The Untold Story of BadRabbit. The Most Brutal Cyber Attack in History

Handicapped Ports. Paralysed Corporations. Stunned Government Agencies. How a Single Piece of Code Detonated the World.

AN ELITE RUSSIAN hacking team, a historic ransomware attack, an espionage group in the Middle East, and countless small-time cryptojackers all have one thing in common. Though their methods and objectives vary, they all lean on leaked National Security Agency (NSA) hacking tools to invade target computers and spread malware across the network.

After Edward Snowden, a former subcontractor for the Central Intelligence Agency (CIA), left the United States in 2013 with highly classified information from the National Security Agency (NSA), the intelligence community of the time was forced to abort all of its active missions.

Of leaks of intelligence methods like the N.S.A. tools, Leon Panetta, United States Secretary of Defence, said: “Every time it happens, you have to start over.”

So in late 2013 the Central Intelligence Agency (CIA) restructured all of its operational units and began rebuilding from scratch, covertly and with tighter security. For this task they hired 200,000 employees from all over the world, designated “Security Experts”.

It took them 8 months to regain stability, and by late 2014 they had deployed mass surveillance programs. These programs were deployed not only in the United States but also in other territories, including Russia, North Korea, Japan, China, India and many more.

How did they achieve mass surveillance?

The job of these Security Experts and researchers is to find major zero-day vulnerabilities in modern operating systems. Once they find a critical vulnerability, they develop it into an exploitation tool with a matching payload that will successfully hit the target.

A covert unit, dubbed “Tailored Access Operations” (T.A.O.), the cyber-warfare intelligence-gathering unit of the N.S.A., was tasked with using these tools under supervision, to avoid another leak of classified information.

Organisations and government agencies are very careful while performing such operations, because if another leak occurred, every nation would lay the blame for the resulting exploitation on them. The consequences would be a threat to the economy.

Only a small set of qualified experts were given access to the classified tools. With these tools, the N.S.A. and C.I.A. began to exploit and monitor their adversaries.

They succeeded in regaining access to almost all of the terrorist groups whose monitoring they had terminated the previous year (late 2013) under Federal Court orders, a consequence of the Edward Snowden leak.

Leon Panetta also said: “Snowden leaks have been incredibly damaging to our Intelligence and cyber capabilities. The fundamental purpose of intelligence is to be able to effectively penetrate our adversaries in order to gather vital intelligence. This is achieved only when we protect our codes.”

By the end of 2014, the intelligence community was all set to monitor nations worldwide.

They thought everything was fine, until the F.B.I. received a report from Israeli Intelligence.

In July 2015, Israeli Intelligence officers alerted the Federal Bureau of Investigation (F.B.I.) by handing over a report.

The report was immediately sent to N.S.A. headquarters for analysis. The N.S.A. and C.I.A. started analysing the report while the F.B.I. investigated whether its source was genuine or fake.

It was a perfect sunny summer afternoon when the world’s finest intelligence agency began to lose its mind.

The content of the report was that an antivirus giant, Kaspersky, from its Moscow headquarters, was repeatedly searching your network for the keywords DANDERSPIRITZ, ODDJOB, FUZZBUNCH, DARKPULSAR, ETERNALSYNERGY, ETERNALROMANCE, ETERNALBLUE, EXPLODINGCAN and EWOKFRENZY.

They were blown away: these keywords were the names of the exploitation tools used in the mass surveillance program.

The following months were taken up by a wide-ranging investigation by the agency’s counterintelligence arm, known as Q Group, and by the F.B.I. Officials still do not know whether the N.S.A. was the victim of a hack, of an insider’s leak to Russia, or both.

Employees were closely monitored as suspects.

The intelligence community was stunned by the F.B.I.’s claim that one employee (whose name has not been disclosed), who had access to the C.I.A. deployment server, had for years been sending information (including details of N.S.A. and C.I.A. nationwide data centres and some officials’ personal data) to the Islamic State of Iraq and the Levant (I.S.I.L.), a terrorist group.

The accused was linked to the I.S.I.L. terrorist group. His goal was to pass on the geo-locations of confidential data centres under the control of the C.I.A.

But the N.S.A. was still unable to figure out how Kaspersky had learned the names of these tools.

So they decided to investigate every employee’s home. They suspected that Nghia Hoang Pho, a 67-year-old former N.S.A. programmer, had copied all the classified tools onto his home computer. He was not a whistleblower, but he had copied those tools from the N.S.A. onto his home computer. Unfortunately, his home computer had Kaspersky anti-virus installed. Kaspersky researchers who were tracking Nghia Hoang Pho’s network found the malicious tools and lifted them from his computer.

Nghia Hoang Pho pleaded guilty to violating the Espionage Act, for the willful retention of national security information.

Nghia Hoang Pho was sentenced to 5.5 years of imprisonment and a fine of $250,000.

There was a fear within the agency that one or more leakers might still be in place.

Their nightmare came true. On 30th August 2016, a hacking group called the Shadow Brokers started an online sale on a dark-web market for $1 million, advertising that they held N.S.A. hacking tools.

Initially the F.B.I. and Q Group speculated that those tools might date from Edward Snowden’s era, and believed that the Shadow Brokers’ advertisement was a fake.

Officials of the N.S.A., C.I.A. and F.B.I. declined to comment on the event.

Not a single hacking group or organisation considered this deal genuine.

Eventually, in December 2016, the frustrated Shadow Brokers group published an article on the dark net, hosted on Tor, claiming that they had the original toolkit.

Note: if you don’t know how to stay safe while browsing Tor, please don’t visit. If you do, you might become one of their victims. Screenshots of the Shadow Brokers’ article follow…

At the end of their article they also posted some screenshots of N.S.A. tools. These were similar to the ones the N.S.A. was currently using.

America’s largest and most secretive intelligence agency had been deeply infiltrated.

The Shadow Brokers also published documents that included detailed lists of hacked or potentially targeted computers, belonging to firms in Qatar, Dubai, Abu Dhabi, Syria and Yemen, and to Palestinian terrorists. Also included was a load of hacking tools, this time targeting Windows versions.

“Oh you thought that was it?” the hacker group wrote in a typically grammar-challenged statement accompanying their leak. There was speculation prior to this release that the group had finally published its full set of stolen documents, after a seemingly failed attempt to auction them for bitcoins. “Too bad nobody deciding to be paying theshadowbrokers for just to shutup and going away.”

Though the group released all the stolen confidential documents, not a single community commented on them. The N.S.A. and F.B.I. declined to comment on the leak. Since no one would admit to any loss, cybercriminals did not come forward to bid in the Shadow Brokers’ auction.

During this period, in December 2016, Donald Trump won the election and became President of the United States.

Since no one was participating in the Shadow Brokers’ $1 million auction, the frustrated group published an article about Donald Trump in late December 2016.

The group began listing classified decisions taken by President Donald Trump (decisions that only a few officials knew about), and the list spread around the world.

Even after this critical leak, neither the Trump administration nor the F.B.I. commented on it. But the F.B.I. was secretly investigating the Shadow Brokers’ source.

Some officials doubt that the Shadow Brokers got it all by hacking the most secure American government agency, hence the search for insiders.

The Hunt for an Insider

For decades after its creation in 1952, the N.S.A. was regarded as a leakproof organisation. But since Mr. Snowden flew away with hundreds of thousands of documents in 2013, that notion has been shattered.

The Snowden damage led to the investment of millions of dollars in new technology and tougher rules to counter what the government calls the insider threat. But N.S.A. employees say that, with thousands of employees pouring in and out of the gates and the ability to store a library’s worth of data on a device that fits on a key ring, it is impossible to prevent people from walking out with secrets.

F.B.I. agents found the house, garden shed and car of Harold T. Martin, a former contractor for the N.S.A., stuffed with sensitive documents and storage devices. The agency recovered approximately 50 terabytes of confidential data.

Mr. Martin’s huge collection of stolen files included much of what the Shadow Brokers have, and investigators considered him the prime suspect as a possible source for them. Officials say they do not believe he deliberately supplied the material, though they have examined whether he might have been targeted by thieves or hackers.

Harold T. Martin

But evidence shows that on 12th August 2016 he had contacted Kaspersky Lab researchers through Twitter, using an anonymous account named “@Hal_99999999”. He sent 3 cryptic messages and 2 readable messages to one of the researchers as private messages. The 3 cryptic messages included a PGP key for encrypted files.

1st message: “So…figure out how we talk with Yevgeny”, presumably Kaspersky Lab CEO Eugene Kaspersky, whose given name is Yevgeny.

2nd message: “Shelf life, three weeks”

But Martin received no reply, because the anonymous Twitter account he used to contact the Kaspersky researcher was unknown to the researcher (the profile was neither a follower nor followed).

Thirty minutes after his final message to Kaspersky, the Shadow Brokers wrote: “We hacked N.S.A.” and “We find many many Intelligence Cyber weapons”. The leaked cyber weapons included ETERNALBLUE, an exploit for Windows versions.

Inside the N.S.A., the declaration was like a bomb exploding. A zip file posted online contained the first free sample of the agency’s hacking tools. It was immediately evident that the Shadow Brokers were not fake and that the agency was in trouble.

The next day, when the Kaspersky researcher replied to Martin asking “about what?”, Martin had already blocked the researcher’s Twitter account.

Some officials say that the Shadow Brokers had targeted Martin for years. The N.S.A. keeps records of all of its employees’ computer code for malware analysis and stores them in documents. Those documents were stolen by Edward Snowden, so the Shadow Brokers targeted Martin precisely and lifted the classified tools from his computer.

Why was Martin copying all the data to his house?

His lawyers say that Martin’s habit of working at home got out of control. For years he copied those tools home and studied them on his own computer.

A Federal Court ordered Kaspersky software to be removed within 90 days. This was a huge blow to the anti-virus firm.

Not a single agency reported on the leaked cyber weapons; the matter was kept secret. Only the Shadow Brokers were claiming that they had access to those tools.

Since there was a lack of trust in the Shadow Brokers group around this event, they started playing a mind-blowing game to create demand for those tools…

On 14th March 2017, the Shadow Brokers anonymously emailed Microsoft Corporation’s security research centre, disclosing to the organisation a critical vulnerability (one which the N.S.A. had found).

Microsoft immediately patched its software and alerted its departments to issue an emergency software update. The organisation publicly reported that it was a critical bug, so the update was necessary. The security update can be seen here.

Now it was time for the Shadow Brokers to advertise their tools as tools that exploited the critical vulnerability Microsoft had just patched. The Shadow Brokers had been waiting for this moment.

On 14th April 2017, one month after Microsoft’s critical vulnerability patch, they published an article titled “Don’t forget your base”.

The article included a PGP key and a link redirecting to their payment page, hosted on the dark net. Payment was in Bitcoin; they asked for about $1 million worth.

Hackers and cryptojackers from North Korea to Russia armed themselves with those cyber weapons and fired them directly at networks, and the result spread to over 150 countries. They called it the “WannaCry” ransomware.

Data on infected computers is encrypted, and is decrypted only when the ransom is paid.

Organisations were stunned by the criminal activity.

Hackers stole international personal user data from the company Uber, including the phone numbers, email addresses and names of 57 million people, along with 600,000 driver’s license numbers. Uber’s GitHub account was accessed through Amazon’s cloud-based service. Uber paid the hackers $100,000 for assurances, but those nerds had destroyed the data.

There were many cases where small organisations were forced to shut down because of heavy ransoms.

EternalBlue takes advantage of a vulnerability in a particular Windows protocol, allowing hackers to remotely run their own code on any unpatched machine.

The attackers used 20 different languages to demand money from users.

The attack affected Telefonica and several other large companies in Spain; parts of the British National Health Service (NHS), where at least 16 hospitals had to turn away patients or cancel scheduled operations; FedEx, Deutsche Bahn, Honda and Renault; and the Russian Interior Ministry and the Russian telecom MegaFon.

The attackers gave their victims a 7-day deadline from the day their computers got infected, after which the encrypted files would be deleted.

Shortly after the news of the infections broke online, an Equation Group cybersecurity researcher, in collaboration with others, found and activated a “kill switch” hidden within the ransomware, effectively halting the initial wave of its global propagation.

The next day, researchers announced that they had found new variants of the malware without the kill switch. This malware was dubbed “Petya”.

The creators of Petya removed the kill switch and targeted Ukraine’s network, where it propagated through banking systems.

During this crisis around the world, another hacking group, named “Fancy Bear”, was busy breaking into the US Democratic National Committee’s servers. They named this malware “NotPetya”.

The release of NotPetya was an act of cyberwar by almost any definition, one that was likely more explosive than even its creators intended. Within hours of its first appearance, the worm raced beyond the US and out to countless machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania.

It crippled multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, food producer Mondelez, and manufacturer Reckitt Benckiser.

In each case, it inflicted nine-figure costs. It even spread back to Russia, striking the state oil company Rosneft.

The result was more than $10 billion in total damages, according to a White House assessment confirmed by former Homeland Security adviser Tom Bossert, who at the time of the attack was President Trump’s most senior cybersecurity-focused official.

Petya Ransomware

If a system is infected with Petya, the system’s control unit starts malfunctioning and displays the image above.

It forces the victim to press any key, after which a beautiful message appears, stating…

Without purchasing the key, the files on your system cannot be decrypted.

The victim is forced to purchase the key (the amount varies from attacker to attacker).

If the transaction is not completed within 7 days, the data on your system will be destroyed.

Cybercriminals were easily gaining direct access to these tools by paying the Shadow Brokers and customising the payloads to their needs.

There was a worldwide emergency to stop these ransomware attacks. This was becoming a huge problem for many industries, until a beast entered the cyberwar. They all call it “The Equation Group”.

“The Equation Group” — creators of “Stuxnet”

A team of United States and Israeli intelligence cyber-warfare experts was dubbed “The Equation Group” (EQ). This group was shut down after the Stuxnet operation, because of the damage it had done in 2010.

Now, in this crisis, the United States and Israel decided it was time to wake up the BEAST.

The EQ group first tried to use a variant of NotPetya on Russian networks. The group’s idea was to block all the malware that was bombarding the network. Most eavesdropping was projected from Russia, so they tried to suppress those attacks on the Russian network.

But the Russians, who were equipped with the cyber weapons, had patched their systems long ago. The EQ group immediately started an operation named “BAD RABBIT”.

Unlike all the other ransomware, Bad Rabbit first exploits an unpatched computer. Using the unpatched computer’s network, it then hijacks patched computers. Within 45 minutes of its breach, Russia, Ukraine, North Korea, Germany and Iran, the main suspects, were led to shut down their countries’ network grids.

Even if the victim pays the ransom, the encrypted files are not decrypted. Officials say that they did not develop Bad Rabbit with decryption in mind.

This means that victims are forced to throw away their machines, which eventually halts the malware’s propagation.

Even a year after Microsoft issued a patch, attackers can still rely on the EternalBlue exploit to target victims, because so many machines remain defenseless to this day.

Microsoft and others criticized the NSA for keeping the EternalBlue vulnerability a secret for years instead of proactively disclosing it for patching. Some reports estimate that the NSA used and continued to refine the EternalBlue exploit for at least five years, and only warned Microsoft when the agency discovered that the exploit had been stolen.

Who is Responsible for this cyberwar?

According to Microsoft, the N.S.A. is responsible, because the vulnerabilities were not disclosed to the organisation for patching.

Harold T. Martin, who was responsible for the leak, pleaded guilty and was sentenced to 9 years of imprisonment and a fine of $250,000.

F.B.I. officials said it may be years before the “full fallout” of the Shadow Brokers breach is understood. Even the arrest of whoever is responsible for the leaks may not end them, one official said, because the sophisticated perpetrators may have built a “dead man’s switch” to release all remaining files automatically upon their arrest.

Please update your Software 😂

Programmer By Heart | strong and barely controllable emotion