Gone are the days when computer viruses and malware were mere inconveniences to individuals, perhaps slowing down their devices. 2017 is quite different, with some of the most malicious malware in the world disrupting critical infrastructure in the most advanced nations. The tide has shifted in the past few years: what used to be small and isolated hacking activities have become orchestrated, deliberate and at times politically or monetarily motivated cyber attack campaigns. As most countries get ready to face these new realities, Ethiopia gets a taste of this new brand of cybercrime, writes Asrat Seyoum.
On Friday May 12, 2017, the world was shocked by the resurgence of one of the most notorious pieces of computer malware ever deployed in the cyber realm: the WannaCry ransomware. Some are already referring to it as the atomic bomb of ransomware. Malware of various kinds, and ransomware in particular, is not new to the cyber world. Ransomware is a malicious computer program capable of extracting or altering valuable information stored on a device to the point where the user can no longer access it without a corrective tool from the program's authors. These corrective tools usually come at a steep price; hence the term ransomware, where the data is the hostage and the payment is the ransom demanded.
The WannaCry ransomware employs a similar logic. The program gets access to individual computers via spam or phishing emails; it comes with a specific attachment that asks the user to grant it control of the computer. Once in the system, the malware holds the user hostage by immediately encrypting (scrambling) critical files on the device and appending its recognizable extension, .WCRY, to the affected files.
The ransom note instructs users to pay USD 300 in bitcoins, the official currency of the cyber world. Currently, one bitcoin is exchanged for USD 1,575, and the ransom note warns that the amount doubles if the user does not comply within three days of the attack. The program also claims that the encrypted data will be gone for good if the demanded payment is not made within seven days.
Nevertheless, what makes WannaCry a particularly dangerous program is that it uses an encryption algorithm of high quality, comparable only to military-grade encryption. Worse still, WannaCry exploits vulnerabilities in the Windows operating system, which is used by more than 90 percent of computers and IT devices around the world.
Furthermore, this ransomware has an additional quality that enables it to jump from one computer to another in a networked workspace, infecting every device on the Local Area Network provided that it runs Windows.
Reports of damage from this particular malware started to pour in within hours of its first detection on Friday May 12; soon after, critical infrastructure around the world started to unravel, one system after another. Since its emergence, WannaCry has infected hundreds of thousands of computers worldwide. The most devastating incidents were those in Russia, where telecom and postal services were down for a day, and one in Spain, where a telecom company was forced to interrupt its services. The biggest of them all was the attack on medical facilities and ambulance services in the UK.
The back story to WannaCry is something of a page-turner. The fact of the matter is that a series of vulnerabilities in Microsoft's Windows operating system exposed the world to one of the most malicious cyber extortion programs ever created. However, not all the credit should go to the proud members of the hacking community. In fact, it was the US government's National Security Agency (NSA) that provided the hacking community with the most important tool to identify and exploit the Windows vulnerabilities.
According to reports, it was the NSA's very own "Eternal Blue", a cyber tool used to scan for and identify vulnerabilities in operating systems and programs, that was put to use to design the WannaCry ransomware. The truth is that the NSA had always had the "Eternal Blue" tool, using it to identify and exploit vulnerabilities in Windows. It did so in the past without notifying Microsoft that it either had a tool to identify Windows vulnerabilities or that it exploited these vulnerabilities time and again for its own organizational goals.
In April 2016, the NSA announced that it had been hacked. Soon after, the hacking group going by the name Shadow Brokers released "Eternal Blue" on some of the well-known dark websites. The NSA was then forced to go public with the information and direct Microsoft to provide patches for some of the known vulnerabilities in its operating system. In the meantime, every dark-alley hacker in the world hunkered down to use "Eternal Blue" to identify the said vulnerabilities.
Well, they did find something: a weak spot in Windows' so-called Server Message Block (SMB) component, which is used for file sharing services. WannaCry version one focused on exploiting this specific vulnerability.
By Monday, researchers had already figured out that blocking the SMB component would defend against WannaCry attacks. But this did not bring the hackers to their knees; rather, they came up with what is called WannaCry 2.0. This second version of the ransomware used a different strategy: launching a Denial of Service (DoS) attack on the component used to block SMB, also referred to as the Kill Switch. The Kill Switch was bombarded with requests (orchestrated to put it out of use), rendering it unable to execute the task of blocking the SMB.
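Since the article's stated defence is blocking the SMB component that WannaCry spread through, the following added example (not from the article or INSA) shows how a Windows administrator would audit and remove that exposure on an endpoint. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later, where the SmbShare and NetSecurity cmdlets exist.

```powershell
# Added example: audit and harden the SMB exposure that WannaCry used for
# lateral movement on a LAN. Run from an elevated PowerShell prompt.

# 1. Report the current state of the legacy SMBv1 dialect.
$smb = Get-SmbServerConfiguration
"SMBv1 enabled before hardening: $($smb.EnableSMB1Protocol)"

# 2. Turn the SMBv1 server-side dialect off and remove the optional
#    Windows feature that ships it (a reboot completes the removal).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart

# 3. On a workstation that does not serve files, drop inbound SMB (TCP 445)
#    from every remote address so a worm on the same LAN cannot reach it.
#    A file server should instead keep its existing File and Printer Sharing
#    rules scoped to the local subnet rather than adding this block rule.
$ruleName = "Block inbound SMB (TCP 445) - WannaCry hardening"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 445 `
        -RemoteAddress Any -Action Block -Profile Any | Out-Null
}

# 4. Verify both controls.
$after = Get-SmbServerConfiguration
"SMBv1 enabled after hardening: $($after.EnableSMB1Protocol)"
Get-NetFirewallRule -DisplayName $ruleName |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```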
On the other hand, by Saturday Ethiopia was already on the WannaCry attack map. A young expert working for the Information Network Security Agency (INSA), who could not be named due to strict security protocol at the Agency, remembers it all.
"I don't have the security clearance level to divulge which organizations were infected by the ransomware," he told The Reporter. But he confirmed that the team he leads had to respond to distress calls from a few organizations that were infected by the ransomware. "The good thing was that they called us immediately after they noticed the infection," he said. This, he explained, gave them a fighting chance to study the decryption algorithms, reverse the process and free some of the data.
"I have a feeling that we have not heard the last of the WannaCry ransomware," the expert says. According to his analysis, at least 384 different variants of WannaCry are expected to surface in the coming three months. "Now, they (hackers) are dabbling with the Eternal Blue and Eternal Rock tools trying to scan for vulnerabilities in Windows; and this is expected to translate into more attacks," he predicts.
"Although I can't reveal the specific identities of the organizations which were attacked, I can tell you that the infection was detected in both government and private institutions in Ethiopia," he said.
Nevertheless, the WannaCry ransomware was not the only cyber security concern for Ethiopia this year. In fact, two months before the WannaCry ordeal, Ethiopia was among the countries identified as targets of another malware, one that specifically targets financial institutions around the world. Concocted by the hacking group called Lazarus, the malicious program takes shelter in the so-called SWIFT system (a program that facilitates bank-to-bank payments) and targets banks with lax security measures.
"What the Lazarus malware does is station itself in programs like SWIFT, slowly study the money transfer system and finally use this information to draw off funds from the accounts of financial institutions," he explained to The Reporter.
A recent report from Kaspersky Lab offered a detailed account of how banks in developing countries like Ethiopia have been targeted by this group.
“We have several financial institutions in Ethiopia which were compromised by the Lazarus tool. And it appears to be a preparation for a large scale theft,” the Lab told The Reporter in an email interview a while back. The report also indicated that the group has managed to successfully steal 81 million dollars from a bank in Bangladesh.
Further probing into the workings of the WannaCry and Lazarus malware is said to have revealed the use of a series of shadow servers located in different parts of Europe. "Still deeper investigation has shown that behind the shadow servers all paths were redirected to one location: North Korea," the expert said.
Nevertheless, these attacks are just the tip of the iceberg when one is talking about the world of cyber security. "The fact of the matter is that even much smaller cyber campaigns are capable of causing damage to a country's infrastructure in a short span of time," the expert says. To that end, he cites a small-scale cyber campaign orchestrated by a group called Cyber Jihadists on the electric grid of Sudan a while back, and how it paralyzed the country's electric system.
Data obtained from INSA shows a slow and persistent rise in cyber events observed in the sovereign space of Ethiopia in recent years. During the last Fiscal Year (FY) alone, the agency identified as many as 256 attempted cyber attacks targeting systems in Ethiopia. According to the data, attacks on websites are the most frequent cyber attack type in Ethiopia. For instance, in FY 2013/14, 41 attempted website attacks were registered in Ethiopia; the number came down the following year (FY 2014/15) to 36, only to spiral to 188 in FY 2015/16.
Malware and infrastructure sabotage attempts are also among the most frequent. Malware attacks were also at their highest in 2015/16, with 17 different events registered that year, while two and six attacks were recorded in 2014/15 and 2013/14, respectively. Identity theft and cyber bullying are also among the common attacks observed in the sovereign cyber space of Ethiopia. Identity theft cases look to be on the decline, from six cases identified in 2013/14 to two and three in the subsequent years. Although small in number, cyber bullying cases are also among the most common attacks in Ethiopian cyber space.
Although the data does not show it specifically, cyber reconnaissance and espionage are also among the attacks observed in Ethiopia, the expert explains. Perhaps the most pressing issue at this point is the sudden spike in the level of cyber attack events in Ethiopia and indeed around the developing world.
Teshale Girma (name changed), IT manager at one of the private banks in Ethiopia, argues that it is not a coincidence that Ethiopia has seen a sudden spike in cyber activities directed at its institutions in recent years. In fact, his theory involves a range of factors such as the country's internet browsing culture, recent increases in the bandwidth made available to users, the rise in the number of internet and mobile phone subscribers, the change in data storage platforms from manual to digital, the expansion of card and online payment systems and the like.
According to Teshale, the bandwidth available to internet users in Ethiopia is among the fundamental factors behind the increased probing of systems and computers in Ethiopia. "If I remember it correctly, the entire internet bandwidth available to Ethiopia was around 29 Gigabit/sec until very recently; and now I think it has grown to more than 40 Gigabit/sec," he explains. As one can imagine, connectivity by itself presents a difficult situation for hackers and other entities trying to probe systems in Ethiopia, and connectivity there is still not that conducive. "Even at the organizational level we are still working with 30 and 40 Megabit/sec, and I know that individual homes elsewhere get 100 and more Megabit/sec," he argues further.
On the other hand, the close to 50 million mobile subscribers, part of whom are active on the internet, are also an attraction to any potential attacker, he argues. "You have to know that as so many subscribers become active on the internet, programmers and other forces on the network would be curious as to where this traffic is coming from and if there is something to explore there," he explained to The Reporter.
For INSA's expert the issue might not be that complicated. He simply attributes Ethiopia's becoming a target for cyber attacks in recent years to reckless behavior and usage culture. As far as he is concerned, users from Ethiopia have the least concern when it comes to safety, and that is a particular attraction for probers and attackers.
In fact, it could also be misleading to assume that cyber attacks are currently on the rise in Ethiopia, Teshale opines. "I believe it could also be the awareness and the sensitivity that has awakened in us," he argues further. For all we know, he says, the attacks might have been there all along.
Tekeste Birhan Habtu, owner of Cyber Soft and a longtime player in Ethiopia's nascent IT sector, says that the problem is much deeper than a few attacks here and there on the cyber space of the nation. He says Ethiopia is in for an overall attitudinal makeover regarding the importance of safeguarding data, which is the real and most important asset in today's world.
“The concept of sovereignty has moved from territorial dimension to that of the cyber space. These days, sovereignty is expressed in the information and the data of a country and one needs to stand guard of that data at all times,” he says.
"In order to talk about security, we first need to agree on the fact that we are protecting something," he says. In his assessment, Ethiopia has not yet begun protecting its information from unwanted intrusion coming from outside. "This process should start from the laws and the regulation at a country level; and then we need to go to the network and software and management levels if we need to have a strong strategy to defend our cyber borders," Tekeste argues.
The expert at INSA also agrees that the country needs an integrated security system when it comes to the cyber realm. To that end, INSA has recently drafted and discussed what it calls the Critical Mas Cyber Security Standards, with the aim of implementing uniform cyber security standards across all critical infrastructure in the country. Apart from the common standards, the expert is confident that the various monitoring and inspection teams at INSA's disposal are standing guard "24/7", safeguarding the country's infrastructure from malicious attacks.
The young and professional staff at INSA is something to be proud of, the expert mentioned in passing. "I have under me 20 plus computer geeks who mostly communicate in 0s and 1s. Our lab has the capability to dissect malware and other malicious programs to understand how they work and identify their origin, and it gives us the technological edge we need to stand in defense of our cyber space," he says.
"In fact, we have developed our own antivirus and firewall infrastructure, and this capacity is being aided by the series of networks and links we have established with various cyber security organizations in Asia, Europe and other continents," he concludes.
But Tekeste is distressed to see that even the procurement policy in the country still entrusts foreigners with building the most sophisticated IT infrastructure. "Any country reserves such risky projects specifically for citizens, for it cannot be entrusted to any foreign entity."
"Can you ask a foreigner to be a soldier?" he asks. "It is much like that, and we need to start there if we are to be secure in the cyber realm."