The Confessions of Marcus Hutchins, the Hacker Who Saved the Internet
“It wasn’t a targeted attack but an automated worm spreading across the internet. Within hours, it hit more than 600 doctor’s offices and clinics, leading to 20,000 canceled appointments, and wiped machines at dozens of hospitals. Across those facilities, surgeries were being canceled, and ambulances were being diverted from emergency rooms, sometimes forcing patients with life-threatening conditions to wait crucial minutes or hours longer for care. Jones came to a grim realization: “People may have died as a result of this.”
Cybersecurity researchers named the worm WannaCry, after the .wncry extension it added to file names after encrypting them. As it paralyzed machines and demanded its bitcoin ransom, WannaCry was jumping from one machine to the next using a powerful piece of code called EternalBlue, which had been stolen from the National Security Agency by a group of hackers known as the Shadow Brokers and leaked onto the open internet a month earlier. It instantly allowed a hacker to penetrate and run hostile code on any unpatched Windows computer—a set of potential targets that likely numbered in the millions. And now that the NSA’s highly sophisticated spy tool had been weaponized, it seemed bound to create a global ransomware pandemic within hours.
As the worm spread around the world, it infected the German railway firm Deutsche Bahn, Sberbank in Russia, automakers Renault, Nissan, and Honda, universities in China, police departments in India, the Spanish telecom firm Telefónica, FedEx, and Boeing. In the space of an afternoon, it destroyed, by some estimates, nearly a quarter-million computers’ data, inflicting between $4 billion and $8 billion in damage.”
Wannacry was eventually stopped in its tracks by Hutchins, the protagonist of this story. But not before he had his brushes with cybercrime. Greenberg takes us on a journey of the making of a hacker – when Hutchins growing up in the British countryside was so drawn into the thrills of hacking often boosted by drugs that blurred the lines between right and wrong.
“…But in his teenage mind, Hutchins says, he still saw what he was doing as several steps removed from any real cybercrime. Hosting shady servers or stealing a few Facebook passwords or exploiting a hijacked computer to enlist it in DDoS attacks against other hackers—those hardly seemed like the serious offenses that would earn him the attention of law enforcement. Hutchins wasn’t, after all, carrying out bank fraud, stealing actual money from innocent people. Or at least that’s what he told himself. He says that the red line of financial fraud, arbitrary as it was, remained inviolable in his self-defined and shifting moral code.
…Web injects, in Hutchins’ mind, had a very clear purpose: They were designed for bank fraud. Most banks require a second factor of authentication when making a transfer; they often send a code via text message to a user’s phone and ask them to enter it on a web page as a double check of their identity. Web injects allow hackers to defeat that security measure by sleight of hand. A hacker initiates a bank transfer from the victim’s account, and then, when the bank asks the hacker for a confirmation code, the hacker injects a fake message onto the victim’s screen asking them to perform a routine reconfirmation of their identity with a text message code. When the victim enters that code from their phone, the hacker passes it on to the bank, confirming the transfer out of their account.
Over just a few years, Hutchins had taken so many small steps down the unlit tunnel of online criminality that he’d often lost sight of the lines he was crossing. But in this IM conversation with Vinny, Hutchins says, he could see that he was being asked to do something very wrong—that he would now, without a doubt, be helping thieves steal from innocent victims. And by engaging in actual financial cybercrime, he’d also be inviting law enforcement’s attention in a way he never had before.
Until that point, Hutchins had allowed himself to imagine that his creations might be used simply to steal access to people’s Facebook accounts or to build botnets that mined cryptocurrency on people’s PCs. “I never knew definitively what was happening with my code,” he says. “But now it was obvious. This would be used to steal money from people. This would be used to wipe out people’s savings.”
As a result, spending on cybersecurity across the world is so high that talented hackers can actually make a lucrative career legally as Hutchins realised:
““You’re going to send me this much money every month?”
It was more than he had ever earned as a cybercriminal malware developer.
Hutchins had come to understand, too late, the reality of the modern cybersecurity industry: For a talented hacker in a Western country, crime truly doesn’t pay.”
The article ends with the moral of Hutchins’ story:
“We are all morally complex people,” Wheeler says. “For most of us, anything good we ever do comes either because we did bad before or because other people did good to get us out of it, or both.”
…[Hutchins’] earnest tweet, intended to dispel an easy story to tell about his past immorality: that the sort of whitehat work he’d done was only possible because of his blackhat education—that a hacker’s bad actions should be seen as instrumental to his or her later good deeds.
“There’s [a] misconception that to be a security expert you must dabble in the dark side,” Hutchins wrote. “It’s not true. You can learn everything you need to know legally. Stick to the good side.”