The shadow arms bazaar that fuels global cybercrime


Think of it like a wine club, they said - but for cyber weapons. Last Tuesday, as the world was reeling from the impact of WannaCry, one of the most virulent cyber attacks in Internet history, the group that began it all took a moment to relish what it had wrought: a third of Britain's National Health Service knocked out of action; Chinese students locked out of their university files; and dozens of multibillion-dollar businesses from FedEx to Telefonica disrupted.

"In June, TheShadowBrokers is announcing 'The ShadowBrokers Data Dump of the Month' service," read a post in characteristically broken English on Steemit, a social media publishing platform. "Each month peoples can be paying membership fee, then getting members only data dump."

In other words, a threat of more damage to come.

The ShadowBrokers - an anonymous online group that appeared from nowhere last August - has become one of the most dangerous forces in cyberspace. In April, it dumped a cache of cyber weapons online. A month later, one of those hacking tools had metamorphosed into WannaCry after being recycled by other groups on the murky forums of the dark web - the areas of the Internet not covered by regular search engines.

For the United States government, the threat is particularly grave: The weapons the ShadowBrokers are touting are theirs, apparently stolen last year from the National Security Agency (NSA) in the most serious breach of its systems since the leaks by Edward Snowden, the former Central Intelligence Agency employee.

Western intelligence officials believe ShadowBrokers is a Russian proxy - an aggressive front-line unit in Russia's increasingly strident information war against Washington and its allies. The evidence to connect the online hacktivists to the Kremlin, however, is fragmentary. Indeed, Russia was among the worst-hit countries in the WannaCry epidemic. More than 1,000 computers at its interior ministry were incapacitated. Moscow strenuously denies any connection. President Vladimir Putin railed this week against the US intelligence community as having enabled WannaCry to take place.

Regardless of blame, the WannaCry incident illustrates in stark terms the complexities of the new threats in cyberspace. It calls attention to a shifting landscape of participants on the dark web, which was described to the FT by more than a dozen Western intelligence officials and private-sector cyber security analysts.

Though the ShadowBrokers released the NSA hacking tool on which WannaCry was based, it was another individual or group that repurposed that weapon for more malign uses. And it was likely a third group that then turned it into the ransomware - malware that locks infected users out of their own hard drives and demands payment for the digital keys to unlock them - which spread across the world at lightning speed one week ago.

Digital traces tie North Korea into the picture too. The Lazarus Group, a quasi-criminal unit run by Pyongyang, looks to have developed a precursor to WannaCry.

This underworld is also a highly developed marketplace - a cyberarms bazaar selling everything from the digital equivalents of crowbars to smart bombs - that has become the engine room of global organised crime.

"I've been watching these groups (on the dark web) evolve over the last 20 years," says Mr Anthony Ferrante, senior managing director in forensics and litigation at the consultancy FTI - and the White House's director of cyber incident response in the Obama administration.

"The reality is that some of these threats have always existed, but what has evolved is the accessibility of the means to deliver them. The Internet allows malicious cyber actors to deliver weaponised tools, and scope and scale like we've never seen."

Governments are at a loss as to how to tackle the problem. Critics have long warned about the potential for state-developed cyber weapons technologies to leap out of their control. The ShadowBrokers disclosures are not the first instance - but they come close to being a worst-case scenario.

"The intelligence community is mostly still just absolutely stunned that this even happened," says one former senior US intelligence official. "They are in chaos mode trying to repair the damage."

WORST NIGHTMARE

On the dark web, the ShadowBrokers has found fertile ground in which to sow discord. "There is a complex ecosystem of cyber criminals and other cyber attack actors who sometimes collaborate, place attacks or place information about how to conduct attacks in the public domain," says Mr Ciaran Martin, director of the UK's National Cyber Security Centre, an arm of the intelligence agency GCHQ. "It's a global marketplace. Fundamentally, the growth of this threat is about the return on investment," he adds.

British authorities estimate that 48 per cent of all crime in the UK has a cyber dimension. Europol believes income from global cybercrime to be bigger than that from illegal narcotics. At the most basic level, dark web hacking platforms are available for almost anyone to access. Technical skills are not required. Malware platforms come with drop-down menus so would-be hackers can select the nature of the criminal enterprise they wish to engage in.

More sophisticated malware platforms that use powerful hacking tools are available to buy, to rent or to franchise. The ShadowBrokers' suggestion of a "wine club" model is less out of place than it might sound. Some malware platforms on the dark web even come with user support - chat apps that connect buyers with dedicated coders to help them troubleshoot in their efforts to steal or defraud. Hacking forums provide rating systems for users. Just as on eBay, malware sellers can be rated by buyers based on the quality of their products. Fraudsters dislike being defrauded.

But it is the more obscure, high-end niches of the cyber market that are the cause of most concern for governments.

"At the top end there is a much smaller layer of closed communities - they're the ones doing the dangerous things we really care about, but understanding those is much more difficult," says Mr Steve Stone, global lead for intelligence service at IBM's X-Force Incident Response and Intelligence Services division.

"These are circles of trust; clusters of highly capable individuals who swop ideas, support each other and develop capabilities."

IBM estimates the dark web to host "dozens" of such groups. Some are motivated by money, some by intellectual curiosity and some by more anarchic interests. "We tend to want to put threats in different buckets, to say - this is criminal, this is government or whatever," says Mr Stone. "But often it's not like that. Some of these groups or the people in them can do four different things for four different reasons. Nothing is hard and fast."

For Western intelligence officials in particular, that blurring is a concern. Adversaries, they say, actively exploit it.

"In Russia, there is a lot of overlap between the intelligence services and organised crime," says one British cyber security official.

"I wouldn't describe it as symbiotic so much as mutually exploitative. It gets very hard to pull the two apart; the government sanctions behaviour or turns a blind eye, even within Russia, and in return, it demands services."

The situation is far from unique. Iran has developed links with criminal networks, he says, and has an active community of hackers who exploit and adapt technologies being traded and discussed on the dark web.

North Korea's Lazarus group may be the example par excellence: perpetrating crimes such as the raid on the Swift banking system as well as executing strategic operations including the attempt to destroy Sony in 2014.

For some, especially in Silicon Valley, the US government is as much to blame as anyone for the illicit cyberarms underworld. The ShadowBrokers may be leaking the hacking tools, they note, but the US developed them in the first place. A cyber weapon is simply a software vulnerability. If the US were to disclose the weakness it had discovered to allies, adversaries would fix it too.

Mr Stuart McClure, chief executive of cyber security company Cylance, says WannaCry was his "biggest nightmare scenario", but the question really is when, not if, another serious vulnerability emerges into the wild. "Governments around the world are discovering these all the time and you know they are not disclosing them to vendors, to Microsoft, to Apple."

Controlling the proliferation of cyber weapons is hard. Unlike regular armaments, governments often do not even notice them when their hacking tools disappear: code can be easily copied. An arsenal can fit on a USB drive.

"This is a teachable moment. We need to stop and think about this differently from other types of threats," says Mr Edward Stroz, founder of Stroz Friedberg, which responds to cyber attacks.

Others are more sanguine and see a process of necessary adaptation and rapid change - albeit one that is at risk of running out of control.

"These vulnerabilities exist whether we like them or not," notes Mr Ferrante, who was involved in the US government assessment of software vulnerabilities.

"At least in my experience, in the US, they were only used for the purposes of saving lives. But we need to appreciate their power - they need to be maintained and utilised in an extremely responsible way... when parties don't, then bad things happen."

FINANCIAL TIMES


A version of this article appeared in the print edition of The Straits Times on May 22, 2017, with the headline "The shadow arms bazaar that fuels global cybercrime".