Skip to content Skip to footer

Nation-State Hacking: 2017 in Review

2017 is the year government hacking played the Super Bowl halftime show.

If 2016 was the year government hacking went mainstream, 2017 is the year government hacking played the Super Bowl halftime show. It’s not Fancy Bear and Cozy Bear making headlines. This month, the Trump administration publicly attributed the WannaCry ransomware attack to the Lazarus Group, which allegedly works on behalf of the North Korean government. As a Presidential candidate, Donald Trump famously dismissed allegations that the Russian government broke into email accounts belonging to John Podesta and the Democratic National Committee, saying it could easily have been the work of a “400 lb hacker” or China. The public calling-out of North Korean hacking appears to signal a very different attitude towards attribution.

Lazarus Group may be hot right now, but Russian hacking has continued to make headlines. Shortly after the release of WannaCry, there came another wave of ransomware infections, Petya/NotPetya (or, this author’s favorite name for the ransomware, “NyetYa”). Petya was hidden inside of a legitimate update to accounting software made by MeDoc, a Ukrainian company. For this reason and others, Petya was widely attributed to Russian actors and is thought to have primarily targeted Ukrainian companies, where MeDoc is commonly used. The use of ransomware as a wiper, a tool whose purpose is to render the computer unusable rather than to extort money from its owner, appears to be one of this year’s big new innovations in the nation-state actors’ playbook.

WannaCry and Petya both owe their effectiveness to a Microsoft Windows security vulnerability that had been found by the NSA and code named EternalBlue, which was stolen and released by a group calling themselves the Shadow Brokers. US agencies losing control of their hacking tools has been a recurring theme in 2017. First companies, hospitals, and government agencies find themselves targeted by re-purposed NSA exploits that we all rushed to patch, then Wikileaks published Vault 7, a collection of CIA hacking tools that had been leaked to them, following it up with the publication of source code for tools in Vault 8.

This year also saw developments from perennial bad actor Ethiopia. In December, Citizen Lab published a report documenting the Ethiopian government’s ongoing efforts to spy on journalists and dissidents, this time with the help of software provided by Cyberbit, an Israeli company. The report also tracked Cyberbit as their salespeople demonstrated their surveillance product to governments including France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Other perennial bad actors also made a splash this year, including Vietnam, whose government was linked to Ocean Lotus, or APT 32 in a report from FireEye. The earliest known samples from this actor were found by EFF in 2014, when they were used to target our activists and researchers.

Any and all original material on the EFF website may be freely distributed at will under the Creative Commons Attribution License, unless otherwise noted. All material that is not original to EFF may require permission from the copyright holder to redistribute.

We’re not going to stand for it. Are you?

You don’t bury your head in the sand. You know as well as we do what we’re facing as a country, as a people, and as a global community. Here at Truthout, we’re gearing up to meet these threats head on, but we need your support to do it: We still need to raise $14,000 to ensure we can keep publishing independent journalism that doesn’t shy away from difficult — and often dangerous — topics.

We can do this vital work because unlike most media, our journalism is free from government or corporate influence and censorship. But this is only sustainable if we have your support. If you like what you’re reading or just value what we do, will you take a few seconds to contribute to our work?