If 2016 was the year government hacking went mainstream, 2017 is the year government hacking played the Super Bowl halftime show. It’s not Fancy Bear and Cozy Bear making headlines. This month, the Trump administration publicly attributed the WannaCry ransomware attack to the Lazarus Group, which allegedly works on behalf of the North Korean government. As a Presidential candidate, Donald Trump famously dismissed allegations that the Russian government broke into email accounts belonging to John Podesta and the Democratic National Committee, saying it could easily have been the work of a “400 lb hacker” or China. The public calling-out of North Korean hacking appears to signal a very different attitude towards attribution.
Lazarus Group may be hot right now, but Russian hacking has continued to make headlines. Shortly after the release of WannaCry, there came another wave of ransomware infections, Petya/NotPetya (or, this author’s favorite name for the ransomware, “NyetYa”). Petya was hidden inside of a legitimate update to accounting software made by MeDoc, a Ukrainian company. For this reason and others, Petya was widely attributed to Russian actors and is thought to have primarily targeted Ukrainian companies, where MeDoc is commonly used. The use of ransomware as a wiper, a tool whose purpose is to render the computer unusable rather than to extort money from its owner, appears to be one of this year’s big new innovations in the nation-state actors’ playbook.
WannaCry and Petya both owe their effectiveness to a Microsoft Windows security vulnerability that had been found by the NSA and code named EternalBlue, which was stolen and released by a group calling themselves the Shadow Brokers. US agencies losing control of their hacking tools has been a recurring theme in 2017. First companies, hospitals, and government agencies find themselves targeted by re-purposed NSA exploits that we all rushed to patch, then Wikileaks published Vault 7, a collection of CIA hacking tools that had been leaked to them, following it up with the publication of source code for tools in Vault 8.
This year also saw developments from perennial bad actor Ethiopia. In December, Citizen Lab published a report documenting the Ethiopian government’s ongoing efforts to spy on journalists and dissidents, this time with the help of software provided by Cyberbit, an Israeli company. The report also tracked Cyberbit as their salespeople demonstrated their surveillance product to governments including France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Other perennial bad actors also made a splash this year, including Vietnam, whose government was linked to Ocean Lotus, or APT 32 in a report from FireEye. The earliest known samples from this actor were found by EFF in 2014, when they were used to target our activists and researchers.
Any and all original material on the EFF website may be freely distributed at will under the Creative Commons Attribution License, unless otherwise noted. All material that is not original to EFF may require permission from the copyright holder to redistribute.
Not everyone can pay for the news. But if you can, we need your support.
Truthout is widely read among people with lower incomes and among young people who are mired in debt. Our site is read at public libraries, among people without internet access of their own. People print out our articles and send them to family members in prison — we receive letters from behind bars regularly thanking us for our coverage. Our stories are emailed and shared around communities, sparking grassroots mobilization.
We’re committed to keeping all Truthout articles free and available to the public. But in order to do that, we need those who can afford to contribute to our work to do so — especially now, because we have just 5 days left to raise $40,000 in critical funds.
We’ll never require you to give, but we can ask you from the bottom of our hearts: Will you donate what you can, so we can continue providing journalism in the service of justice and truth?