RED HERRING: What’s Behind the Wave of Ransomware Attacks Linked to NSA Hacking Tools?

Shawn Helton
21st Century Wire 

In this age of hyper-real media propaganda, some stories published by mainstream media whether true or not, can be used as a ‘red herring’ to provide an all to convenient mask for other politically charged news releases.

In fact, the very same day as the viral spread of WannaCry, the United States was said to have nearly completed a series of arms deals with Saudi Arabia worth $110 billion dollars and some $350 billion total over the next 10 years. This dovetailed the Trump administration’s decision to announce a “vision for a new regional security architecture” for an ‘Arab NATO‘ headquartered in Saudi Arabia, the largest state-sponsor of terror in the world.

Furthermore, the largest financial support for Al Qaeda linked terror operations involving Sunni extremists worldwide – has come from Saudi Arabia, with other GCC allies providing logistical support.

From 2015 to today, Saudi Arabia has breached international law with an ongoing bombardment of Yemen and more recently it emerged that Saudi government forces began a shocking military offensive against its own citizens in the eastern province of Qatif in the Awamiyah town.

A recently released Stockholm study yielded some stunning conclusions concerning arms exports from the US and Europe, in addition to arms imports acquired by Gulf Cooperation Council (GCC) countries, most notably Saudi Arabia. According to this latest report from 2012-16, there has been the highest arms transfer volume over a 5-year stretch since the end of the Cold War.

The monolithic US arms deal recently made with Saudi Arabia, along with the attacks on Saudi citizens (not to mention the US-led coalition airstrikes in Syria aiding ISIS) has largely been ‘whitewashed’ as mainstream media was consumed with a global cyber attack narrative, the reanimated Russia-gate probe and the symbolic nature of Trump’s trip to the Middle East this week.

With all this in mind, let’s dissect the wave of ransomware attacks used to misdirect the masses this past week…

WORLD-HACK-LIES-21WIRE-SLIDER-SH-3
‘MISDIRECTION’ – What’s really behind the global ransomware cyber attacks? (Photo Illustration 21WIRE’s Shawn Helton)

Over the last week, we were told that a wave of cyber attacks across the globe were carried out by the WannaCrypt ransomware worm (aka WanaCrypt, WanaCrypt0r 2.0 or Wcry), more commonly refered to as WannaCry. The intrusive malware was believed to infect some “230,000 computers in over 150 countries,” and is now accompanied by a new variant of the same exploit called ‘Adylkuzz’ which according to early media reports, can be ‘invisible’ and may make your computer run slowly if you haven’t installed the most up-to-date security, going undetected for weeks or months says the security firm Proofpoint.

Interestingly, the origins of both WannaCry and Adylkuzz can be traced back to NSA hacking tools that use EternalBlue and DoublePulsar exploits that were supposedly ‘stolen’ by the anonymous hacking collective dubbed The Shadow Brokers sometime in March.

Forbes describes the exploit of Microsoft Windows named Eternal Blue:

“It’s been a matter of weeks since a shady hacker crew called Shadow Brokers dumped a load of tools believed to belong to the National Security Agency (NSA). It now appears one leaked NSA tool, an exploit of Microsoft Windows called EternalBlue, is being used as one method for rapidly spreading a ransomware variant called WannaCry across the world.”

The Hill reported:

“Google security researcher Neel Mehta appears to be the first to have noticed that large swaths of computer code in an early version of Wanna Cry were identical to code used by the Lazarus Group, a team of hackers linked to the government of North Korea.”

“Lazarus Group is best known for hacking Sony Pictures in 2014 to protest the movie “The Interview.” But recently it has been linked to a series of digital bank robberies that, in one case, stole $81 million from the central bank of Bangladesh. The robberies would, many suspect, provide a revenue stream while the country faces crippling sanctions. “

Kaspersky Labs computer security corporation noted the common code linked to both WannaCry and the Lazarus Group and the possibility of a cyber false flag with this latest WannaCry outbreak:

“In theory anything is possible, considering the 2015 backdoor code might have been copied by the Wannacry sample from February 2017. However, this code appears to have been removed from later versions. The February 2017 sample appears to be a very early variant of the Wannacry encryptor. We believe a theory [involving] a false flag although possible, is improbable.”


(Photo Illustration 21WIRE)

The inclusion of the Sony hack story from 2014, (which has long been outed as a false flag operation), is what makes the WannaCry cyber attack story so hard to completely swallow wholesale.

This is not to suggest that WannaCry did not occur at all, more that the ransomware worm was a stage-manged attack that may have been used for other purposes. Interestingly, CyberSecurity Malaysia outed two viral messages that claimed WannaCry ransomware was ‘distributed’ through online banking services and WhatsApp were a hoax.

Below is a short passage from an article by 21WIRE‘s Patrick Henningsen that fully revealed the theatrical media staging behind’ The ‘Interview’ film fiasco (aka the Sony hack), as the group said to be behind the so-called cyberattack was tied to a high level security officer at Sony Entertainment:

“Experts confirmed that the alleged malware used in the cyberattack was in fact leaked years ago and any hacker could have utilized it since.”

The thoughtful analysis continued with the following:

“It was also reported that the firms’ investigations had uncovered one former Sony Entertainment employee and security officer referred to as “Lena”, who had high level admin access to the company’s IT system, and who has connections to the hacking group, ‘Guardians of Peace’ (#GOP) who were blamed for the cyber attack. This means that the hack is more likely an ‘inside job’, and the motivations could have a redress for any number of grievances including Sony’s company lay-offs and online piracy prosecutions.”

In May of 2015, another suspicious cyber attack story surfaced involving a former blackhat hacker crew from 2008 dubbed TeaMp0isoN, a small group that later reemerged as a whitehat computer-security team in 2015.

In other words, TeaMp0isoN became a legal hacking group…

During the same time frame, a 20-year-old British hacker named Junaid Hussain, a person with multiple online identities, was said to be virtually linked to the so-called ‘ISIS-inspired’ shooting in Garland Texas and was believed by authorities to be the cyber hacker named TriCk, connected the group TeaMp0isoN.

Hussain was simultaneously linked to ISIS and mentioned as a key figure behind the apparent hack of CENTCOM’s Twitter account by a group calling themselves the “Cyber Caliphate.”

The unintended aftermath of events following the dubious ‘cartoon shooting’ in Garland, revealed the CENTCOM hack as a sham, as it detailed an apparent hacker’s relationship between government entities and hacking groups that were associated with ISIS.

Those in the intelligence community might say that Hussain went ‘rogue’ while interchangeably working with ISIS and TeaMp0isoN the ‘whitehat’ group formerly blackhat hackers who joined up with the hacking collective Anonymous – but that many connections between terror and security appear to be beyond a coincidence.

After considering the historical context of the two cyber attack scenarios outlined above, let’s look at what else happened when WannaCry was recently released..

CIA-VAULT-7STRIKES-AGAIN-21WIRE-SLIDER-SH-3
(Photo Illustration 21WIRE’s Shawn Helton)

As the media world was consumed with the spread of the WannaCry ransomware, Bleeping Computer noted the following Wikileaks Vault 7 release that outlined two hacking tools allegedly ‘stolen’ from the CIA:

“While the world was busy dealing with the WannaCry ransomware outbreak, last Friday, about the time when we were first seeing a surge in WannaCry attacks, WikiLeaks dumped new files part of the Vault 7 series.

This time around, the organization dumped user manuals for two hacking tools named AfterMidnight and Assassin, two very simplistic malware frameworks, allegedly developed and stolen from the CIA.”

In March of 2017, Wikileaks allegedly exposed many of the CIA’s hacking tools. Here’s a passage from a 21WIRE report worth considering in the wake of this recent outbreak of ransomware:

“One of the more curious details contained in Vault 7 were the revelations concerning the CIA’s ability to mask any hacking  fingerprints that could potentially implicate the agency. Additionally, the secretive agency could also leave behind potential evidence that a cyber attack was carried out by a foreign body or nation. Here’s another passage from the Wikileaks publication on the matter:

“Tradecraft DO’s and DON’Ts” contains CIA rules on how its malware should be written to avoid fingerprints implicating the “CIA, US government, or its witting partner companies” in “forensic review”. 

Conclusion: Another aspect to consider when trying to determine the reality behind the latest ransomware attacks, is to look at those countries mostly impacted by the intrusive worm, a list which includes Russia, who was the worst hit globally, along with the top 20 that logged Ukraine, India, Taiwan, China, Romania, Egypt, Iran, Brazil, Spain and Italy as the most affected.

Question: Who would benefit the most from a cyber attack largely directed at Russia and China?

Additionally, in October of 2016, here at 21WIRE, we examined the possibility that a wave of distributed denial of service (DDoS) attacks that hit some of the top online companies websites including Amazon, Netflix, Twitter and Reddit was a staged-managed event centered around the government wanting to usher in new ‘ISP governance’ (making ISP’s bent to government wishes to ‘kick out the bad actors’ off their networks) and rights-violating security protocols.

Moving forward, we could see other cyber ‘copycat’ attack stories that could deflect from other politically charged news, that simultaneously may propel calls for new internet security laws.

More from Moon Of Alabama below on the bombardment of mainstream media red herrings and false claims…


(Image Source: twitter)

One Day, Three Serious News Stories That Turn Out To Be False

Moon Of Alabama

It is a fakenews day. Three stories are making the rounds through the media that are each based on false or widely exaggerated interpretation of claims. North Korea, Syria and the U.S. President are the targets.

1. The Wall Street Journal asserts with a #fakenews headline that bits of computer-code in the recent WannaCry ransom virus are identical with bits of computer code that was allegedly used in a 2014 hack of Sony. (The Sony attack was falsely attributed to North Korea.)

Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea

Neel Mehta, a security researcher at Alphabet Inc.’s Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group.

The “Lazerus group” (which probably does not exist at all) was attributed to North Korean state agencies. Six paragraphs later we learn that the “similarities” were found in often reused code:

The findings don’t necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven’t been identified, could have copied the code in question, for example.

The connection found in the old version lies in software that both programs use to securely connect to other systems over the internet, said Kurt Baumgartner, a Kaspersky Lab researcher.

Common code is found in nearly all software that sets up an internet connection. The reason for that is quite simple. No longer does anyone ever write such code. There are well tested examples of such program snippets widely available in open-source software on Github and elsewhere. “Copy and paste” is done faster than re-inventing the wheel. Even worse – the code snippet in question here is so trivial that any decent programmer would likely write it the very same way (a call to the Time() function to get a seed value for a following call to the Random() function). There are only X reasonable ways to add 1 to 1. Two people doing it the same way proves nothing at all. People copying publicly available code proves nothing either. It certainly does not prove that code for two different hacks was written by the same people. It does not provide that these bugs have anything at all to do with North Korea. The bits of similarities are of zero factual news value.

2. Back in February Amnesty International (which promotes NATO interventions) issued a sensational report about alleged killings in Syrian prisons. As we wrote at that time:

A new Amnesty International report claims that the Syrian government hanged between 5,000 and 13,000 prisoners in a military prison in Syria. The evidence for that claim is flimsy, based on hearsay of anonymous people outside of Syria. The numbers themselves are extrapolations that no scientist or court would ever accept. It is tabloid reporting and fiction style writing from its title “Human Slaughterhouse” down to the last paragraph.

The U.S. State Department now reused that fake report and adds wrongly interpreted satellite pics to further slander the Syrian government:

US: Syria is burning bodies to hide proof of mass killings

More from Moon Of Alabama here

READ MORE HACKING NEWS AT: 21st Century Wire HACKING Files


US Coalition Attacks Syrian Forces – Helping ISIS in the Process

On Thursday, the US-led coalition announced it had launched an air strike against “pro-Assad forces” inside Syria killing several government-aligned militia soldiers and destroying numerous military vehicles near the al-Tanf region where the borders of Syria, Iraq and Jordan meet. The US coalition claim that Syrian forces inside of Syria posed a threat to US and NATO troops and the ‘rebels’ they are training and arming on the Jordanian side of that border region.

The US-led attack comes as UN officials and diplomats are meeting in Geneva to discuss a solution to Syria’s six year war. According to one Syrian official, the attack was a “flagrant aggression launched by the international coalition exposes the falsity of its allegation about fighting terrorism and undoubtedly demonstrates the reality of the Zionist-American project in the region.”

The move by the US also poses an indirect threat to the stability of the Astana Peace Agreement signed by Russia, Iran and Turkey which guarantees “de-escalation zones” inside Syria in order to bring an end to major ground hostilities in the country.

21WIRE’s Patrick Henningsen spoke with RT International as the story broke on Thursday evening GMT, telling newscasters in Moscow that this week’s attack by the US, like many others previously – seems to strategically benefit ISIS terrorist forces on the ground in Syria. WATCH:


.
Other reports are also suggesting that thousands of Hezbollah troops are being deployed to the al-Tanf passageway at the Iraq-Syria border. Fars News reports:

“Hezbollah has deployed 3,000 forces in al-Tanf region to participate in Badiyeh operations in Syria. Most of the forces had earlier been stationed in al-Zabadani, Madhaya and Sarqaya regions as well as the Western parts of the town of al-Tofail and Brital, Ham and Ma’araboun heights in the Eastern mountain.”

READ MORE SYRIA NEWS AT: 21st Century Wire SYRIA Files

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s