significance: These events bear on national security at many levels now that national security encompasses information security and information warfare. That the ShadowBrokers exist and have been dumping nation-state hacking tools is only one dimension of the problem. An international incident followed directly from the ShadowBrokers’ last dump: the WannaCrypt0r (WannaCry) ransomware was augmented with the U.S. National Security Agency’s ETERNALBLUE exploit and DOUBLEPULSAR implant taken from that dump and infected large numbers of hosts across the globe. A further aspect is that the exploit code used in the malware may have been copied from the open-source repositories of reverse engineers who were porting the exploits into penetration testing tools to help secure networks. This was the crux of the hackers’ argument: simply put, they would pay for access in order to deny it to others while working to make the exploits safe. Would this model work for both public and private entities? Would it actually stop the ShadowBrokers from posting the data publicly even if they were paid privately?
Option #1: Private actors buy the exploits through crowdfunding and reverse engineer them to make them safe (i.e., report them to vendors for patching).
Risk: Private actors like the hacker collective who attempted this could be exposed to the following scenarios:
1) Legal issues over buying classified information could lead to arrest and incarceration.
2) Buying the exploits could further encourage the ShadowBrokers’ attempts to extort the USIC and the U.S. government as part of an active measures campaign.
3) It would set a precedent for other actors by showing that such criminal activity does in fact produce monetary gain, inviting more extortion campaigns.
4) The actor could take the payment and still dump the data on the internet, rendering the scheme moot.
Gain: Private actors like the hacker collective who attempted this could realize net gains in the following scenarios:
1) The actor is paid and the data is delivered, leaving the hacker collective to reverse engineer the exploits and immunize the community.
2) The hacker collective could draw attention to the issues and to themselves, which could give such issues more traction and lead to more environments being secured.
Option #2: Private actors do not pay for the exploits and thus do not reward activities such as ransomware and extortion on a global scale.
Risk: If the extortionists are not paid, the data is dumped on the internet and the exploits are used in malware and other attacks globally by anyone capable of understanding, using, or modifying them. This has already happened: even though the exploits were in the wild and known to vendors (Microsoft had released the MS17-010 patch for the SMB vulnerability used by ETERNALBLUE roughly two months before WannaCry), the attacks still succeeded to great effect, because a disclosed and patched vulnerability only protects the hosts on which the patch is actually applied. A further side effect is that any operations that had been using these exploits are burned, but this is already a known quantity to the USIC, which likely already knows which exploits were stolen and/or remediated in country.
Gain: By not paying the extortionists, the community at large does not feed the cost-benefit calculation that attackers must make when planning for profit. Refusing to deal with extortionists or terrorists denies them a positive incentive to carry out such attacks for monetary gain.
Other Comments: While it may be laudable to consider schemes such as crowdfunding and open-sourcing the reversal and mitigation of such exploits, it is hubris to assume that an actor with bad intent will simply sell the data and be done with it. It is also of note that the situation on which this red team article is based involves a nation-state actor: Russia, through its military intelligence service, the Glavnoye Razvedyvatel’noye Upravleniye (GRU), and its foreign intelligence service, the Sluzhba Vneshney Razvedki (SVR), which are understood not to care about the money. The current situation is not about money; it is about active measures and sowing chaos in the USIC and the world. The precepts still hold true, however: dealing with terrorists and extortionists is a bad practice that only incentivizes the behavior. The takeaway is that one must understand the actors and the playing field before making an informed decision on such activities.