By Gianpaolo Russo, Fellow
On May 12, 2017, the WannaCry ransomware worm spread across the internet, targeting systems running Microsoft Windows with a vulnerable version of SMB. This vulnerability had, in fact, been patched by Microsoft in April – any systems hit by the worm had not applied that patch. The events surrounding this vulnerability, and its original disclosure months prior, provide an interesting focal point for the discussion of vulnerability disclosure and the national security equities process.
Let’s start at the beginning. In August 2016, the Shadowbrokers announced possession of Equation Group data and the beginning of an auction for said data. As part of this announcement, for proof and advertising, they released tools (estimated to be 2013-era) from the Equation Group kit related to the exploitation of various commercial firewalls. This first release contained information about a vulnerability in older Cisco products which was previously unknown to the public. In the author’s view, it wouldn’t be proper to consider this type of flaw a true “zero-day” vulnerability, since it had likely seen prior use by private parties.
This first auction did not gain traction with the named groups from whom the Shadowbrokers most wanted attention, specifically: the Five Eyes, Russia, China, Iran, Korea, Japan, Israel, Saudi Arabia, the UN, NATO, Cisco, Juniper, Intel, Microsoft, Symantec, Google, Apple, and FireEye.
In January 2017, the Shadowbrokers published screenshots of data they claimed was the Equation Group’s 2013 “Windows Ops Disk”. Within that ops kit was the EternalBlue attack tool which targeted the now infamous SMB vulnerability. By publishing the screenshot proving possession of those tools, the Shadowbrokers were putting the Equation Group on notice that every vulnerability in that kit was no longer under Equation Group control and could enter the public domain at any time.
How did the Equation Group respond? We have to make some inferences. In February 2017, Microsoft cancelled its traditional Patch Tuesday release. In March 2017, Microsoft released a patch for the SMB vulnerability at issue, formalizing it in Microsoft Security Bulletin MS17-010. At this point, the Shadowbrokers had not released any code or details indicating that this specific vulnerability existed, only screenshots of a list of codenamed files. We can infer that the Equation Group had reacted and disclosed information about the vulnerability to Microsoft so that patches could be created.
With Microsoft’s publicly available patch, the SMB vulnerability in MS17-010 was effectively fully disclosed. Thirty days later, in April 2017, the Shadowbrokers published the “Windows Ops Kit” from their prior screenshots. The next month, the first outbreak of the WannaCry worm was reported. In the wake of the worm, Microsoft’s President, Brad Smith, called for a “Digital Geneva Convention”, wherein the private sector would ask the world’s governments not to engage in “cyberattacks on the private sector, that they will not target civilian infrastructure, whether it’s of the electrical or the economic or the political variety. We need governments to pledge that, instead, they will work with the private sector to respond to vulnerabilities, that they will not stockpile vulnerabilities, and they will take additional measures.”
Asking the world’s intelligence agencies to hang up their cyber operations and turn over information regarding their vulnerability research and exploitation development is a big ask that does not leave much room for considering the needs of the intelligence mission. If this conversation moves forward, perhaps we will see definitions of “cyberattack” that are nuanced to a point bordering on ineffective vagueness. Sure, during times of peace we won’t attack each other, but spies are gonna spy. That sounds a lot like the status quo.
What is a useful lesson when considering the vulnerability equities process in light of the Shadowbrokers leaks and the WannaCry outbreak?