Today the National Audit Office (NAO) issued a report saying National Health trusts were left vulnerable to the unsophisticated Wannacry attack because NHS chiefs ignored cyber-security recommendations. Then Minister of State for Security Ben Wallace went on to say on BBC Radio 4' that the UK Government held North Korea responsible.
Commentators all agreed on the first assertion, but there was a divergence of opinion regarding attribution.
Back in May FireEye reported that it had found that the WannaCry malware shares unique code with WHITEOUT malware that it had previously attributed to suspected North Korean actors. While we FireEye had not verified other experts' observation of known DPRK tools being used to drop early versions of WannaCry, it says it not observed other groups use the code present in both WannaCry and WHITEOUT and it do not believe it is available in open source. “This indicates a connection between the two,” concluded Ben Read, Analyst, FireEye, going on to comment in an email to SC Media UK, “Our analysis has found this unique code shared across additional North Korean malware, including NESTEGG and MACKTRUCK. Significantly, while this code is present in the MACKTRUCK malware, it is not used. The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators.”
However, other commentators urge caution in this attribution, such as Bharat Mistry, principal security strategist at Trend Micro, who in an Opinion article to be published shortly in SC, noted, “Contrary to popular belief, it is actually possible to compromise computers inside the hermit nation. In fact, machines there are just as susceptible to malware as anywhere else. Data from our Smart Protection Network (SPN) shows that spam campaigns originating from the North Korean IP range are actually part of unsolicited email campaigns sent by larger botnets most likely operated from overseas.” He concludes,”The North Korean internet isn't quite as tightly controlled as many think, meaning that machines inside the country have been compromised from overseas to launch attacks and conduct malicious activity.”
Wallace had said: "This attack, we believe quite strongly, came from a foreign state. North Korea was the state that we believe was involved this worldwide attack." He said officials were "as sure as possible' and 'it is widely believed in the community and across a number of countries that North Korea had taken this role".
There was less information on what response the UK should or would take.
In contrast to the speculation about attribution, the NAO was based on agreed facts about the impact of the attack, and how it was made possible by poor patching and communication of response plans.
Amyas Morse, head of the National Audit Office said, “The WannaCry cyber attack had potentially serious implications for the NHS and its ability to provide care to patients. It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks.”
The report notes how on Friday 12 May 2017 a computer virus, known as WannaCry, which encrypts data on infected computers and demands a ransom payment to allow users access, was released worldwide. WannaCry was the largest cyber attack to affect the NHS in England, although individual trusts had been attacked before 12 May. Key findings of the investigation are:
The Department was warned about the risks of cyber attacks on the NHS a year before WannaCry and although it had work underway it did not formally respond with a written report until July 2017. It had been advised to migrate away from Windows XP by April 2015. In March and April 2017, NHS Digital had issued critical alerts warning organisations to patch their systems to prevent WannaCry but it was unable to monitor if departments had complied with its advice.
The attack led to disruption in at least 34 percent of trusts in England. In total at least 81 out of 236 trusts across England were affected. A further 603 primary care and other NHS organisations were infected by WannaCry, including 595 GP practices, but no patient data is believed to have been compromised or stolen. NHS England identified 6,912 appointments had been cancelled, and estimated over 19,000 appointments would have been cancelled in total.
No NHS organisation paid the ransom, but the Department does not know how much the disruption to services cost the NHS.
The cyber attack could have caused more disruption if it had not been stopped by Marcus Hutchins activating a ‘kill switch' so that WannaCry stopped locking devices.
The Department had developed a plan, which included roles and responsibilities of national and local organisations for responding to an attack, but had not tested the plan at a local level, it was not immediately clear who should lead the response and there were problems with communications. Those involved were reported by the media as saying, no one knew what to do – and people reverted to using pen and paper and communicating via things such as Snapchat.
All organisations infected by WannaCry shared the same vulnerability and could have taken relatively simple action to protect themselves. Infected organisations had unpatched, or unsupported Windows operating systems so were susceptible to the ransomware.
A recent report from the cyber experts at EfficientIP earlier this year found on average UK companies lagged behind other in patching their systems. Almost all (99 percent) of UK Public Sector organisations said they did not apply the necessary security patches (compared to 83 percent globally) to answer the eleven critical vulnerabilities released by BIND in 2016.
SC Media UK also received email comments from various industry commentators who drew their own lessons from the report (see below):
Herve Dhelin, EfficientIP VP Strategy, said: ”Leaving noticed and published vulnerabilities unpatched is like leaving an open bar for hackers. We were shocked to find that so many companies with crucial data to protect did not apply available patches, and all took a long time to do it: ...companies need to understand the crucial importance of patching properly. The results can, and have often been devastating.”
Thomas Fischer, threat researcher and global security advocate at Digital Guardian emailed SC Media UK saying, “it will be interesting to see how the Government reacts. The fundamental question facing the NHS now is what actions to take. Does it focus on improving patient care, ensuring adequate staffing levels, and maintaining the essential physical infrastructure to meet immediate healthcare needs. Or, does it improve non-essential IT infrastructure that can always be replaced by good old fashioned pen and paper. What's clear from reviewing this report, is that the NHS's approach to IT management will have to change, one way or another. Two obvious areas to start would be improving user training and awareness of cyber-security and ensuring that there is enough available infrastructure to allow systems to be upgraded or patched in a rolling schedule, without negatively impacting productivity."
Nick Pollard, Security Intelligence & Analytics Director at Nuix suggests that, “Prevention needs to be at the forefront of any ransomware strategy. Since the endpoint is ground-zero for ransomware attacks, what the NHS needed was the ability to detect and put a stop to malicious behaviour as early as possible in the kill chain.
Next-generation endpoint security can allow security teams to detect threats that are hidden or obfuscated deep in the system through continuous monitoring of activity straight from the kernel, giving them access to the rawest form of endpoint data available. This lets them detect and block malicious processes the instant they try to invade the organisation.
Javvad Malik, security advocate at AlienVault, says that perhaps the more telling aspect is that while the Department of Health had an incident response plan, it was neither communicated nor tested. “Without a clearly communicated and tested incident response plan, trying to make one up in the midst of an incident is a recipe for disaster.”
Marco Cova, senior security researcher at Lastline notes how the National Health Service has annual budget in the region of £116 billion making it a massive target for cyber-attacks yet its poorly defended. “Priorities for all NHS trusts are unsurprisingly targeted at medical needs over and above admin and operational needs, but, as the WannaCry incident demonstrated, IT security is nowadays an essential prerequisite to deliver core business functions, including medical care.” He add, “NHS trusts have no choice but to invest in security, both in terms of better processes and better technology, to deal with cyber-threats."
Andrew Clarke, EMEA director at One Identity pointed out that in many cases hacked organisations do not have an inventory of all operating systems and applications that need to be patched – which makes the challenging task of patching even harder , saying that a robust patch management system would aid that. Unfortunately some of the specific medical equipment being used was only every designed to run Windows XP – so in that case the options are limited. However, “What could have been done better was the compartmentalisation of environments that were known to be running older software so that if they did get impacted, the damage could be limited.
Csaba Krasznay, security evangelist, Balabit suggests that it is possible, and in fact, strongly recommended, to work toward speeding up the patching cycle, and even introduce technology that ensures only machines with the right security posture are allowed to access the organization's information resources.
Commenting on the news, Mark James, security specialist at ESET says “It does seem like a huge breakdown in communications and would highlight an urgent need to get things right for the time when a sophisticated attack gets hold- unlike Wannacry, that technically was not sophisticated at all! Hopefully not just the NHS, but many companies around the world, suddenly jumped into action to avoid further outbreaks and have put plans in place to stop the next unnecessary cyber disaster from happening…."