• ## Summary

• 00:06

DR. KEVIN FONG: On the morning of May 12, NHS staff were about to be confronted by a major outbreak. [MUSIC PLAYING] As an epidemic swept like wildfire across the country. But the disease didn't infect patients.

• 00:28

DR. KEVIN FONG [continued]: And it wasn't biological, instead it attacked the central nervous system of the NHS itself. Across the country, computer systems were knocked out by a highly contagious computer virus.

• 00:47

WOMAN: Hello, can I speak to IT please?

• 00:49

DR. KEVIN FONG: That became known as WannaCry.

• 00:52

WOMAN: There's a message on my screen says my files been encrypted.

• 00:55

DR. KEVIN FONG: This is the story of a uniquely challenging day for the National Health Service, a day when the NHS itself became a patient. It was attacked by a particularly vicious piece of computer code, which took down its networks, its computers, and anything attached to them. And that meant patient record systems, CT scanners, even MRI machines, putting not just data,

• 01:18

DR. KEVIN FONG [continued]: but also patients' lives at risk.

• 01:21

PATRICK WARD: The surgeon looked very forlorn, very sorry. And that was when he then told me that he couldn't do the operation.

• 01:29

DOCTOR: We were unable to book appointments. We were unable to see who will be coming in tomorrow. So we were really paralyzed and at a loss on what to do.

• 01:38

DR. KEVIN FONG: Horizon unpicks the science behind the recent widespread cyberattack that hit our National Health Service. And in his first television interview, we meet the 22-year-old cybersecurity specialist who stopped it in its tracks.

• 01:53

MARCUS HUTCHINS: I tracked the message board. There were maybe 16, 17 reports of different NHS sort of organizations being hacked. And that's sort of the point where I decided my holiday is over. I've got to look into this.

• 02:07

DR. KEVIN FONG: The outbreak exposed a vulnerability at the heart of the NHS. I'm a doctor. And all of this is a worry. I want to know what happened. I want to know why it happens. And I want to know how I can protect my patients from this new strain of infectious disease. [MUSIC PLAYING]

• 02:45

DR. KEVIN FONG [continued]: I found out about the attacks the way most people did, three news reports. Now, mercifully, the hospital that I worked for wasn't affected. But as details emerged, it became clear that colleagues all over the NHS were getting into work that day, setting up their computers, and being greeted with a screen that looks like this. Now, it's very polite.

• 03:06

DR. KEVIN FONG [continued]: It tells you what it's done. It's encrypted all of your data, tells you what you have to do, which is pay some money. And it tells you that if you pay the money now, you won't have to pay quite so much. Otherwise, you're going to lose everything. On the 12th of May, 2017, the cyber attack wrought havoc across the NHS.

• 03:27

DR. KEVIN FONG [continued]: It hits many hospital trusts. And some 80 departments even closed their doors to ambulances. Operations were cancelled. Patients were diverted. But the story of the virus itself goes back far further than the events of that day. [27 AUGUST 2016 9 MONTHS BEFORE INFECTION]

• 04:08

DR. KEVIN FONG [continued]: With all outbreaks, there's always a point of origin, a moment when the virus first emerges. [MUSIC PLAYING]

• 05:03

DR. KEVIN FONG [continued]: For over 20 years, Harold Martin worked as a contractor for US government intelligence. On the day of his arrest, agents found stolen drives containing more than 50 terabytes of classified data,

• 05:26

DR. KEVIN FONG [continued]: allegedly including top secret hacking tools stockpiled by the National Security Agency. Harold Martin's arrest followed a tweet by a mysterious group calling themselves the Shadow Brokers.

• 05:52

DR. KEVIN FONG [continued]: They were offering National Security agents and hacking tools to anyone prepared to pay the $580 million asking price. According to reports, once they found out about the Shadow Brokers demands, the NSA triggered an internal investigation and just a couple of weeks later, Harold Martin was arrested.

• 06:14

DR. KEVIN FONG [continued]: Now, there's no evidence at all that he passed on information to the Shadow Brokers. But interestingly, on the hard drives in his home was found the hacking tool, Eternal Blue. Now Eternal Blue is a kind of key that allows you to prise open the Windows 7 operating system. And it's that that allowed hackers to cause havoc across organizations

• 06:35

DR. KEVIN FONG [continued]: all over the world, including the NHS.

• 06:43

RAJ SAMANI: When it comes to attribution, [Raj Samani, Chief Scientist, McAfee] in other words, identifying the true source of attacks, the world in cyber is a lot more difficult than say, for example, physical, because you can make your attack appear to come from anywhere in the world.

• 06:60

MARCIN KLECZYNSKI: So Shadow Brokers is an anonymous entity. We don't really know who's behind Shadow Brokers. [Marcin Kleczynski, CEO, Malwarebytes]

• 07:06

ROSS ANDERSON: It's generally [Ross Anderson, Professor of Security Engineering] assumed in the security research community that the Shadow Brokers are in effect an arm of the Russian state. [14 APRIL 2017 1 MONTH BEFORE INFECTION]

• 07:22

DR. KEVIN FONG: 31 days before the cyber attack, there was business as usual across the NHS. But at this moment, the Shadow Brokers made a fateful decision. With no buyer coming forward, they dumped their trove of stolen cyber weapons online for free.

• 07:44

DR. KEVIN FONG [continued]: They were now available for anyone to use. Cal Leeming is someone with a unique insight into the cyber underworld. He taught himself to hack. And he started young.

• 07:58

CAL LEEMING: When I was about nine years old, my grandparents got me my first computer-- a proper computer. My eyes were opened when I started using the chat rooms and started talking to this wider audience. People were talking about being able to share Playstation games. They were sharing credit card information.

• 08:19

DR. KEVIN FONG: Attracted to free games as an escape from his hard upbringing, he soon graduated to something more serious.

• 08:26

CAL LEEMING: There wasn't much money at all. So I found myself using credit cards that I got from hacking to send food deliveries to the house. So it was a mixture of 50% just out of curiosity and wanting to learn more and never 50% survival.

• 08:46

DR. KEVIN FONG: At the age of just 12, Cal was arrested. He became the UK's youngest ever cyber criminal.

• 08:53

CAL LEEMING: It was very, very traumatic. And they sat me down and said, Cal, do you understand what you have done was against the law? My answer to them was, all I've done was typed on a keyboard, because that's my mindset at the time. I was like, why is that I'm typing on the keyboard to survive, and I'm now getting arrested? And I thought that was very unfair at the time.

• 09:15

DR. KEVIN FONG: Cal continued to hack until 2005, when he was caught, again, for using over 10,000 stolen identities to purchase goods with 750,000 pounds.

• 09:28

CAL LEEMING: Eventually when I was 18, I handed myself in. And the arresting officer, in my case, gave me a chance to turn my life around in exchange for going to prison for a little bit. I owe that guy.

• 09:48

DR. KEVIN FONG: After serving a 15 month jail sentence, he changed sides and now runs a cybersecurity firm. Why hackers do what they do? Why do hackers hack?

• 09:59

CAL LEEMING: So people have their own motivations for wanting to get into hacking. Sometimes it's financial, sometimes criminal, and sometimes it's just pure curiosity. Right now we don't know who started this attack, at least not for sure.

• 10:13

DR. KEVIN FONG: Do you think at any level the people who carried out this attack would have felt slightly appalled that this attack spills over into the National Health Service?

• 10:23

CAL LEEMING: That's a difficult one to answer, because it's not a single group that does all hacking in the world. It's lots and lots of very tiny groups. Sometimes a single person, sometimes lots of people. And with each group of in each environment, you have your own set of rules, conditions, and social etiquette, and all these things.

• 10:40

CAL LEEMING: So in some cases, yes, there are going to be some people that are outraged, even on the criminal side that they've went this far. And in other cases, they might have purposely wanted it to go that far. It depends on the individual.

• 10:57

DR. KEVIN FONG: Whatever their motivation, what we know for sure is that someone did use the alleged NSA exploit Eternal Blue to create a devastating cyber weapon. Within four weeks of Eternal Blue being released, the attack was ready. Eternal Blue was mashed together with other pieces of malicious code and then unleashed on the world.

• 11:20

DR. KEVIN FONG [continued]: And it was given a name, WannaCry. [11 MAY 2017 EVE OF ATTACK] A security patch against Eternal Blue had been made available by Microsoft. On the night before the cyber attack, any machine that hadn't installed the update

• 11:42

DR. KEVIN FONG [continued]: was still vulnerable, including many in the NHS. Infection was now just a matter of time. Before the cyber attack, 22-year-old Marcus Hutchins

• 12:08

DR. KEVIN FONG [continued]: was in the middle of his holiday.

• 12:09

MARCUS HUTCHINS: If there was any surf, I might've been surfing. It's so dynamic. The waves are never the same on two days.

• 12:18

DR. KEVIN FONG: Marcus works remotely for an LA based cyber intelligence company.

• 12:22

MARCUS HUTCHINS: I track malware. I track malicious code that affects users. And I find ways to track and stop it.

• 12:29

DR. KEVIN FONG: And despite being on leave, he was still monitoring the global malware outbreak.

• 12:34

MARCUS HUTCHINS: I woke up. I checked the message board. There were a couple of reports of ransomware infections. I didn't think much of it.

• 12:41

DR. KEVIN FONG: From his home in Devon, his curiosity would play a crucial role as the day's events unfolded. [5:59 AM]

• 12:51

DR. KEVIN FONG: In London, Patrick Ward would spent the night in St Bartholomew's hospital. Like thousands of others, in operating theaters across the country, he was in for plan surgery, in his case, to correct a serious heart problem.

• 13:07

PATRICK WARD: They weren't me at six o'clock, as they do in hospital. One of the nurses came round and shaved my chest, ready for obviously the opening of the chest cavity. I was nervous, but I was very excited, very confident

• 13:28

PATRICK WARD [continued]: about the operation and what was going to happen. I'd, yeah, mentally got myself in the right place to have open heart surgery and was, yeah, fantastic ready to go. The condition I have is hypertrophic cardiomyopathy, which is an enlarged heart.

• 13:50

PATRICK WARD [continued]: It means I struggle to do normal things, walk. I can't do any sporting activities, lifting heavy objects. Obviously, it puts a big strain on the heart and makes me feel extremely useless. I've had some very dark moments over the last couple of years. So I'd like to, yeah, to get back to leading a normal fit and healthy life.

• 14:13

DR. KEVIN FONG: But before surgery could start, Patrick needed some tests.

• 14:16

PATRICK WARD: They wanted to check out my arteries. So they sat me down for a cardio angiogram in the morning. So after having the angiogram and some drugs, I was very-- I was even more relaxed and ready for the afternoon operation.

• 14:33

DR. KEVIN FONG: While Patrick waited for theater, in Devon, Marcus was keeping an eye out for global cyber attacks.

• 14:41

MARCUS HUTCHINS: I checked the message board, there were maybe 16, 17 reports of different NHS sort of organizations being hacked. And that's sort of the point where I decided my holiday is over.

• 14:57

DR. KEVIN FONG: By late morning, the attack had begun. Somehow a worm had got into the NHS. And on the other side of the world somebody was tracking the progress of the outbreak. Marcin Kleczynski runs a cybersecurity firm in California. Their software is installed on machines across the world.

• 15:19

MARCIN KLECZYNSKI: Every time we disinfect a machine, it pings that information back to the labs teams. Real time information was streaming in regarding these specific attacks. And we're able to actually create a live map where the infection is spreading, very similar to a human infection spreading worldwide. We're able to do that from a computer perspective. So we started detecting the attack.

• 15:40

MARCIN KLECZYNSKI [continued]: Actually, the first detection was, according to this, Thursday. So we call that kind of day minus day one. And one of the first computers that we disinfected was in Russia, which was very interesting for us to see. But then you look at Friday and Saturday

• 16:01

MARCIN KLECZYNSKI [continued]: and through the rest of the weekend, the map just completely explodes. We see infections all over the world predominantly in Europe, but also in the US. And they do not relent.

• 16:16

DR. KEVIN FONG: And we're witnessing the largest and fastest spreading outbreak anyone has seen in recent years.

• 16:22

MARCIN KLECZYNSKI: The threat spreads so quickly that we actually would have to go down to the milliseconds to see when it first appeared in the UK. We think it's sometime Friday morning. But we would really have to slow this down and look at the millions of data points we have here to isolate the day we saw it in the UK first.

• 16:40

DR. KEVIN FONG: The first outbreak Marcin detected in London showed up in the afternoon at 18 minutes past one. Across the country, hospitals like this found themselves either in the grip of the attack or desperately trying to switch off systems in an attempt to prevent possible infection.

• 17:01

DR. KEVIN FONG [continued]: One of London's largest most capable hospital trusts, St Bartholomew's and the Royal London, found itself amongst the most severely affected. And so NHS staff put into place contingency plans, working tirelessly to keep everything running, but there were consequences.

• 17:20

PATRICK WARD: The surgeon, he'd been to see me to say, Pat, I'll with you at 1:00 clockish after I've done my rounds. He then came back again and said, how are you doing? Everything OK? And I said, yeah, fine. I'm here ready and waiting. I'm not going anywhere. And he said, great. We're all ready. Everybody's getting organized for you down in theater. The team are there. They're looking forward to meeting you.

• 17:40

PATRICK WARD [continued]: So this was 10 o'clock, 12 o'clock. And then at half past one, he turned up, again, and looked very, yeah, forlorn and very sorry. And that was when he then told me that he couldn't do the operation.

• 17:57

DR. KEVIN FONG: With computer systems down, the surgeon was unable to access Patrick's angiogram and blood results. Without them, the operation couldn't go ahead.

• 18:07

PATRICK WARD: I was numb. It's the only way I can describe it. Yeah, I just felt nothing. I was absolutely-- I couldn't believe it. I was just absolutely flabbergasted. It wasn't until the Monday, really, that the realization of what do I do. I didn't have any idea as to whether I'd

• 18:28

PATRICK WARD [continued]: have to wait another year for the operation. There was just no information available. It's very frustrating. I get to speak to my wife. She'll tell you how grumpy I've been since the operation was canceled, not having a date, something to aim for. So it was extremely, extremely frustrating.

• 18:51

DR. KEVIN FONG: This is what makes me angriest about this whole thing. This cyber attack isn't about an abstract piece of technology. It's not about ransoms or ransomware. It's not about firewalls or patches. It's about people and their lives and how it affects them. It's not being forced as a doctor to someone like Patrick in the eye and to let him down at the worst possible moment.

• 19:14

DR. KEVIN FONG [continued]: And Patrick wasn't alone. The cyber attack had become national news.

• 19:19

REPORTER: The NHS is the victim of a major cyber attack. At least 25 hospital trusts and GP surgeries have been affected. Routine operations at some hospitals are being canceled, ambulances diverted, and patients sent home.

• 19:35

MARCUS HUTCHINS: I went out to lunch. I got back. I then saw lots of reports from different sort of sets of the NHS. They were just all sort of simultaneously being like, we're being hit. And I thought this one thing is hitting all these sectors. So it's going to be something pretty big. So I went and I looked into it.

• 19:56

MARCUS HUTCHINS [continued]: I asked a friend of mine in the industry if we had a sample of the actual malware that was going around. And he sent it to me. I use virtualization software, which basically makes a computer within your computer so that it wouldn't affect me. And saw what it did.

• 20:15

DR. KEVIN FONG: Marcus wasn't alone. Cal too set to work examining the malware. I wanted to find out from him what made this cyber attack so ruthlessly effective.

• 20:31

CAL LEEMING: So what we've got is [Cal Leeming, Cyber Security Expert] a machine that is going to effectively act as patient zero. We've got a second machine to reconstruct how this particular variant of WannaCry spreads across multiple machines. And then in here is what I've dubbed the internet in a box.

• 20:51

DR. KEVIN FONG: To make the malware reveal itself, we have to make it believe these computers are connected to the real internet. And this box provides the necessary dummy signals what's protecting the outside world from home.

• 21:03

CAL LEEMING: So what we're going to do now is run the WannaCry ransomware.

• 21:13

DR. KEVIN FONG: There you go. And that's the screen of doom. So this is this machine out of action.

• 21:20

CAL LEEMING: Exactly.

• 21:26

DR. KEVIN FONG: With the files locked up, the clock is ticking. But as the victim decides whether or not to pay, the malware is already planning its next attacks.

• 21:37

CAL LEEMING: This particular strain has two components. It has the ransomware itself, which is what we see here. And it has the worm component, which was taken from a Eternal Blue, which is government weapons grade exploit. This machine here is actually giving us a bit of insight. And what this is showing us is that it's trying

• 21:57

CAL LEEMING [continued]: to spread across the network.

• 21:59

DR. KEVIN FONG: You don't really think about it, do you? All the output from a machine isn't just what you see on your screen. But there's a lot of silent chatter going on in the background.

• 22:07

CAL LEEMING: Exactly. If you imagine a big room of people and you shout out, who is here and everyone puts their hand up, and that's effectively what these machines are doing. It shouts out and say, who's here, who's here. And then machines reply. And what it tries to do is it tries to hit each of those machines with this payload. This worm is now spreading out across the network. And in an instance where you've got--

• 22:27

DR. KEVIN FONG: Here we go.

• 22:28

CAL LEEMING: And as you can see, it has now just spread on to this machine.

• 22:36

DR. KEVIN FONG: Eternal Blue had been expertly designed to silently move from one machine to another across a Local Area Network or LAN, groups of computers joined together inside a business or a hospital. With the LAN infected, it's spread to the internet.

• 22:58

CAL LEEMING: So if you imagine you've got your big internet cloud down here and each dot represents a machine. And there's billions of these machines. And what it does is the attack will make a direct connection to your machine. And if you are exposing this port to the internet, someone could infect your machine

• 23:21

CAL LEEMING [continued]: without needing to have a local access to it or be on the same network. And what's even more disturbing from that is if you look at the research tools that actually analyze the internet, you can go and query today right now how many of these machines on the internet have got this vulnerable service open to the internet.

• 23:41

CAL LEEMING [continued]: Anyone can go and try and exploit them. And there are hundreds and hundreds and hundreds of thousands of these machines.

• 23:48

DR. KEVIN FONG: The malware sought out these weakness and wormed its way into all manner of networks, from companies like Nissan in the UK to Renault in France from a postal service in Russia to a German railway operator. And to be clear, this doesn't depend

• 24:09

DR. KEVIN FONG [continued]: upon any human interaction here.

• 24:11

CAL LEEMING: It's automatic propagation. There's no human interaction here required at all. And that's why the ransomware itself was relatively low key, to be fair. It wasn't anything particularly special about it. But when combined with a government weapons grade

• 24:32

CAL LEEMING [continued]: exploits, the impact has been devastating.

• 24:39

DR. KEVIN FONG: No one needed to click on a link or open a dodgy email. The worm spread all by itself exploding across networks in a matter of hours. With the ransomware hitting thousands of computers,

• 24:60

DR. KEVIN FONG [continued]: the hackers needed a secure globally accepted form of payment that ideally would be untraceable. They decided to use Bitcoin, an entirely electronic form of so-called cryptocurrency. I've never used bitcoin, but it's easy enough

• 25:20

DR. KEVIN FONG [continued]: to buy some on a phone. And once loaded, you can spend it in a manner of places. So can I get a flat white and a mint tea, please?

• 25:34

CASHIER: Sure.

• 25:35

DR. KEVIN FONG: I've come to a cafe in East London to meet Sarah Meiklejohn, an expert in bitcoin, to find out why it's such an attractive currency for hackers.

• 25:47

CASHIER: Here's your drinks.

• 25:48

DR. KEVIN FONG: Perfect. Can I pay with Bitcoin?

• 25:50

CASHIER: Yes, sure.

• 25:51

DR. KEVIN FONG: OK.

• 25:52

CASHIER: $3.50 please. You're just going to come this way.

• 25:55

DR. KEVIN FONG: OK, I'll lean over and scan that.

• 25:58

CASHIER: That's it.

• 25:59

DR. KEVIN FONG: And it's as easy as that.

• 26:00

CASHIER: That's it.

• 26:02

DR. KEVIN FONG: Perfect. Thank you very much.

• 26:03

CASHIER: Thank you very much, guys.

• 26:04

DR. KEVIN FONG: Marvelous. Right. That's yours. Explain to me then, as a complete non-initiate, what bitcoin is and how it works.

• 26:11

SARAH MEIKLEJOHN: Right. So bitcoin is basically a purely digital form of currency. So it's just a currency like the dollar or the pound. The main differences are that it's not backed by any governments. There is no central bank involved in generating bitcoins. And you don't need a bank account to use it. If I want to use bitcoin, I want to send people bitcoins,

• 26:34

SARAH MEIKLEJOHN [continued]: I'm going to download a piece of software. And in doing that, I'm going to join bitcoin's peer to peer network. So this network is basically collectively responsible for playing all the traditional roles that we're used to in sort of traditional banking.

• 26:48

DR. KEVIN FONG: So the recent WannaCry attack, which affected many organizations, including the National Health Service, was conducted using bitcoin as the currency of ransom. Why did they use bitcoin?

• 27:00

SARAH MEIKLEJOHN: Opening a bitcoin wallet, you know saying, OK, we're open for business, we can accept bitcoins, takes very little time and effort. And then getting paid in bitcoin, equally takes very little effort. If I want to pay someone on the other side of the world, I can do that using bitcoin and they'll get the payment instantaneously.

• 27:19

DR. KEVIN FONG: It's the convenience and speed that makes it easy for hackers to gather their ransom. But as cyber security expert, Mikko Hypponen, explains bitcoin also offers a certain level of anonymity.

• 27:34

MIKKO HYPPONEN: The only thing we can see [Mikko Hypponen, Chief Research Officer, F Secure] is that somebody is sending money for one address to a to another address. And these address are these long lists of numbers and letters, which look really random. They are tied to a user, but we have no idea who these users are.

• 27:49

DR. KEVIN FONG: What was invented to ensure an individual's privacy had unforeseen consequences.

• 27:56

MIKKO HYPPONEN: So we very quickly started seeing bitcoin being used in online crime, first, in online drug trade. Because when you're buying illegal drugs online, you don't want to use your credit card, because the credit card will lead back to you and bitcoin's don't. And then we started seeing ransom attacks. Ransomware has been around for years and years,

• 28:17

MIKKO HYPPONEN [continued]: way before bitcoin. But the megatrend which really made ransomware such a big problem is cryptocurrencies like bitcoin.

• 28:25

DR. KEVIN FONG: By allowing transactions to take place between pseudonyms, rather than real identities, bitcoin became the go to currency for cybercrime. But it turns out that the details of bitcoin's original design could for some criminals actually be their undoing.

• 28:45

MIKKO HYPPONEN: Bitcoin was invented by a figure called Satoshi Nakamoto around six years ago. It's based on an innovation called blockchain. And blockchain basically means the public ledger of transactions.

• 28:60

DR. KEVIN FONG: When a transaction is made between two bitcoin users, the details of that transaction are logged into a pattern ledger known as the blockchain. And the blockchain data isn't kept in a single computer server. It's distributed across the entire network, which

• 29:20

DR. KEVIN FONG [continued]: means even if an individual machine goes down, it would never be erased. So the entire history of every bitcoin transaction is accessible to all users now and forever. Until this point, what I understood by Bitcoin was that it was fully anonymous.

• 29:40

DR. KEVIN FONG [continued]: And therefore, it's the perfect, the perfect currency in which the underworld can operate. Is that not true?

• 29:47

SARAH MEIKLEJOHN: No. It's definitely not true. Bitcoin exchanges are what's responsible for trading bitcoin with traditional government backed currencies. But the second you send your bitcoins to this exchange, you've created a link between your activities in the bitcoin network and your identity as a real person. The second I know that a given pseudonym belongs to a criminal

• 30:11

SARAH MEIKLEJOHN [continued]: or belongs to anyone, I can then start trying to understand what that user has done with that money. We've seen, in the past, that attackers have stolen bitcoins. Then they've sat on them for years, probably because they don't really know what to do with them next.

• 30:27

MARCIN KLECZYNSKI: Attribution is hard. This could have been anybody in the world carrying out this attack. If you're looking for my opinion, it's some script kiddie in a basement somewhere, not actual government agency.

• 30:38

ROSS ANDERSON: And if he's got any sense, whatsoever, you know he'll take his hard disk, he'll smash it up with a sledgehammer and burn it in a bonfire. And he will not, whatever he does, go and try and spend some of those bitcoins that ended up in his wallet, because if he does, there's quite a number of governments would like to offer him some hospitality for quite a long period of his life.

• 31:04

DR. KEVIN FONG: As the ransomware continued to spread, thousands of people face the same dilemma, should they pay the ransom or not? It's a question that Moty Cristal has given a lot of thought.

• 31:24

MOTY CRISTAL: I'm a negotiator by profession. I started my career in the political negotiations between Israel and the Arab world, and later on into hostage negotiations and high intensity conflicts. In hostage situation, you negotiate with a person

• 31:44

MOTY CRISTAL [continued]: that if you will have the opportunity to talk him, come to the window, and then shot him in the head, because it he just killed three kids, you will do it, and without any moral hesitation. But in the cyber world, you cannot do that. It relies on talk. It's significantly more important.

• 32:07

DR. KEVIN FONG: Extortionists, like the people behind WannaCry, are increasingly abandoning the real world and moving online. It's low risk and more profitable. But once the setting may have changed, Moty's job remains the same. And much of his work is now in cybercrime.

• 32:27

MOTY CRISTAL: There's always a human being behind the keyboard. So at the end of this ransomware attack, there are people that have feelings, logics, emotions. There's always a human being to whom you can and you should try to connect.

• 32:48

DR. KEVIN FONG: No one has been able to reach out to those behind WannaCry, but perhaps Moty could help shed light on how these criminal organizations think. In October 2015, he is called in to negotiate for a financial institution that had been attacked by another piece of malware. The hackers attempted to portray themselves

• 33:10

DR. KEVIN FONG [continued]: as an arm of the Russian state, APT28. Moty reached out to them.

• 33:20

MOTY CRISTAL: You know, I teased them. I said, are you really APT28, the Russian proclaimed Russian team. Yes, correct. And I said, if you APT28, 28 why you start to do this, you know, low stuff of extortion, instead of the very fascinating

• 33:41

MOTY CRISTAL [continued]: cool government stuff?

• 33:43

DR. KEVIN FONG: Through this kind of engagement, over many months, Moty created a dialogue with the attackers.

• 33:50

MOTY CRISTAL: We already start moving towards a deal. And they write to me, the way we can do it-- better version of the language-- the way we can do it, we are already are clean is two equal payments. After the first one, we tell you exactly how you are breached and which system are most vulnerable.

• 34:12

MOTY CRISTAL [continued]: So suddenly after the first payment, they start actually to be my consultant, my advisors. They start to tell me how my system was breached, which is a very valuable information. This is something we never do, but consider it as a gesture. And then I immediately reply.

• 34:33

MOTY CRISTAL [continued]: I never recommend moving forward based on the virtual contract, I'm telling them. But with you I feel we have this othnosheniya, the Russian word for relationship, to signal them that we are on the same page. I do appreciate this.

• 34:51

DR. KEVIN FONG: Though the ransom was paid by negotiating with the hackers, Moty successfully ensured that the company's data were not released. But for those facing the ransom on the 12th of May attack was paying the right thing to do?

• 35:08

MOTY CRISTAL: There are several costs involved when you pay the ransomware. And I do think most important is that you feel bad that actually you are surrendered to this type of criminal. So if you pay, you feel bad.

• 35:24

DR. KEVIN FONG: And there's another risk to paying. You open yourself up to further cyber attacks.

• 35:29

MOTY CRISTAL: I do believe in the darkness. Dark in the darkness. People do exchange lists of people who paid. Why? Because that's, again, the human pattern. If you paid once, you might pay again and again.

• 35:54

DR. KEVIN FONG: Ransoms paid in bitcoin, hostage negotiators, it's all fine if you're a high net worth individual or a private mega corporation. But none of that is going to work in the NHS, even if it could pay, which it can't, because there's no money, it wouldn't be allowed to pay. The best you can hope for in that situation as a hacker is that you don't inadvertently

• 36:14

DR. KEVIN FONG [continued]: kill somebody and instead, of the local cybercrime division, suddenly find the murder squad kicking down your front door. Those hospitals that and GPs that have been infected have no option but to keep their computers off and hope that something could stop the spread. And incredibly an answer was found thanks to a bit of luck

• 36:38

DR. KEVIN FONG [continued]: and Marcus's inquisitive nature. By late afternoon, he'd spotted curious in the malware's code. It was trying to connect one specific web address, a domain.

• 36:58

MARCUS HUTCHINS: I saw this domain was not registered. So my first sort of idea was to just go and reserve it just in case. By registering it, we could track the infection across the globe. Straight after registering the domain, we were seeing thousands of queries per second, maybe 100,000 unique infections within the first hour.

• 37:18

MARCUS HUTCHINS [continued]: It was sort of like a bingo moment.

• 37:21

DR. KEVIN FONG: He didn't yet realize it, but when registering the domain, at a cost of just \$10, Marcus wasn't just tracking the infection, he was also preventing it from spreading.

• 37:32

MARCUS HUTCHINS: The plan was to track it and then look for a way to stop it, but it actually turned out that tracking it was stopping it.

• 37:43

DR. KEVIN FONG: It was like finding a vaccine. For now, WannaCry could do no further damage. The NHS didn't realize it yet and was still relying on emergency systems, but the cyber attack was over, the malware defeated.

• 38:01

MARCUS HUTCHINS: Kill switch was sort of the term media ran with. It sure makes a lot of sense, because it is a kill switch. It stops the malware. It seems silly that simply registering a domain would stop a global cyber attack, but it happened.

• 38:15

DR. KEVIN FONG: In the days following the cyber attack, the NHS slowly came back online. Machines were given the patch. Backup data was used to restore the encrypted files. And news of Marcus's cure spread.

• 38:29

REPORTER: Well, as we've been hearing, the global cyber attack was halted almost by accident. It was a 22-year-old in the UK who checked the code and found a reference to an unregistered website name.

• 38:42

DR. KEVIN FONG: With systems restored, Patrick finally got the news he was waiting for.

• 38:47

PATRICK WARD: I've gone back to work. And then I had a phone call to say that they had managed to get an operation date for me for next week, which I was with a customer. And I was, yeah, absolutely delighted. I can't describe the people who did the ransomware.

• 39:09

PATRICK WARD [continued]: I'm sure I wasn't in their thought process to attack individual people, but that's the result of exactly what's happened.

• 39:25

DR. KEVIN FONG: In a detached sort of way, you've got to have, at least, a bit of respect for the malware. As poorly constructed as it was, it still did a lot of damage. And that's not unlike a real infection. Real viruses have a lot of flaws and yet still go on to wreak havoc. And like a real infection, the malware was able to hide, evade natural defenses,

• 39:48

DR. KEVIN FONG [continued]: avoid surveillance, go dormant, and then go on to cause all of that chaos. But like a real infection, there was in the end a way to fight it. And so the NHS survived at least this time.

• 40:13

DR. KEVIN FONG [continued]: WannaCry soon disappeared from the front pages, but at a gathering of cybersecurity experts a fortnight after the attack, it was still making waves. So this is a long, bland cybersecurity conference. It predates the NHS cyber attack by many months,

• 40:33

DR. KEVIN FONG [continued]: but it's going to be dominating the agenda at every single speed, as I mentioned. I wanted to know why in this country, it was the NHS that seemed to bear the brunt of the ransomware infection. Thank you. I'm Kevin Fong. I'm a doctor in the NHS. We still can't quite understand how worried we should be

• 40:56

DR. KEVIN FONG [continued]: or how vulnerable we continue to be.

• 40:58

PROF NICK JENNINGS: We had [Professor Nick Jennings] the person responsible for one of the trusts sort of talking about her experiences in day to day life and running IT in the NHS. And it really stuck with me and resonated, actually, sort of the amount of budget that she had to protect the IT was vanishingly small.

• 41:21

PROF NICK JENNINGS [continued]: They had one support person for 1,000 machines and things like that. And that's just not a sustainable investment. I think the NHS really does need to think about sort of its balance of investment. It must put more money into this. It's always a hard trade to think patient versus IT.

• 41:41

PROF NICK JENNINGS [continued]: But actually, you've got to have that infrastructure to be able to do a good job on the patient side.

• 41:48

DR. KEVIN FONG: Spending varies across the NHS. It's been reported that in 2015 seven trusts spent nothing at all on IT security. If this is true, surely this needs urgent attention now that weaknesses have been exposed by the WannaCry attack.

• 42:05

ANOUK VOS: I was shocked what happened to the NHS. [Anouk Vos, Cyber Security Lead, Revnext] I think the shock is more in the vulnerability of hospitals than it was in the way the attack was executed. We are always afraid of the next attack hitting critical infrastructures. So now health care systems were hit,

• 42:27

ANOUK VOS [continued]: we are afraid that it will be electricity department, water departments, those types of infrastructure is being hit. That didn't happen, but it can happen. So I think that this is what we're kind of waiting for.

• 42:45

RAJ SAMANI: I think there has to be a recognition that it's not an IT or a computer issue. This is about everyday life now.

• 42:51

ROSS ANDERSON: In a world where everything's online and where there are ever more online threats and where government agencies involved in security are much more interested in adding to the threat level than adding to the defense level, thus, there's an awful lot of conflict sir that we're going to have to manage.

• 43:10

DR. KEVIN FONG: This attack affected Russian banks, Chinese universities, Spanish telecoms companies, even FedEx. The vulnerabilities were there for all of us across countries, and continents, private and public sector, all walks of life. The NHS was simply one in a long list of casualties, collateral

• 43:31

DR. KEVIN FONG [continued]: damage in a global cyber war. The new reality is that we're all at risk. It's not only businesses and governments. Anyone who's connected could be a target. As the world of networked technology

• 43:52

DR. KEVIN FONG [continued]: gets ever more complex, it opens up whole new realms of vulnerability. And it's no longer just our computers that are at risk, our homes and offices are now filled with devices that are online and ripe for hacking.

• 44:10

MAN 1: Which one are you are you pinning all hopes on being--

• 44:13

MAN 2: There. Yeah, that one.

• 44:16

DR. KEVIN FONG: Ken Munro leads a team of ethical hackers that test the security of internet enabled household devices, the so-called internet of things, to find out where their weak spots are and to see how much havoc they could wreak. This is kind of the most fundamental aspect of hacking. You're in there at the nitty-gritty of the level of the circuit board.

• 44:36

KEN ROWE: So that's what's different about the internet of things is unlike, say, any e-commerce site which is safely hosted in a data center on a server somewhere, with the internet of things you can come by the kit. You can dismantle it. You can find the chips and the hardware and then connect to it. So literally put logic probes, electric wires, onto the circuit cables and then pull off the software

• 44:57

KEN ROWE [continued]: and reverse engineer how it works from ones and zeros. And once you've got that, you can find security flaws.

• 45:05

DR. KEVIN FONG: As Ken discovered, some devices are far easier to hack than others. And this is your hackable shop of horrors. What have you got here?

• 45:15

KEN ROWE: So probably the first one we look at this is my friend Kayla. She's an interactive kids doll. She works by a Bluetooth with an app. The manufacturer forgot to put security on the Bluetooth connection. So as a result, it means that someone could be sat on the street outside, could be listening to what's going on in the room. So snooping on your child or potentially speaking to the child to the speaker.

• 45:36

KEN ROWE [continued]: But our interest is we wanted to see if we could bypass her protection measures. You can't make her swear, but of course, we discovered you could hack her. And she swears like a docker now.

• 45:46

DOLL: Hey, calm down or I will kick the shit out of you.

• 45:50

KEN ROWE: Pretty creepy, but it's a very serious issue. The German telecommunications regulator has now classified her as a covert bugging device and has banned her. It's illegal to own her in Germany now.

• 46:01

DR. KEVIN FONG: All right, OK. So this is a wireless kettle, but I don't actually care if someone hacks my kettle. And what can they possibly do with that?

• 46:11

KEN ROWE: Well, this is a Wi-Fi kettle. I mean, how else would you boil a kettle?

• 46:14

DR. KEVIN FONG: Exactly.

• 46:15

KEN ROWE: From the car home? So this is the scary bit. So this is the Wi-Fi model. And I'm going to show you how we managed to hack that. Imagine I'm outside your house. If I want to get your Wi-Fi key from your kettle, it's really surprisingly easy. All I need to do, I'm going to connect to it. I need to put a password in. See password, great security. Unfortunately, the password on these kettles is, believe it or not, six zeros.

• 46:37

KEN ROWE [continued]: Once I connect to it, I have to send one command, and I can retrieve your wireless network encryption key. That's the key that secures all of your traffic on your Wi-Fi network. So if I was a malicious hacker on your network, I can now see everything you do on your home wireless network. Online banking, your social media, everything you do, we can see, because we've

• 46:58

KEN ROWE [continued]: got it was network key.

• 46:59

DR. KEVIN FONG: I can see a thermostat over here. I think I have something similar in my house. What's the problem with a wireless thermostat?

• 47:07

KEN ROWE: Unfortunately, we've found some pretty shocking security on some brands of smart thermostat. This when we manage to actually hold it to ransom. So just like you've heard with NHS ransomware issue, holding critical devices to ransom, actually we found you can even hold the smart thermostat to ransom. So lock you out of your heating, unless you pay cash.

• 47:26

DR. KEVIN FONG: So that would be quite unpleasant, but in the end, surely you just take it off the wall and reset it.

• 47:31

KEN ROWE: I'm not so worried about that. What I'm more worried about is actually taking control of lots of smart thermostats and someone finds a way to compromise them, which we have, and they could switch them on and off synchronously. You can correct unexpected power spikes using people's thermostats. So in theory, you could knock out the grid on a bad day

• 47:52

KEN ROWE [continued]: if you wanted to.

• 47:52

DR. KEVIN FONG: So I mean, that's fascinating and terrifying. I mean, this is not about what it does to the individual. This is about what it might do to an entire nation's power grid.

• 48:01

KEN ROWE: Damn right. Imagine you were a foreign power. You want to soften up a country on a particular day, I don't know maybe an election day, and you knocked out the power. That's going to influence the outcome of the election.

• 48:14

DR. KEVIN FONG: All right. The internet of things has also arrived in health care. Devices that regulate drug dosages can now be operated over the internet. And some of the latest pacemakers are controlled by Bluetooth.

• 48:34

DR. KEVIN FONG [continued]: A recent study revealed that there might be thousands of exploits. Do you think this fundamentally limits how useful the digital revolution might be in health care?

• 48:46

KEN ROWE: Well, I think we got things out of step. I think we've got amazing technical advances, fantastic technological steps forward, which are brilliant, which allows us to do cool stuff. That allows us much better diagnostics, brilliant, but we've got that out of step with the security. So we're in a catch-up game. Once security is caught up with technical advances, great. We get fantastic medical benefits.

• 49:08

KEN ROWE [continued]: But until then, it's all a little bit dangerous to me. [MUSIC PLAYING]

• 49:19

DR. KEVIN FONG: We can't go back to the Stone Age. We need digital technology and all of its promise to push back the frontiers of medicine. So we have to learn how to protect ourselves, but there is hope, hope because there are people on our side in this fight. We've met some of them. Hope too, because of all professions, medicine should be able to learn how to deal with this,

• 49:40

DR. KEVIN FONG [continued]: because this is the feat of host immunity of taking the hit from an infection or recognizing it and then continually evolving your defenses, until eventually you're impervious. And hope as well, because despite reports, the NHS never stopped. Yes, parts of its network were severely affected,

• 50:03

DR. KEVIN FONG [continued]: but it kept doing what it always does. If the last few terrible weeks have taught us anything, it's that the NHS can take whatever you throw at it. It has a plan. It will learn. And it will be ready for the next time. [MUSIC PLAYING]

### Video Info

Publisher: BBC Worldwide

Publication Year: 2017

Video Type: Documentary

Methods: Data privacy, Data ethics

### Segment Info

Segment Num.: 1

## Abstract

Dr. Kevin Fong retraces the global WannaCry cyber attack of May 2017, with a focus on its impact to the National Health Service (NHS), including historical information about this malware; the outbreak and its effect on the NHS; how it spread; a reconstruction of the attack; some myths about bitcoin, the ransomware of choice; negotiating with cyber criminals; how it was luckily stopped; what could be done to prevent future attacks; and new cyber security threats from the Internet-of-Things.