A few weeks ago, 15 of Donald Trump’s advisers received an email, apparently from a friend. It contained an invitation to edit a Google spreadsheet. More than half of the recipients clicked on the link. James Comey, then still the FBI director, actually replied to it.
The email in fact came from the website Gizmodo. It wasn’t a hack, though it could have been. It was a stunt, intended to show how vulnerable our systems are to hackers’ number one weapon: human stupidity.
The infection that crippled computer networks in dozens of countries gained access because of such stupidity: perhaps a single person clicking on a fake link. But it spread because of laziness, penny-pinching and bureaucracy. Some companies hadn’t been willing (or perhaps able) to spend money on updating their systems: the hack relied on a known vulnerability – but IT managers failed to install a patch released two months ago to prevent precisely such an attack. Even if they had, 90pc of the UK’s NHS trusts – a target of the hackers – still use Windows XP, an operating system declared obsolete in April 2014, and thus lacking any such patches.
To most people, it seems reprehensible that a health service was targeted by this “ransomware”, which holds files hostage until payment is made. But for the criminals, endangering lives was a feature, not a bug. As they’d learned with attacks elsewhere, people are more willing to pay up when it’s a matter of life and death.
In explaining how all this happened, the best place to start is with the career of a man called Evgeniy Mikhailovich Bogachev.
Bogachev was a bank robber – a very good one. He and his gang would hijack corporate computers, then empty the associated bank accounts. To cover their tracks, they would then launch a massive attack on the bank’s systems – in effect a digital smoke bomb.
Then, Bogachev had a brainwave. To mount that attack, he needed to infect and hijack tens of thousands of computers. Why not make money from them as well? He started using CryptoLocker, a form of ransomware, demanding $300 or $500 to decrypt the files on the infected machines. Not only did this provide an extra revenue stream, but issuing 2,000 ransom notes for $500 was less likely to draw attention than a $1m heist.
Bogachev didn’t just come up with the business model for this latest heist. His story tells us why such attacks are so hard to stop.
First, it’s alluringly easy to make money from cybercrime. Bogachev himself got started by selling his bank-robbing software to all comers. Similar programs are available for pennies on the internet.
Second, such crooks can be incredibly hard to track down. Bogachev’s activities first came to the authorities’ attention in 2009. But it took five years, and an international manhunt, to unmask him.
Finally, it illustrates how the involvement of governments has complicated things.
Bogachev’s gang was eventually dismantled. But he is still at large because, being a patriotic Russian, he was moonlighting for Vladimir Putin’s security services, which have protected him ever since.
This isn’t the only example of Russian complicity in cybercrime. The software used in last week’s hack utilised two separate exploits developed by America’s National Security Agency. These were stolen and dumped online by a group called The Shadow Brokers, which is widely suspected to be connected to Russia’s espionage services.
Cybercrime, in other words, is such a problem because it is so many problems wrapped into one.
You have to deal with human stupidity. You have to deal with a thriving international network of anonymous criminals. You have to deal with rogue governments (and friendly ones who let their cyberweapons fall into the wrong hands). And you have to deal with outdated systems: in the US much of the code and many of the devices running cash machines, air traffic control and nuclear weapons development date back to the Seventies.
Above all, you have to deal with the fact that the internet and other networks were designed to be open, for computers to talk to each other. Yes, we can – and should – invest far more in cybersecurity, on a national and corporate level. But we can never build perfect defences. All we can hope is that ours are strong enough that attackers seek easier gains elsewhere.
And, of course, that people finally learn not to click on the wrong email.
Robert Colvile is Editor of CapX