Red Herring: What’s Behind the Wave of Ransomware Attacks Linked to NSA Hacking Tools?

Shawn Helton
21st Century Wire 

In this age of hyper-real media propaganda, some stories published by mainstream media whether true or not, can be used as a ‘red herring’ to provide an all too convenient mask for other politically charged news releases.

In fact, the very same day as the viral spread of WannaCry, the United States was said to have nearly completed a series of arms deals with Saudi Arabia worth over $100 billion dollars. This dovetailed the Trump administration’s decision to announce a “vision for a new regional security architecture” for an ‘Arab NATO‘ headquartered in Saudi Arabia, the largest state-sponsored of terror in the world.

Furthermore, the largest financial support for Al Qaeda linked terror operations involving Sunni extremists worldwide – has come from Saudi Arabia, with other GCC allies providing logistical support.

From 2015 to today, Saudi Arabia has breached international law with an ongoing bombardment of Yemen and more recently it emerged that Saudi government forces began a shocking military offensive against its own citizens in the eastern province of Qatif in the Awamiyah town.

The monolithic arms deal with Saudi Arabia and their attack on their own province (not to mention the US-led coalition airstrikes in Syria aiding ISIS) has largely been ‘whitewashed’ as mainstream media was consumed with a global cyber attack narrative, the reanimated Russia-gate probe and symbolic nature of Trump’s trip to the Middle East this week.

With all this in mind, let’s dissect the wave of ransomware attacks used to misdirect the masses this past week…

‘MISDIRECTION’ – What’s really behind the global ransomware cyber attacks? (Photo Illustration 21WIRE’s Shawn Helton)

Over the last week, we were told that a wave of cyber attacks across the globe were carried out by the WannaCrypt ransomware worm (aka WanaCrypt, WanaCrypt0r 2.0 or Wcry), more commonly referred to as WannaCry. The intrusive malware was believed to infect some “230,000 computers in over 150 countries,” and is now accompanied by a new variant of the same exploit called ‘Adylkuzz’ which according to early media reports, can be ‘invisible’ and may make your computer run slowly if you haven’t installed the most up-to-date security, going undetected for weeks or months says the security firm Proofpoint.

Interestingly, the origins of both WannaCry and Adylkuzz can be traced back to NSA hacking tools that use EternalBlue and DoublePulsar exploits that were supposedly ‘stolen’ by the anonymous hacking collective dubbed The Shadow Brokers sometime in March.

Forbes describes the exploit of Microsoft Windows named Eternal Blue:

“It’s been a matter of weeks since a shady hacker crew called Shadow Brokers dumped a load of tools believed to belong to the National Security Agency (NSA). It now appears one leaked NSA tool, an exploit of Microsoft Windows called EternalBlue, is being used as one method for rapidly spreading a ransomware variant called WannaCry across the world.”

The Hill reported:

“Google security researcher Neel Mehta appears to be the first to have noticed that large swaths of computer code in an early version of Wanna Cry were identical to code used by the Lazarus Group, a team of hackers linked to the government of North Korea.”

“Lazarus Group is best known for hacking Sony Pictures in 2014 to protest the movie “The Interview.” But recently it has been linked to a series of digital bank robberies that, in one case, stole $81 million from the central bank of Bangladesh. The robberies would, many suspect, provide a revenue stream while the country faces crippling sanctions. “

Kaspersky Labs computer security corporation noted the common code linked to both WannaCry and the Lazarus Group and the possibility of a cyber false flag with this latest WannaCry outbreak:

“In theory anything is possible, considering the 2015 backdoor code might have been copied by the Wannacry sample from February 2017. However, this code appears to have been removed from later versions. The February 2017 sample appears to be a very early variant of the Wannacry encryptor. We believe a theory [of] a false flag although possible, is improbable.”

(Photo Illustration 21WIRE)

This is what makes this WannaCry cyberattack story so hard to swallow, is the inclusion of the Sony hack from 2014, which has long been outed as a false flag operation.

Below is a short passage from an article by 21WIRE‘s Patrick Henningsen that fully revealed the theatrical media staging behind’ The ‘Interview’ film fiasco (aka the Sony hack), as the group said to be behind the so-called cyberattack was tied to a high level security officer at Sony Entertainment:

“Experts confirmed that the alleged malware used in the cyberattack was in fact leaked years ago and any hacker could have utilized it since.”

The thoughtful analysis continued with the following:

“It was also reported that the firms’ investigations had uncovered one former Sony Entertainment employee and security officer referred to as “Lena”, who had high level admin access to the company’s IT system, and who has connections to the hacking group, ‘Guardians of Peace’ (#GOP) who were blamed for the cyber attack. This means that the hack is more likely an ‘inside job’, and the motivations could have a redress for any number of grievances including Sony’s company lay-offs and online piracy prosecutions.”

In May of 2015, another suspicious cyber attack story surfaced involving a former blackhat hacker crew from 2008 dubbed TeaMp0isoN, a small group that later reemerged as a whitehat computer-security team in 2015.

In other words, TeaMp0isoN became a legal hacking group…

During the same time frame, a 20-year-old British hacker named Junaid Hussain, a person with multiple online identities, was said to be virtually linked to the so-called ‘ISIS-inspired’ shooting in Garland Texas and was believed by authorities to be the cyber hacker named TriCk, connected the group TeaMp0isoN.

Hussain was simultaneously linked to ISIS and mentioned as a key figure behind the apparent hack of CENTCOM’s Twitter account by a group calling themselves the “Cyber Caliphate.”

The unintended aftermath of events following the dubious ‘cartoon shooting’ in Garland, revealed the CENTCOM hack as a sham, as it detailed an apparent hacker’s relationship between government entities and hacking groups that were associated with ISIS.

Those in the intelligence community might say that Hussain went ‘rogue’ while interchangeably working with ISIS and TeaMp0isoN the ‘whitehat’ group formerly blackhat hackers who joined up with the hacking collective Anonymous – but that many connections between terror and security appear to be beyond a coincidence.

After considering the historical context of the two cyber attack scenarios outlined above, let’s look at what else happened when WannaCry was recently released... 

(Photo Illustration 21WIRE’s Shawn Helton)

As the media world was consumed with the spread of the WannaCry ransomware, Bleeping Computer noted the following Wikileaks Vault 7 release outlining two hacking tools allegedly ‘stolen’ from the CIA:

“While the world was busy dealing with the WannaCry ransomware outbreak, last Friday, about the time when we were first seeing a surge in WannaCry attacks, WikiLeaks dumped new files part of the Vault 7 series.

This time around, the organization dumped user manuals for two hacking tools named AfterMidnight and Assassin, two very simplistic malware frameworks, allegedly developed and stolen from the CIA.”

In March of 2017, Wikileaks allegedly exposed many of the CIA’s hacking tools. Here’s a passage from a 21WIRE report on that topic worth considering in the wake of this recent outbreak of ransomware:

“One of the more curious details contained in Vault 7 were the revelations concerning the CIA’s ability to mask any hacking  fingerprints that could potentially implicate the agency. Additionally, the secretive agency could also leave behind potential evidence that a cyber attack was carried out by a foreign body or nation. Here’s another passage from the Wikileaks publication on the matter:

““Tradecraft DO’s and DON’Ts” contains CIA rules on how its malware should be written to avoid fingerprints implicating the “CIA, US government, or its witting partner companies” in “forensic review”. “

Conclusion: Another aspect to consider when trying to determine the reality behind the latest ransomware attacks, is to look at those countries mostly impacted by the intrusive worm, a list which includes Russia, who was the worst hit globally, along with the top 20 that logged Ukraine, India, Taiwan, China, Romania, Egypt, Iran, Brazil, Spain and Italy as the most affected.

Moving forward, we could see other cyber ‘copycat’ attack stories that could deflect from other politically charged news.

More from Moon Of Alabama below on the bombardment of mainstream media red herrings and false claims…

(Image Source: twitter)

One Day, Three Serious News Stories That Turn Out To Be False

Moon Of Alabama

It is a fake news day. Three stories are making the rounds through the media that are each based on false or widely exaggerated interpretation of claims. North Korea, Syria and the U.S. President are the targets.

1. The Wall Street Journal asserts with a #fakenews headline that bits of computer-code in the recent WannaCry ransom virus are identical with bits of computer code that was allegedly used in a 2014 hack of Sony. (The Sony attack was falsely attributed to North Korea.)

Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea

Neel Mehta, a security researcher at Alphabet Inc.’s Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group.

The “Lazerus group” (which probably does not exist at all) was attributed to North Korean state agencies. Six paragraphs later we learn that the “similarities” were found in often reused code:

The findings don’t necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven’t been identified, could have copied the code in question, for example.
…
The connection found in the old version lies in software that both programs use to securely connect to other systems over the internet, said Kurt Baumgartner, a Kaspersky Lab researcher.

Common code is found in nearly all software that sets up an internet connection. The reason for that is quite simple. No longer does anyone ever write such code. There are well tested examples of such program snippets widely available in open-source software on Github and elsewhere. “Copy and paste” is done faster than re-inventing the wheel. Even worse – the code snippet in question here is so trivial that any decent programmer would likely write it the very same way (a call to the Time() function to get a seed value for a following call to the Random() function). There are only X reasonable ways to add 1 to 1. Two people doing it the same way proves nothing at all. People copying publicly available code proves nothing either. It certainly does not prove that code for two different hacks was written by the same people. It does not provide that these bugs have anything at all to do with North Korea. The bits of similarities are of zero factual news value.

2. Back in February Amnesty International (which promotes NATO interventions) issued a sensational report about alleged killings in Syrian prisons. As we wrote at that time:

A new Amnesty International report claims that the Syrian government hanged between 5,000 and 13,000 prisoners in a military prison in Syria. The evidence for that claim is flimsy, based on hearsay of anonymous people outside of Syria. The numbers themselves are extrapolations that no scientist or court would ever accept. It is tabloid reporting and fiction style writing from its title “Human Slaughterhouse” down to the last paragraph.

The U.S. State Department now reused that fake report and adds wrongly interpreted satellite pics to further slander the Syrian government:

US: Syria is burning bodies to hide proof of mass killings

More from Moon Of Alabama here…

READ MORE HACKING NEWS AT: 21st Century Wire HACKING Files

READ MORE ABOUT MSM FAKE NEWS AT: FAKE MSM NEWS FILES 

SUPPORT 21WIRE – SUBSCRIBE & BECOME A MEMBER @ 21WIRE.TV

21st Century Wire is an alternative news agency designed to enlighten, inform and educate readers about world events which are not always covered in the mainstream media.