2:52:24 > 2:52:26On the morning of May 12th,
2:52:26 > 2:52:30NHS staff were about to be confronted by a major outbreak...
2:52:34 > 2:52:38..as an epidemic swept like wildfire across the country.
2:52:43 > 2:52:47But the disease didn't infect patients, and it wasn't biological.
2:52:49 > 2:52:53Instead it attacked the central nervous system of the NHS itself.
2:52:58 > 2:52:59Across the country,
2:52:59 > 2:53:03computer systems were knocked out by a highly contagious computer virus.
2:53:05 > 2:53:07Hello, can I speak to IT, please?
2:53:07 > 2:53:10It became known as WannaCry.
2:53:10 > 2:53:13There's a message on my screen, it says my files have been encrypted.
2:53:13 > 2:53:15This is the story of a uniquely challenging day
2:53:15 > 2:53:18for the National Health Service.
2:53:18 > 2:53:21A day when the NHS itself became a patient.
2:53:21 > 2:53:25It was attacked by a particularly vicious piece of computer code
2:53:25 > 2:53:26which took down its networks,
2:53:26 > 2:53:29its computers and anything attached to them.
2:53:29 > 2:53:32And that meant patient record systems, CT scanners,
2:53:32 > 2:53:34even MRI machines,
2:53:34 > 2:53:37putting not just data but also patients' lives at risk.
2:53:39 > 2:53:42The surgeon looked very forlorn and very sorry,
2:53:42 > 2:53:46and that was when he then told me that he couldn't do the operation.
2:53:46 > 2:53:48We were unable to book appointments,
2:53:48 > 2:53:51we were unable to see who would be coming in tomorrow,
2:53:51 > 2:53:56so we were really paralysed and at a loss of what to do.
2:53:56 > 2:54:00Horizon unpicks the science behind the recent widespread cyber attack
2:54:00 > 2:54:02that hit our National Health Service.
2:54:03 > 2:54:07And, in his first television interview, we meet the 22-year-old
2:54:07 > 2:54:11cyber security specialist who stopped it in its tracks.
2:54:11 > 2:54:13I checked the message board.
2:54:13 > 2:54:17There were maybe 16, 17 reports of different NHS, sort of,
2:54:17 > 2:54:19organisations being hit.
2:54:19 > 2:54:22And that was sort of the point where I decided, "My holiday's over,
2:54:22 > 2:54:24"I've got to look into this."
2:54:24 > 2:54:30The outbreak exposed a vulnerability at the heart of the NHS.
2:54:30 > 2:54:33I am a doctor, and all of this is a worry.
2:54:33 > 2:54:36I want to know what happens, I want to know why it happens,
2:54:36 > 2:54:39and I want to know how I can protect my patients
2:54:39 > 2:54:42from this new strain of infectious disease.
2:55:02 > 2:55:05I found out about the attacks the way most people did,
2:55:05 > 2:55:07through news reports.
2:55:07 > 2:55:10Now, mercifully, the hospital that I work for wasn't affected,
2:55:10 > 2:55:13but as details emerged, it became clear that colleagues all
2:55:13 > 2:55:16over the NHS were getting into work that day,
2:55:16 > 2:55:19setting up their computers
2:55:19 > 2:55:22and being greeted with a screen that looks like this.
2:55:22 > 2:55:25Now it's very polite - it tells you what it's done, it's encrypted
2:55:25 > 2:55:28all of your data, tells you what you have to do, which is pay some money,
2:55:28 > 2:55:31and it tells you that if you pay the money now,
2:55:31 > 2:55:32you won't have to pay quite so much.
2:55:32 > 2:55:35Otherwise you're going to lose everything.
2:55:38 > 2:55:44On 12th May 2017, the cyber attack wrought havoc across the NHS.
2:55:44 > 2:55:46It hit many hospital trusts,
2:55:46 > 2:55:50and some A&E departments even closed their doors to ambulances.
2:55:50 > 2:55:52Operations were cancelled.
2:55:52 > 2:55:54Patients were diverted.
2:55:55 > 2:55:58But the story of the virus itself
2:55:58 > 2:56:01goes back far further than the events of that day.
2:56:26 > 2:56:30With all outbreaks, there's always a point of origin.
2:56:30 > 2:56:33A moment when the virus first emerges.
2:56:41 > 2:56:44DRAMATIC MUSIC PLAYS
2:57:07 > 2:57:10Down! Down! Hands on your head!
2:57:10 > 2:57:12Down, down, down!
2:57:13 > 2:57:15Cuff him!
2:57:21 > 2:57:22For over 20 years,
2:57:22 > 2:57:26Harold Martin worked as a contractor for US government intelligence.
2:57:35 > 2:57:38On the day of his arrest, agents found stolen drives
2:57:38 > 2:57:42containing more than 50 terabytes of classified data...
2:57:44 > 2:57:47..allegedly including top-secret hacking tools
2:57:47 > 2:57:50stockpiled by the National Security Agency.
2:58:00 > 2:58:03Harold Martin's arrest followed a tweet
2:58:03 > 2:58:06by a mysterious group calling themselves the Shadow Brokers.
2:58:10 > 2:58:13They were offering National Security Agency hacking tools
2:58:13 > 2:58:18to anyone prepared to pay the 580 million asking price.
2:58:20 > 2:58:22According to reports,
2:58:22 > 2:58:24once they found out about the Shadow Brokers' demands,
2:58:24 > 2:58:28the NSA triggered an internal investigation and,
2:58:28 > 2:58:31just a couple of weeks later, Harold Martin was arrested.
2:58:31 > 2:58:33Now, there's no evidence at all
2:58:33 > 2:58:36that he passed on information to the Shadow Brokers,
2:58:36 > 2:58:39but, interestingly, on the hard drives in his home,
2:58:39 > 2:58:42was found the hacking tool, Eternal Blue.
2:58:42 > 2:58:46Now, Eternal Blue is a kind of key that allows you to prise open
2:58:46 > 2:58:49the Windows 7 operating system, and it is that which allowed hackers to
2:58:49 > 2:58:56cause havoc across organisations all over the world, including the NHS.
2:59:02 > 2:59:03When it comes to attribution,
2:59:03 > 2:59:06in other words identifying the true source of attacks,
2:59:06 > 2:59:11the world in cyber is a lot more difficult than,
2:59:11 > 2:59:14say for example, physical, because, you know, you can make your attack
2:59:14 > 2:59:16appear to come from anywhere in the world.
2:59:17 > 2:59:20So, Shadow Brokers is an anonymous entity,
2:59:20 > 2:59:22we don't really know who's behind Shadow Brokers.
2:59:24 > 2:59:27It's generally assumed in the security research community
2:59:27 > 2:59:32that the Shadow Brokers are, in effect, an arm of the Russian state.
2:59:40 > 2:59:4235 days before the cyber attack,
2:59:42 > 2:59:44it was business as usual across the NHS.
2:59:47 > 2:59:51But at this moment, the Shadow Brokers made a fateful decision.
2:59:52 > 2:59:54With no buyer coming forward,
2:59:54 > 2:59:59they dumped their trove of stolen cyber-weapons online, for free.
3:00:01 > 3:00:04They were now available for anyone to use.
3:00:08 > 3:00:13Cal Leeming is someone with unique insight into the cyber underworld.
3:00:13 > 3:00:16He taught himself to hack, and he started young.
3:00:16 > 3:00:18When I was about nine years old,
3:00:18 > 3:00:22my grandparents got me my first computer.
3:00:22 > 3:00:23A proper computer.
3:00:23 > 3:00:27My eyes were opened when I started using these chatrooms
3:00:27 > 3:00:29and started talking to this wider audience.
3:00:29 > 3:00:34People were talking about being able to share PlayStation games.
3:00:34 > 3:00:37They were sharing credit card information.
3:00:37 > 3:00:40Attracted to free games as an escape from his hard upbringing,
3:00:40 > 3:00:44he soon graduated to something more serious.
3:00:44 > 3:00:45There wasn't much money at all.
3:00:45 > 3:00:51So I found myself using credit cards that I had got from hacking
3:00:51 > 3:00:53to send food deliveries to the house.
3:00:54 > 3:00:58So it was a mixture of 50% just utter curiosity
3:00:58 > 3:01:00and wanting to learn more,
3:01:00 > 3:01:02and the other 50% survival.
3:01:04 > 3:01:07At the age of just 12, Cal was arrested.
3:01:07 > 3:01:11He became the UK's youngest ever cybercriminal.
3:01:11 > 3:01:12It was very, very traumatic.
3:01:12 > 3:01:14And they sat me down and said,
3:01:14 > 3:01:18"Cal, do you understand what you have done was against the law?"
3:01:19 > 3:01:23My answer to them was, "All I've done was typed on a keyboard."
3:01:23 > 3:01:25Because that's my mind-set, at the time.
3:01:25 > 3:01:27I was like, "Why is it that I'm typing on the keyboard to
3:01:27 > 3:01:30"survive and I'm now getting arrested?"
3:01:30 > 3:01:33And I thought that was very unfair at the time.
3:01:33 > 3:01:36Cal continued to hack until 2005,
3:01:36 > 3:01:40when he was caught again for using over 10,000 stolen identities
3:01:40 > 3:01:45to purchase goods worth £750,000.
3:01:46 > 3:01:51Eventually, when I was 18, I handed myself in,
3:01:51 > 3:01:55and the arresting officer in my case gave me a chance
3:01:55 > 3:01:58to turn my life around in exchange for going to prison
3:01:58 > 3:01:59for a little bit.
3:02:00 > 3:02:02I owe that guy a lot.
3:02:05 > 3:02:09After serving a 15-month jail sentence, he changed sides,
3:02:09 > 3:02:12and now runs a cyber security firm.
3:02:14 > 3:02:17Why do hackers do what they do? Why do hackers hack?
3:02:17 > 3:02:21People have their own motivations for wanting to get into hacking.
3:02:21 > 3:02:24Sometimes it is financial, other times criminal,
3:02:24 > 3:02:26and sometimes it's just pure curiosity.
3:02:26 > 3:02:31Right now we don't know who started this attack, at least not for sure.
3:02:31 > 3:02:34Do you think, at any level, the people who carried out this attack
3:02:34 > 3:02:38would have felt slightly appalled that this attack spilt over
3:02:38 > 3:02:40into the National Health Service?
3:02:40 > 3:02:43That's a difficult one to answer,
3:02:43 > 3:02:46because it's not a single group that does all hacking in the world,
3:02:46 > 3:02:48it's lots and lots of very tiny groups,
3:02:48 > 3:02:50sometimes a single person, sometimes lots of people,
3:02:50 > 3:02:52and with each group, within each environment,
3:02:52 > 3:02:54you have your own set of rules,
3:02:54 > 3:02:57conditions and social etiquette and all these things.
3:02:57 > 3:03:01So, in some cases, yes, there are going to be some people
3:03:01 > 3:03:04that are outraged, even on the criminal side, that they've...
3:03:04 > 3:03:05That it went this far.
3:03:05 > 3:03:08And in other cases, they might have purposefully wanted it
3:03:08 > 3:03:12to go that far. It depends on the individual.
3:03:14 > 3:03:19Whatever their motivation, what we know for sure is that someone
3:03:19 > 3:03:23did use the alleged NSA exploit Eternal Blue
3:03:23 > 3:03:25to create a devastating cyber-weapon.
3:03:26 > 3:03:29Within four weeks of Eternal Blue being released,
3:03:29 > 3:03:31the attack was ready.
3:03:31 > 3:03:35Eternal Blue was mashed together with other pieces of malicious code
3:03:35 > 3:03:38and then unleashed on the world, and it was given a name.
3:03:48 > 3:03:51A security patch against Eternal Blue
3:03:51 > 3:03:54had been made available by Microsoft.
3:03:54 > 3:03:57But on the night before the cyber attack,
3:03:57 > 3:04:02any machine that hadn't installed the update was still vulnerable...
3:04:02 > 3:04:04including many in the NHS.
3:04:09 > 3:04:12Infection was now just a matter of time.
3:04:21 > 3:04:23On the morning of the cyber-attack,
3:04:23 > 3:04:2822-year-old Marcus Hutchins was in the middle of his holiday.
3:04:28 > 3:04:30If there was any surf, I might have been surfing.
3:04:30 > 3:04:34It's so dynamic, the waves are never the same on two days.
3:04:35 > 3:04:40Marcus works remotely for an LA-based cyber intelligence company.
3:04:40 > 3:04:43I track malware. I track malicious code that affects users,
3:04:43 > 3:04:46and I find ways to track and stop it.
3:04:47 > 3:04:48And despite being on leave,
3:04:48 > 3:04:52he was still monitoring the global malware outbreak.
3:04:52 > 3:04:55I woke up, I checked the message board, there were a couple of
3:04:55 > 3:04:59reports of ransomware infections, but I didn't think much of it.
3:04:59 > 3:05:00From his home in Devon,
3:05:00 > 3:05:05his curiosity would play a crucial role as the day's events unfolded.
3:05:09 > 3:05:11In London, Patrick Ward had spent the night
3:05:11 > 3:05:14in St Bartholomew's Hospital.
3:05:15 > 3:05:16Like thousands of others,
3:05:16 > 3:05:19in operating theatres across the country,
3:05:19 > 3:05:21he was in for planned surgery,
3:05:21 > 3:05:24in his case to correct a serious heart problem.
3:05:24 > 3:05:26They woke me at six o'clock,
3:05:26 > 3:05:29as they do in hospital,
3:05:29 > 3:05:36and one of the nurses came round and shaved my chest, ready for,
3:05:36 > 3:05:38obviously, the opening of the chest cavity.
3:05:39 > 3:05:43I was nervous, but I was very excited, very...
3:05:43 > 3:05:49confident about the operation and what was going to happen.
3:05:49 > 3:05:52I'd...yeah, mentally got myself in the right place
3:05:52 > 3:05:55to have open heart surgery,
3:05:55 > 3:05:57and was, yeah, fantastic, ready to go.
3:05:57 > 3:06:00PHONE RINGS
3:06:00 > 3:06:04The condition I have is hypertrophic cardiomyopathy,
3:06:04 > 3:06:08which is an enlarged heart.
3:06:08 > 3:06:10It means I struggle to do normal things, - walk,
3:06:10 > 3:06:13I can't do any sporting activities, lifting heavy objects
3:06:13 > 3:06:16obviously puts a big strain on the heart.
3:06:16 > 3:06:19It makes me feel extremely useless.
3:06:19 > 3:06:24I've had some very dark moments over the last couple of years,
3:06:24 > 3:06:27so I'd like to, yeah, get back to leading
3:06:27 > 3:06:30a normal fit and healthy life.
3:06:30 > 3:06:34But before surgery could start, Patrick needed some tests.
3:06:34 > 3:06:36They wanted to check out my arteries,
3:06:36 > 3:06:40so they sent me down for a cardio angiogram in the morning.
3:06:40 > 3:06:43So after having the angiogram and some drugs, I was very...
3:06:43 > 3:06:48I was even more relaxed and ready for the afternoon operation.
3:06:50 > 3:06:52While Patrick waited for theatre,
3:06:52 > 3:06:57in Devon, Marcus was keeping an eye out for global cyber-attacks.
3:06:59 > 3:07:04I checked the message board. There were maybe 16, 17 reports
3:07:04 > 3:07:07of different NHS, sort of, organisations being hit.
3:07:07 > 3:07:11And that was the point where I decided my holiday is over.
3:07:15 > 3:07:17By late morning, the attack had begun.
3:07:17 > 3:07:21Somehow, a worm had got into the NHS.
3:07:21 > 3:07:22And on the other side of the world,
3:07:22 > 3:07:25somebody was tracking the progress
3:07:25 > 3:07:26of the outbreak.
3:07:29 > 3:07:33Marcen Kochinski runs a cyber security firm in California.
3:07:33 > 3:07:37Their software is installed on machines across the world.
3:07:37 > 3:07:41Every time we disinfect a machine, it pings that information back
3:07:41 > 3:07:44to the labs teams. Real-time information was streaming in,
3:07:44 > 3:07:46regarding these specific attacks.
3:07:46 > 3:07:49We were able to actually create a live map,
3:07:49 > 3:07:53where the infection is spreading. Very similar to a human infection
3:07:53 > 3:07:57spreading worldwide. We were able to do that from a computer perspective.
3:07:57 > 3:07:59So, we started detecting the attack.
3:07:59 > 3:08:03Actually, our first detection was, according to this, Thursday.
3:08:03 > 3:08:06We call that, kind of, day minus one, day one.
3:08:06 > 3:08:10And one of the first computers that we disinfected was in Russia,
3:08:10 > 3:08:12which was very interesting for us to see.
3:08:17 > 3:08:19But then, you look at Friday and Saturday
3:08:19 > 3:08:22and through the rest of the weekend,
3:08:22 > 3:08:24the map just completely explodes.
3:08:24 > 3:08:28We see infections all over the world, predominantly in Europe,
3:08:28 > 3:08:32but also in the US and they do not relent.
3:08:34 > 3:08:37They were witnessing the largest and fastest-spreading outbreak
3:08:37 > 3:08:40anyone had seen in recent years.
3:08:41 > 3:08:42The threat spread so quickly
3:08:42 > 3:08:44that we actually would have to go
3:08:44 > 3:08:45down to the milliseconds
3:08:45 > 3:08:46to see when it first appeared
3:08:46 > 3:08:47in the UK.
3:08:47 > 3:08:49We think it is sometime Friday morning.
3:08:51 > 3:08:52But we really have to slow this down
3:08:52 > 3:08:55and look at the millions of data points we have here to isolate
3:08:55 > 3:08:57the day we saw it in the UK first.
3:08:58 > 3:09:01The first outbreak Marcen detected in London
3:09:01 > 3:09:05showed up in the afternoon at 18 minutes past one.
3:09:09 > 3:09:12Across the country, hospitals like this found themselves
3:09:12 > 3:09:15either in the grip of the attack or desperately trying to switch off
3:09:15 > 3:09:19systems in an attempt to prevent possible infection.
3:09:19 > 3:09:22One of London's largest, most capable hospital trusts,
3:09:22 > 3:09:24St Bartholomew's and the Royal London,
3:09:24 > 3:09:27found itself amongst the most severely affected.
3:09:27 > 3:09:30So, NHS staff put into place contingency plans,
3:09:30 > 3:09:33working tirelessly to keep everything running.
3:09:33 > 3:09:35But there were consequences.
3:09:38 > 3:09:41The surgeon, he had been to see me, to say, "Pat, I'll be with you
3:09:41 > 3:09:44"at one o'clock-ish, after I've done my rounds."
3:09:44 > 3:09:48He then came back again and said, "How are you doing? Everything OK?"
3:09:48 > 3:09:51I said, "Yeah, fine. I'm here, ready and waiting.
3:09:51 > 3:09:54"I'm not going anywhere." And he said, "Great. We're all ready.
3:09:54 > 3:09:56"Everybody is getting organised for you down in theatre.
3:09:56 > 3:09:59"The team are there, they are looking forward to meeting you."
3:09:59 > 3:10:01This was 10 o'clock, 12 o'clock
3:10:01 > 3:10:02and then, at half past one,
3:10:02 > 3:10:09he turned up again and looked very, yeah, forlorn
3:10:09 > 3:10:12and very sorry. And that was when he then told me
3:10:12 > 3:10:14that he couldn't do the operation.
3:10:15 > 3:10:18With computer systems down, the surgeon was unable to access
3:10:18 > 3:10:21Patrick's angiogram and blood results.
3:10:21 > 3:10:24Without them, the operation could not go ahead.
3:10:25 > 3:10:29I was numb. It is the only way I can describe it.
3:10:29 > 3:10:32Yeah, I just felt nothing. I was absolutely...
3:10:32 > 3:10:35I couldn't believe it. I was just absolutely flabbergasted.
3:10:39 > 3:10:41It wasn't until the Monday, really,
3:10:41 > 3:10:45that the realisation of "What do I do?"
3:10:45 > 3:10:48I didn't have any idea as to whether I'd have to wait another year
3:10:48 > 3:10:52for the operation. There was just no information available.
3:10:52 > 3:10:54It's very frustrating.
3:10:54 > 3:10:58Speak to my wife, she will tell you how grumpy I have been
3:10:58 > 3:11:01since the operation was cancelled. Not having a date,
3:11:01 > 3:11:06something to aim for. So it was extremely, extremely frustrating.
3:11:09 > 3:11:11This is what makes me angriest about this whole thing.
3:11:11 > 3:11:15This cyber attack isn't about an abstract piece of technology,
3:11:15 > 3:11:17it's not about ransoms or ransomware.
3:11:17 > 3:11:21It's not about firewalls or patches. It's about people and their lives
3:11:21 > 3:11:24and how it affects them. It is about being forced, as a doctor,
3:11:24 > 3:11:27to look someone like Patrick in the eye and to let him down
3:11:27 > 3:11:29at the worst possible moment.
3:11:32 > 3:11:33And Patrick wasn't alone.
3:11:33 > 3:11:36The cyber attack had become national news.
3:11:36 > 3:11:40The NHS is the victim of a major cyber attack.
3:11:40 > 3:11:44At least 25 hospital trusts and GP surgeries have been affected.
3:11:44 > 3:11:47Routine operations at some hospitals are being cancelled,
3:11:47 > 3:11:50ambulances diverted and patients sent home.
3:11:53 > 3:11:55I went out to lunch. I got back.
3:11:55 > 3:12:00I then saw lots of reports from different sectors of the NHS.
3:12:00 > 3:12:02They were all just simultaneously saying, "We're being hit."
3:12:06 > 3:12:08I thought, "This one thing is hitting all these sectors,
3:12:08 > 3:12:10"so it's got to be something pretty big",
3:12:10 > 3:12:12so I went and I looked into it.
3:12:15 > 3:12:17I asked a friend of mine in the industry if he had a sample
3:12:17 > 3:12:19of the actual malware that was going around
3:12:19 > 3:12:21and he sent it to me.
3:12:21 > 3:12:24I use virtualisation software, which basically makes a computer
3:12:24 > 3:12:28within your computer, so that it wouldn't affect me
3:12:28 > 3:12:29and I saw what it did.
3:12:33 > 3:12:34Marcus wasn't alone.
3:12:36 > 3:12:39Cal, too, set to work examining the malware.
3:12:41 > 3:12:45I wanted to find out from him what made this cyber attack
3:12:45 > 3:12:46so ruthlessly effective.
3:12:49 > 3:12:51So, what we've got is a machine
3:12:51 > 3:12:54that is going to effectively act as patient zero.
3:12:54 > 3:12:58We've got a second machine to reconstruct how this
3:12:58 > 3:13:03particular variant of WannaCry spreads across multiple machines.
3:13:03 > 3:13:08In here is what I have dubbed, "The internet in a box."
3:13:08 > 3:13:12To make the malware reveal itself, we have to make it believe
3:13:12 > 3:13:15these computers are connected to the real internet
3:13:15 > 3:13:20and this box provide the necessary dummy signals, whilst protecting
3:13:20 > 3:13:21the outside world from harm.
3:13:22 > 3:13:27What we're going to do now is run the WannaCry ransomware.
3:13:32 > 3:13:33There you go.
3:13:33 > 3:13:34And that's the screen of doom.
3:13:36 > 3:13:39- So, this is this machine out of action.- Exactly.
3:13:44 > 3:13:45With the files locked up,
3:13:45 > 3:13:47the clock is ticking.
3:13:49 > 3:13:51But as the victim decides whether or not to pay,
3:13:51 > 3:13:53the malware is already planning its next attacks.
3:13:55 > 3:13:57This particular strain has two components.
3:13:57 > 3:13:59It has the ransomware itself,
3:13:59 > 3:14:01which is what we see here, and it has the worm component,
3:14:01 > 3:14:05which was taken from Eternal Blue,
3:14:05 > 3:14:09which is a government weapons-grade exploit.
3:14:09 > 3:14:12This machine here is actually giving us a bit of insight.
3:14:12 > 3:14:15And what this is showing us is that it is trying
3:14:15 > 3:14:17to spread across the network.
3:14:17 > 3:14:21You don't really think about it, do you? All the output from
3:14:21 > 3:14:23a machine isn't just what you see on your screen.
3:14:23 > 3:14:26- There is a lot of silent chatter going on in the background.- Exactly.
3:14:26 > 3:14:29If you imagine a big room of people and you shout out, "Who's here?!"
3:14:29 > 3:14:31And everyone puts their hand up. That is effectively what
3:14:31 > 3:14:34these machines are doing. It shouts out and says, "Who's here?!"
3:14:34 > 3:14:38and then, the machines reply. What it then tries to do is it hit
3:14:38 > 3:14:42each of those machines with this payload. This worm is now spreading
3:14:42 > 3:14:45out across the network and in an instance where you have got...
3:14:45 > 3:14:50- There we go.- And as you can see, it's now spread onto this machine.
3:14:54 > 3:14:58Eternal Blue had been expertly designed to silently move
3:14:58 > 3:15:03from one machine to another across a local area network or LAN.
3:15:03 > 3:15:07Groups of computers joined together inside a business or a hospital.
3:15:09 > 3:15:12With the LAN infected, it spread to the internet.
3:15:16 > 3:15:20If you imagine you have got your big internet cloud down here
3:15:20 > 3:15:23and each dot represents a machine and there is billions
3:15:23 > 3:15:27of these machines, OK? And what it does is
3:15:27 > 3:15:30the attack will make a direct connection to your machine
3:15:30 > 3:15:35and if you are exposing this port to the internet, someone could
3:15:35 > 3:15:41infect your machine without needing to have local access to it
3:15:41 > 3:15:43or be on the same network.
3:15:43 > 3:15:47What is even more disturbing from there is,
3:15:47 > 3:15:51if you look at the research tools that actually analyse the internet,
3:15:51 > 3:15:54you can go and query today, right now, how many of these machines
3:15:54 > 3:15:57on the internet have got this vulnerable service open.
3:15:57 > 3:16:00Through the internet, anyone can go and try and exploit them
3:16:00 > 3:16:03and there are hundreds and hundreds and hundreds of thousands
3:16:03 > 3:16:05of these machines.
3:16:07 > 3:16:09The malware sought out these weaknesses
3:16:09 > 3:16:11and wormed its way into all manner of networks.
3:16:11 > 3:16:16From companies like Nissan in the UK to Renault in France,
3:16:16 > 3:16:20from a postal service in Russia to a German railway operator.
3:16:24 > 3:16:29And to be clear, this does not depend upon any human interaction?
3:16:29 > 3:16:34It's automatic propagation. There is no human interaction here required
3:16:34 > 3:16:39at all. And that is why the ransomware itself was
3:16:39 > 3:16:43relatively low-key, to be fair. There wasn't anything particularly
3:16:43 > 3:16:47special about it, but when combined with
3:16:47 > 3:16:53a government weapons-grade exploit, the impact has been devastating.
3:16:57 > 3:17:01No-one needed to click on a link or open a dodgy e-mail.
3:17:01 > 3:17:04The worm spread all by itself,
3:17:04 > 3:17:08exploding across networks in a matter of hours.
3:17:20 > 3:17:24Across the country, the surprisingly virulent attack meant that
3:17:24 > 3:17:26several hospitals were beginning to struggle.
3:17:26 > 3:17:29And wherever the ransomware was found, they would switch off
3:17:29 > 3:17:32machines in an attempt to contain the outbreak.
3:17:32 > 3:17:36Nevertheless, some of those networks went dark.
3:17:36 > 3:17:38Now, even that was not a complete disaster,
3:17:38 > 3:17:40because in the NHS, we have contingency plans
3:17:40 > 3:17:43for almost every conceivable emergency,
3:17:43 > 3:17:46from power outages, terrorist attacks,
3:17:46 > 3:17:48even a cyber attack of this kind.
3:17:52 > 3:17:56So, what was it that forced some accident and emergency departments
3:17:56 > 3:18:00to close their doors that day? A&E relies upon support
3:18:00 > 3:18:05from state-of-the-art technologies and specialities.
3:18:05 > 3:18:08And these were some of the hardest hit,
3:18:08 > 3:18:11among them, doctors and their systems in radiology.
3:18:11 > 3:18:14It is packed with the latest kit.
3:18:14 > 3:18:19X-rays, MRI scanners and CT machines that allow doctors
3:18:19 > 3:18:23to investigate the hidden extent of injury inside the body.
3:18:23 > 3:18:26When time is critical, such as with a stroke,
3:18:26 > 3:18:30radiologists like Navin Ramachandran help us to make quick, accurate,
3:18:30 > 3:18:32life-saving decisions.
3:18:34 > 3:18:36When a patient comes in,
3:18:36 > 3:18:38they turn up with typical symptoms,
3:18:38 > 3:18:41you can see they may not be able to feel an area, they may not be able
3:18:41 > 3:18:42an area, they may not
3:18:42 > 3:18:44be able to speak. That gives us an idea that there is something
3:18:44 > 3:18:47going on in the brain, but it doesn't necessarily tell us
3:18:47 > 3:18:49what the underlying cause is.
3:18:49 > 3:18:51So, it could be, if we look at this case,
3:18:51 > 3:18:56where a vessel to a part of the brain has got blocked off
3:18:56 > 3:18:59by a clot and that area is the part that has been
3:18:59 > 3:19:02- deprived of blood currently. - The treatment is to give
3:19:02 > 3:19:04a clot-busting drug as fast as possible,
3:19:04 > 3:19:08but there is jeopardy involved. You have to be sure precisely
3:19:08 > 3:19:10what type of stroke you're dealing with.
3:19:11 > 3:19:14The one thing you have to be aware of is that, once in a while,
3:19:14 > 3:19:16patients that come in with exactly the same symptoms,
3:19:16 > 3:19:19they are getting the same symptoms not because of the blocked vessel,
3:19:19 > 3:19:22but because of a bleeding vessel. In this case, this vessel
3:19:22 > 3:19:26has bled. With this patient, if you give them the clot-busting drug,
3:19:26 > 3:19:30that is catastrophic and can lead to death.
3:19:30 > 3:19:33And these two patients would look very similar at presentation?
3:19:33 > 3:19:36Without doing these scans, you really wouldn't know the difference?
3:19:36 > 3:19:39Exactly. The only thing that makes it possible is having access
3:19:39 > 3:19:42to these scans, to allow others to triage people into the right
3:19:42 > 3:19:45- treatment pathway. - The same is true for the whole
3:19:45 > 3:19:49of emergency medicine, from car accidents to cancer.
3:19:49 > 3:19:51Radiology is an essential front line asset.
3:19:53 > 3:19:55The whole department relies on computers.
3:19:55 > 3:19:58They run the scanning machines, display the images
3:19:58 > 3:20:00and send them on to doctors in A&E.
3:20:01 > 3:20:03If these computers were infected,
3:20:03 > 3:20:08hospital managers would have little choice but to close A&E.
3:20:08 > 3:20:09It simply wouldn't be safe to stay open.
3:20:11 > 3:20:14We were very lucky in that it didn't hit our services at all.
3:20:14 > 3:20:18We have had fully digital systems for over 10-15 years,
3:20:18 > 3:20:21whereas most of the rest of the hospital still uses paper.
3:20:21 > 3:20:23But we were completely unaffected.
3:20:23 > 3:20:25No change to the day.
3:20:25 > 3:20:30Some hospitals, like mine, UCLH, got away unscathed,
3:20:30 > 3:20:33but for those unlucky enough to be affected,
3:20:33 > 3:20:36there was still enough flex in the system to compensate.
3:20:36 > 3:20:38Nevertheless, patients were on the move,
3:20:38 > 3:20:41being transferred from hospital to hospital.
3:20:44 > 3:20:47The infection continued to spread
3:20:47 > 3:20:51and began to show up in GP surgeries across the country.
3:21:00 > 3:21:03So, this is one of the consulting rooms we are going into now.
3:21:03 > 3:21:07Dr George Farrelly is a GP working at a surgery in Tower Hamlets.
3:21:07 > 3:21:10This is our standard desktop PC and so on.
3:21:10 > 3:21:12Each consulting room has one of these.
3:21:15 > 3:21:17We have 15 machines. We do consultations with this.
3:21:17 > 3:21:21We access people's notes, we are able to make appointments,
3:21:21 > 3:21:24we send prescriptions to the chemist and plan care.
3:21:27 > 3:21:28So, this is our reception area.
3:21:31 > 3:21:36A lot happens here. This is like the information hub of the practice.
3:21:36 > 3:21:39We take our computer system a little bit for granted, I think,
3:21:39 > 3:21:40and only realised
3:21:40 > 3:21:43how reliant we are on it when we lose it.
3:21:51 > 3:21:53On Friday, 12th of May, we got a phone call
3:21:53 > 3:21:56from a neighbouring practice and they told us that they had been hit
3:21:56 > 3:21:59by some virus.
3:21:59 > 3:22:03So, we printed out the appointment for that day,
3:22:03 > 3:22:05which would give us some information, just in case
3:22:05 > 3:22:06we had the same problem.
3:22:10 > 3:22:14I was in a meeting with some colleagues discussing patients
3:22:14 > 3:22:19and the PC we were using suddenly blanked out.
3:22:23 > 3:22:27We had to shut all our computers down, to hopefully stop any more
3:22:27 > 3:22:30of them becoming infected.
3:22:30 > 3:22:31It was complete paralysis.
3:22:33 > 3:22:37Along with the hospitals, some GP surgeries were now struggling, too.
3:22:38 > 3:22:43They connect with the rest of the NHS via a network known as N3.
3:22:45 > 3:22:48N3 is the NHS's national broadband network,
3:22:48 > 3:22:51connecting all NHS locations
3:22:51 > 3:22:54and its 1.3 million employees across England.
3:22:56 > 3:22:58It's one of the largest networks in Europe,
3:22:58 > 3:23:01with in excess of 51,000 connections.
3:23:03 > 3:23:05N3 allows us to communicate with our colleagues
3:23:05 > 3:23:07who we share care with other people.
3:23:07 > 3:23:11For example, when we send e-mails to each other
3:23:11 > 3:23:14from our NHS net e-mail account, it's more secure.
3:23:14 > 3:23:19Our security antivirus and so on is done centrally,
3:23:19 > 3:23:21it's not something we worry about.
3:23:21 > 3:23:23We never have to do patches ourselves.
3:23:27 > 3:23:30They didn't know it at the time,
3:23:30 > 3:23:34but the N3 network was actually unaffected.
3:23:34 > 3:23:38However, Windows 7 machines without the patch WERE going down.
3:23:39 > 3:23:42So some teams disconnected their computers...
3:23:43 > 3:23:46..cutting off access to essential clinical systems,
3:23:46 > 3:23:48deepening the disruption.
3:23:50 > 3:23:52The people who've done this
3:23:52 > 3:23:54don't understand the implications of what they're doing.
3:23:55 > 3:23:58They hadn't thought them through.
3:23:58 > 3:24:01My guess is their project is to make money
3:24:01 > 3:24:04and they just send this stuff out and it lands wherever it lands
3:24:04 > 3:24:06and they don't give any thought to it.
3:24:10 > 3:24:13What they DID give some thought to is how they got paid.
3:24:16 > 3:24:19With the ransomware hitting thousands of computers,
3:24:19 > 3:24:23the hackers needed a secure, globally accepted form of payment
3:24:23 > 3:24:25that ideally would be untraceable.
3:24:27 > 3:24:30They decided to use Bitcoin -
3:24:30 > 3:24:34an entirely electronic form of so-called cryptocurrency.
3:24:36 > 3:24:38I've never used Bitcoin.
3:24:39 > 3:24:42But it's easy enough to buy some on a phone.
3:24:43 > 3:24:46And once loaded, you can spend it in all manner of places.
3:24:52 > 3:24:55- So, can I get a flat white and a mint tea, please?- Sure.
3:24:55 > 3:24:59I've come to a cafe in east London to meet Sarah Meiklejohn,
3:24:59 > 3:25:01an expert in Bitcoin,
3:25:01 > 3:25:05to find out why it's such an attractive currency for hackers.
3:25:07 > 3:25:11- Perfect. Can I pay with Bitcoin? - Sure.
3:25:11 > 3:25:15- OK. And I just... - £3.50, please. You just scan this.
3:25:15 > 3:25:17OK, I'll lean over and scan that.
3:25:18 > 3:25:22- That's it.- And it's as easy as that. - That's it.
3:25:22 > 3:25:24- Perfect, thank you very much. - Thank you.- Thank you.
3:25:24 > 3:25:25Marvellous, right.
3:25:27 > 3:25:29Explain to me, then, as a complete non-initiate,
3:25:29 > 3:25:32what Bitcoin is and how it works.
3:25:32 > 3:25:36Right, so, Bitcoin is basically a purely digital form of currency.
3:25:36 > 3:25:40So it's just a currency, like the dollar, the pound.
3:25:40 > 3:25:44The main differences are that it's not backed by any government,
3:25:44 > 3:25:47there's no central bank involved in generating Bitcoins
3:25:47 > 3:25:50and you don't need a bank account to use it.
3:25:50 > 3:25:52If I want to use Bitcoin, you know,
3:25:52 > 3:25:54I want to send people Bitcoins,
3:25:54 > 3:25:56I'm going to download a piece of software,
3:25:56 > 3:25:57and in doing that,
3:25:57 > 3:26:00I'm going to join Bitcoin's peer-to-peer network.
3:26:00 > 3:26:04So this network is basically collectively responsible for
3:26:04 > 3:26:06playing all the traditional roles
3:26:06 > 3:26:08that we're used to in traditional banking.
3:26:08 > 3:26:11The recent WannaCry attack, which affected many organisations,
3:26:11 > 3:26:14including the National Health Service,
3:26:14 > 3:26:19was conducted using Bitcoin as the currency of ransom.
3:26:19 > 3:26:21Why did they use Bitcoin?
3:26:21 > 3:26:24Opening a Bitcoin wallet, saying we're open for business,
3:26:24 > 3:26:27we can accept Bitcoins, takes very little time and effort,
3:26:27 > 3:26:31and then getting paid in Bitcoin equally takes very little effort.
3:26:31 > 3:26:34If I want to pay someone on the other side of the world,
3:26:34 > 3:26:35I can do that using Bitcoin
3:26:35 > 3:26:38and they'll get the payment instantaneously.
3:26:39 > 3:26:43It's the convenience and speed that makes it easy for hackers
3:26:43 > 3:26:44to gather their ransom.
3:26:44 > 3:26:49But as cyber security expert Mikko Hypponen explains,
3:26:49 > 3:26:53Bitcoin also offers a certain level of anonymity.
3:26:55 > 3:26:57The only thing we can see is that someone is sending money
3:26:57 > 3:27:01from one address to another address, and these addresses are
3:27:01 > 3:27:04these long lists of numbers and letters which look really random.
3:27:04 > 3:27:09They are tied to a user, but we have no idea who these users are.
3:27:09 > 3:27:13What was invented to ensure an individual's privacy
3:27:13 > 3:27:16had unforeseen consequences.
3:27:16 > 3:27:21So we very quickly started seeing Bitcoin being used in online crime.
3:27:21 > 3:27:23First, in online drug trade,
3:27:23 > 3:27:25cos when you're buying illegal drugs online,
3:27:25 > 3:27:27you don't want to use your credit card
3:27:27 > 3:27:31because the credit card will lead back to you and Bitcoins don't.
3:27:31 > 3:27:35And then we started seeing ransom attacks.
3:27:35 > 3:27:37Ransomware has been around for years and years,
3:27:37 > 3:27:39way before Bitcoin.
3:27:39 > 3:27:41But the megatrend which really made ransomware
3:27:41 > 3:27:44such a big problem is cryptocurrencies, like Bitcoin.
3:27:44 > 3:27:48By allowing transactions to take place between pseudonyms
3:27:48 > 3:27:50rather than real identities,
3:27:50 > 3:27:53Bitcoin became the go-to currency for cyber crime.
3:27:56 > 3:28:00But it turns out that the details of Bitcoin's original design
3:28:00 > 3:28:03could, for some criminals, actually be their undoing.
3:28:05 > 3:28:09Bitcoin was invented by a figure called Satoshi Nakamoto
3:28:09 > 3:28:11around six years ago.
3:28:11 > 3:28:14It's based on an innovation called blockchain,
3:28:14 > 3:28:19and blockchain basically means a public ledger of transactions.
3:28:20 > 3:28:23When a transaction is made between two Bitcoin users,
3:28:23 > 3:28:27the details of that transaction are locked into a permanent ledger,
3:28:27 > 3:28:30known as the blockchain.
3:28:31 > 3:28:35And the blockchain data isn't kept on a single computer or server -
3:28:35 > 3:28:38it's distributed across the entire network.
3:28:40 > 3:28:43Which means, even if an individual machine goes down,
3:28:43 > 3:28:45it can never be erased.
3:28:47 > 3:28:51So the entire history of every Bitcoin transaction
3:28:51 > 3:28:55is accessible to all users now and for ever.
3:28:56 > 3:28:57Until this point,
3:28:57 > 3:29:00what I understood by Bitcoin was that it was fully anonymous
3:29:00 > 3:29:03and therefore it's the perfect currency
3:29:03 > 3:29:06in which the underworld can operate.
3:29:06 > 3:29:07Is that not true?
3:29:07 > 3:29:09No, it's definitely not true.
3:29:09 > 3:29:13Bitcoin exchanges are what's responsible for trading Bitcoin
3:29:13 > 3:29:16with traditional, government-backed currencies.
3:29:16 > 3:29:19But the second you send your Bitcoins to this exchange,
3:29:19 > 3:29:24you've created a link between your activities in the Bitcoin network
3:29:24 > 3:29:27and your identity as a real person.
3:29:27 > 3:29:30The second I know that a given pseudonym
3:29:30 > 3:29:32belongs to a criminal or belongs to anyone,
3:29:32 > 3:29:36I can then start trying to understand what that user
3:29:36 > 3:29:37has done with that money.
3:29:37 > 3:29:39We've seen in the past
3:29:39 > 3:29:41that attackers have stolen Bitcoins
3:29:41 > 3:29:44and then they've sat on them for years,
3:29:44 > 3:29:47probably because they don't really know what to do with them next.
3:29:47 > 3:29:49Attribution is hard,
3:29:49 > 3:29:51this could have been anybody in the world
3:29:51 > 3:29:52carrying out this attack.
3:29:52 > 3:29:54If you're looking for my opinion,
3:29:54 > 3:29:56it's some script kiddie in a basement somewhere,
3:29:56 > 3:29:58not a government agency.
3:29:58 > 3:30:00And if he's got any sense whatsoever,
3:30:00 > 3:30:04he'll take his hard disk, smash it up with a sledgehammer
3:30:04 > 3:30:06and burn it in a bonfire.
3:30:06 > 3:30:08And he will not, whatever he does,
3:30:08 > 3:30:11go and try spend of those Bitcoins that ended up in his wallets,
3:30:11 > 3:30:14cos if he does, there's quite a number of governments
3:30:14 > 3:30:16would like to offer him some hospitality
3:30:16 > 3:30:18for quite a long period of his life.
3:30:23 > 3:30:26As the ransomware continued to spread,
3:30:26 > 3:30:29thousands of people faced the same dilemma -
3:30:29 > 3:30:32should they pay the ransom or not?
3:30:34 > 3:30:38It's a question that Moti Cristal has given a lot of thought.
3:30:44 > 3:30:47I'm a negotiator, by profession.
3:30:47 > 3:30:49I started my career in the political negotiations
3:30:49 > 3:30:51between Israel and the Arab world.
3:30:51 > 3:30:53And later on, I do hostage negotiations
3:30:53 > 3:30:55in high-intensity conflicts.
3:31:02 > 3:31:04In a hostage situation, you negotiate with a person
3:31:04 > 3:31:07but if you have the opportunity
3:31:07 > 3:31:11to talk him to come to the window and then shoot him in the head
3:31:11 > 3:31:14because he just killed three kids, you will do it,
3:31:14 > 3:31:17and without any moral hesitation.
3:31:17 > 3:31:21But in the cyber world, you cannot do that.
3:31:21 > 3:31:24The reliance on talk is
3:31:24 > 3:31:27significantly more important.
3:31:27 > 3:31:30Extortionists, like the people behind WannaCry,
3:31:30 > 3:31:35are increasingly abandoning the real world and moving online.
3:31:35 > 3:31:38It's lower risk and more profitable.
3:31:38 > 3:31:40But whilst the setting may have changed,
3:31:40 > 3:31:43Moti's job remains the same,
3:31:43 > 3:31:47and much of his work is now in cyber crime.
3:31:47 > 3:31:50There's always a human being behind the keyboard.
3:31:50 > 3:31:53So at the end of this ransomware attack,
3:31:53 > 3:31:57there are people that have feelings,
3:31:57 > 3:32:00logics, emotions...
3:32:00 > 3:32:02There's always a human being
3:32:02 > 3:32:05to whom you can, and you should try to, connect.
3:32:08 > 3:32:12No-one has been able to reach out to those behind WannaCry.
3:32:12 > 3:32:14But perhaps Moti can help shed light
3:32:14 > 3:32:18on how these criminal organisations think.
3:32:18 > 3:32:21In October 2015, he was called in
3:32:21 > 3:32:23to negotiate for a financial institution
3:32:23 > 3:32:26that had been attacked by another piece of malware.
3:32:27 > 3:32:30The hackers attempted to portray themselves
3:32:30 > 3:32:34as an arm of the Russian state, APT28.
3:32:36 > 3:32:38Moti reached out to them.
3:32:40 > 3:32:42You know, I teased them.
3:32:42 > 3:32:45I said, "Are you really APT28,
3:32:45 > 3:32:48"the Russian...proclaimed Russian team?"
3:32:48 > 3:32:49"Yes, correct."
3:32:49 > 3:32:52And I said, "If you are APT28,
3:32:52 > 3:32:58"why you start to do this low stuff of extortion
3:32:58 > 3:33:02"instead of the very fascinating cool government stuff?"
3:33:03 > 3:33:06Through this kind of engagement, over many months,
3:33:06 > 3:33:10Moti created a dialogue with the attackers.
3:33:10 > 3:33:12We already start moving towards a deal
3:33:12 > 3:33:14and they write to me.
3:33:14 > 3:33:17"The way we can do it..."
3:33:17 > 3:33:19Pay attention to the language -
3:33:19 > 3:33:22"the way WE can do it," we're already a team.
3:33:22 > 3:33:24"..is two equal payments.
3:33:24 > 3:33:29"After the first one, we tell you exactly how you were breached
3:33:29 > 3:33:32"and which systems are most vulnerable."
3:33:32 > 3:33:34So suddenly, after the first payment,
3:33:34 > 3:33:38they start actually to be my consultant, my advisers.
3:33:38 > 3:33:41They start to tell me how my system was breached,
3:33:41 > 3:33:43which is very valuable information.
3:33:43 > 3:33:46"This is something we never do.
3:33:46 > 3:33:50"But consider it as a gesture..."
3:33:50 > 3:33:52And then I immediately reply,
3:33:52 > 3:33:56"I never recommend moving forward
3:33:56 > 3:33:58"based on a virtual contract,"
3:33:58 > 3:33:59I'm telling them.
3:33:59 > 3:34:03"But with you, I feel we have this otnoshenya."
3:34:03 > 3:34:05The Russian word for relationship.
3:34:05 > 3:34:08To signal them that, "we are on the same page,
3:34:08 > 3:34:10"I do appreciate this."
3:34:11 > 3:34:15Though the ransom was paid, by negotiating with the hackers,
3:34:15 > 3:34:20Moti successfully ensured that the company's data were not released.
3:34:22 > 3:34:25But for those facing the ransom on the 12th of May attack,
3:34:25 > 3:34:28was paying the right thing to do?
3:34:28 > 3:34:32There are several costs involved when you pay the ransomware.
3:34:32 > 3:34:33And I do think, most important,
3:34:33 > 3:34:35is that you feel bad
3:34:35 > 3:34:38that, actually, you surrendered
3:34:38 > 3:34:40to this type of criminal.
3:34:40 > 3:34:43So if you pay, you feel bad.
3:34:44 > 3:34:46And there's another risk to paying.
3:34:46 > 3:34:49You open yourself up to further cyber attacks.
3:34:49 > 3:34:51I do believe, in the darknet,
3:34:51 > 3:34:53dark in the darknet,
3:34:53 > 3:34:55people do exchange lists
3:34:55 > 3:34:56of people who paid.
3:34:56 > 3:34:58Why? Because that's, again,
3:34:58 > 3:34:59a human pattern.
3:34:59 > 3:35:03If you've paid once, you might pay again and again.
3:35:13 > 3:35:17Ransoms paid in Bitcoin, hostage negotiators...
3:35:17 > 3:35:19It's all fine if you're a high-net-worth individual
3:35:19 > 3:35:21or a private mega-corporation,
3:35:21 > 3:35:24but none of that is going to work in the NHS.
3:35:24 > 3:35:25Even if it could pay -
3:35:25 > 3:35:27which it can't, because there's no money -
3:35:27 > 3:35:29it wouldn't be allowed to pay.
3:35:29 > 3:35:32The best you can hope for in that situation as a hacker
3:35:32 > 3:35:35is that you don't inadvertently kill somebody
3:35:35 > 3:35:38and, instead of the local cyber crime division,
3:35:38 > 3:35:41suddenly find the murder squad kicking down your front door.
3:35:43 > 3:35:45Those hospitals and GPs that had been infected
3:35:45 > 3:35:48had no option but to keep their computers off
3:35:48 > 3:35:51and hope that something could stop the spread.
3:35:53 > 3:35:56And incredibly, an answer was found,
3:35:56 > 3:35:59thanks to a bit of luck and Marcus's inquisitive nature.
3:36:06 > 3:36:07By late afternoon,
3:36:07 > 3:36:10he'd spotted something curious in the malware's code.
3:36:10 > 3:36:14It was trying to connect to one specific web address.
3:36:14 > 3:36:16A domain.
3:36:18 > 3:36:20I saw this domain was not registered,
3:36:20 > 3:36:24so my first idea was to just go and reserve it, just in case.
3:36:24 > 3:36:29By registering it, we could track the infection across the globe.
3:36:29 > 3:36:31Straight after registering the domain,
3:36:31 > 3:36:33we were seeing thousands of queries per second.
3:36:33 > 3:36:38Maybe 100,000 unique infections within the first hour.
3:36:38 > 3:36:40It was sort of, like, a bingo moment.
3:36:41 > 3:36:45He didn't yet realise it, but by registering the domain,
3:36:45 > 3:36:47at a cost of just 10,
3:36:47 > 3:36:49Marcus wasn't just tracking the infection -
3:36:49 > 3:36:52he was also preventing it from spreading.
3:36:52 > 3:36:55The plan was to track it and then look for a way to stop it,
3:36:55 > 3:36:58but it actually turned out the tracking it was stopping it.
3:37:02 > 3:37:05It was like finding a vaccine.
3:37:05 > 3:37:09For now, WannaCry could do no further damage.
3:37:11 > 3:37:13The NHS didn't realise it yet
3:37:13 > 3:37:16and were still relying on emergency systems,
3:37:16 > 3:37:19but the cyber attack was over,
3:37:19 > 3:37:22the malware defeated.
3:37:22 > 3:37:25"Kill switch" was, sort of, the term the media ran with.
3:37:25 > 3:37:27It sort of makes a lot of sense, cos it is a kill switch.
3:37:27 > 3:37:28It stops the malware.
3:37:28 > 3:37:31It seems silly that simply registering a domain
3:37:31 > 3:37:34would stop a global cyber attack, but it happened.
3:37:35 > 3:37:38In the days following the cyber attack,
3:37:38 > 3:37:40the NHS slowly came back online.
3:37:40 > 3:37:43Machines were given the patch,
3:37:43 > 3:37:47backup data was used to restore the encrypted files,
3:37:47 > 3:37:49and news of Marcus's cure spread.
3:37:49 > 3:37:51Well, as we've been hearing,
3:37:51 > 3:37:54the global cyber attack was halted almost by accident.
3:37:54 > 3:37:57It was a 22-year-old in the UK who checked the code
3:37:57 > 3:38:01and found a reference to an unregistered website name.
3:38:01 > 3:38:03With systems restored,
3:38:03 > 3:38:06Patrick finally got the news he was waiting for.
3:38:06 > 3:38:10I'd gone back to work, then I had a phone call to say
3:38:10 > 3:38:15that they had managed to get an operation date for me
3:38:15 > 3:38:18for next week, which...
3:38:18 > 3:38:22I was with a customer and I was, yeah, absolutely delighted.
3:38:25 > 3:38:29I can't describe the people who did the ransomware.
3:38:29 > 3:38:32I'm sure that wasn't in their thought process,
3:38:32 > 3:38:36to attack individual people,
3:38:36 > 3:38:40but that's the result of exactly what's happened.
3:38:45 > 3:38:47In a detached sort of way,
3:38:47 > 3:38:50you've got to have at least a bit of respect for the malware.
3:38:50 > 3:38:52As poorly constructed as it was,
3:38:52 > 3:38:54it still did a lot of damage.
3:38:54 > 3:38:57That's not unlike a real infection.
3:38:57 > 3:38:59Real viruses have a lot of flaws,
3:38:59 > 3:39:01and yet still go on to wreak havoc.
3:39:01 > 3:39:06Like a real infection, the malware was able to hide,
3:39:06 > 3:39:07evade natural defences,
3:39:07 > 3:39:10avoid surveillance, go dormant,
3:39:10 > 3:39:11and then go on to cause
3:39:11 > 3:39:13all of that chaos.
3:39:13 > 3:39:14But like a real infection,
3:39:14 > 3:39:16there was, in the end,
3:39:16 > 3:39:17a way to fight it,
3:39:17 > 3:39:19and so the NHS survived...
3:39:20 > 3:39:21At least this time.
3:39:33 > 3:39:36WannaCry soon disappeared from the front pages,
3:39:36 > 3:39:40but at a gathering of cyber security experts
3:39:40 > 3:39:44a fortnight after the attack, it was still making waves.
3:39:47 > 3:39:50WHISPERS: This is a long-planned cyber security conference.
3:39:50 > 3:39:53It predates the NHS cyber attack by many months,
3:39:53 > 3:39:56but it's clearly dominating the agenda here.
3:39:56 > 3:39:58Every single speaker has mentioned it.
3:39:58 > 3:40:01I wanted to know why, in this country,
3:40:01 > 3:40:04it was the NHS that seemed to bear the brunt
3:40:04 > 3:40:06of the ransomware infection.
3:40:06 > 3:40:11Thank you. I'm Kevin Fong. I'm a doctor in the NHS.
3:40:11 > 3:40:16We still can't quite understand how worried we should be
3:40:16 > 3:40:19or how vulnerable we continue to be.
3:40:19 > 3:40:21We had the person responsible
3:40:21 > 3:40:23for one of the trusts
3:40:23 > 3:40:27talking about her experiences and day-to-day life
3:40:27 > 3:40:29of running IT in the NHS.
3:40:29 > 3:40:34It really stuck with me and resonated that, actually,
3:40:34 > 3:40:39the amount of budget that she had to protect the IT
3:40:39 > 3:40:40was vanishingly small.
3:40:40 > 3:40:44They have one support person for 1,000 machines
3:40:44 > 3:40:45and things like that.
3:40:45 > 3:40:49That's just not a sustainable investment.
3:40:49 > 3:40:51I think the NHS really does need to think about
3:40:51 > 3:40:53its balance of investment.
3:40:53 > 3:40:55It must put more money into this.
3:40:55 > 3:41:01It's always a hard trade-off, to think patients versus IT,
3:41:01 > 3:41:04you know, but actually, you've got to have that infrastructure
3:41:04 > 3:41:07to be able to do a good job on the patients, I would say.
3:41:08 > 3:41:13Spending varies across the NHS, but it's been reported that in 2015,
3:41:13 > 3:41:18seven trusts spent nothing at all on IT security.
3:41:18 > 3:41:22If this is true, surely this needs urgent attention,
3:41:22 > 3:41:26now that weaknesses have been exposed by the WannaCry attack.
3:41:26 > 3:41:29I was shocked by what happened to the NHS.
3:41:29 > 3:41:32I think the shock is more in the vulnerability of the hospitals
3:41:32 > 3:41:36than it was in the way that the attack was executed.
3:41:37 > 3:41:40We are always afraid of the next attack
3:41:40 > 3:41:42hitting critical infrastructures,
3:41:42 > 3:41:47so now health care systems were hit,
3:41:47 > 3:41:51we are afraid that the electricity, the water departments,
3:41:51 > 3:41:56you know, those types of infrastructures being hit...
3:41:56 > 3:41:59That didn't happen, but it can happen,
3:41:59 > 3:42:02so I think that this is what we're kind of waiting for.
3:42:05 > 3:42:08I think there has to be a recognition that it's not an IT
3:42:08 > 3:42:11or a computer issue, this is about everyday life now.
3:42:11 > 3:42:14In a world where everything's online and where there are ever more
3:42:14 > 3:42:19online threats and where government agencies involved in security
3:42:19 > 3:42:22are much more interested in adding to the threat level
3:42:22 > 3:42:24than in adding to the defence level,
3:42:24 > 3:42:26there's an awful lot of conflicts there
3:42:26 > 3:42:28that we're going to have to manage.
3:42:30 > 3:42:34This attack affected Russian banks, Chinese universities,
3:42:34 > 3:42:38Spanish telecoms companies, even FedEx.
3:42:38 > 3:42:41The vulnerabilities were there for all of us
3:42:41 > 3:42:44across countries and continents, private and public sector,
3:42:44 > 3:42:46all walks of life.
3:42:46 > 3:42:50The NHS was simply one in a long list of casualties.
3:42:50 > 3:42:54Collateral damage in a global cyber war.
3:42:59 > 3:43:02The new reality is that we're all at risk.
3:43:02 > 3:43:04It's not only businesses and governments -
3:43:04 > 3:43:07anyone who's connected could be a target.
3:43:10 > 3:43:14As the world of network technology gets ever more complex,
3:43:14 > 3:43:17it opens up whole new realms of vulnerability.
3:43:19 > 3:43:23It's no longer just our computers that are at risk.
3:43:23 > 3:43:26Our homes and offices are now filled with devices
3:43:26 > 3:43:29that are online and ripe for hacking.
3:43:30 > 3:43:35- Which one are you pinning our hopes on being...?- The... Yeah, that one.
3:43:35 > 3:43:38Ken Munro leads a team of ethical hackers
3:43:38 > 3:43:42that test the security of internet-enabled household devices,
3:43:42 > 3:43:44the so-called internet of things,
3:43:44 > 3:43:46to find out where their weak spots are
3:43:46 > 3:43:48and to see how much havoc they could wreak.
3:43:48 > 3:43:52This is kind of the most fundamental aspect of hacking.
3:43:52 > 3:43:56You're in there at the nitty-gritty, at the level of the circuit board.
3:43:56 > 3:43:59Yeah, so that's what's different about the internet of things.
3:43:59 > 3:44:01Unlike, say, an eCommerce site,
3:44:01 > 3:44:04which is safely hosted in a data centre on a server somewhere,
3:44:04 > 3:44:07with the internet of things, you can go and buy the kit,
3:44:07 > 3:44:08you can dismantle it.
3:44:08 > 3:44:12You can find the chips and the hardware and then connect to it.
3:44:12 > 3:44:13So literally put logic probes,
3:44:13 > 3:44:15electric wires onto the circuit cables
3:44:15 > 3:44:18and then pull off the software and reverse-engineer
3:44:18 > 3:44:20how it works from 1s and 0s.
3:44:20 > 3:44:23Once you've got that, you can find security flaws.
3:44:25 > 3:44:30As Ken discovered, some devices are far easier to hack than others.
3:44:30 > 3:44:34This is your hackable shop of horrors.
3:44:34 > 3:44:36What have you got here?
3:44:36 > 3:44:39Probably the first one we look at, this is My Friend Cayla,
3:44:39 > 3:44:42she's an interactive kids' doll.
3:44:42 > 3:44:43She works over Bluetooth with an app,
3:44:43 > 3:44:46but the manufacturer forgot to put security
3:44:46 > 3:44:48on the Bluetooth connection, so, as a result,
3:44:48 > 3:44:50it means that someone could be sat on the street outside,
3:44:50 > 3:44:53could be listening to what's going on in the room,
3:44:53 > 3:44:54so snooping on your child,
3:44:54 > 3:44:57or potentially speaking to the child through the speaker.
3:44:57 > 3:44:58Our interest was we wanted to see
3:44:58 > 3:45:01if we could bypass her protection measures.
3:45:01 > 3:45:02You can't make her swear.
3:45:02 > 3:45:05But, of course, we discovered you could hack her,
3:45:05 > 3:45:06and she swears like a docker now.
3:45:06 > 3:45:10- RECORDED MESSAGE:- Hey, calm down or I will kick the shit out of you.
3:45:11 > 3:45:13Creepy, but it's a really serious issue.
3:45:13 > 3:45:15The German telecommunications regulator
3:45:15 > 3:45:19has now classified her as a covert bugging device
3:45:19 > 3:45:20and has banned her.
3:45:20 > 3:45:22It's illegal to own her in Germany now.
3:45:22 > 3:45:25All right, OK. So this is a wireless kettle,
3:45:25 > 3:45:29but I don't actually care if someone hacks my kettle.
3:45:29 > 3:45:31I mean, what can they possibly do with that?
3:45:31 > 3:45:32This is a Wi-Fi kettle, though.
3:45:32 > 3:45:35How else would you boil a kettle from the car home?
3:45:37 > 3:45:39So this is the scary bit. This is the Wi-Fi Module.
3:45:39 > 3:45:42We're going to show you how we managed to hack that.
3:45:42 > 3:45:44Imagine I'm outside your house.
3:45:44 > 3:45:46If I want to get your Wi-Fi key from your kettle,
3:45:46 > 3:45:47it's really surprisingly easy.
3:45:47 > 3:45:49All I need to do, I'm going to connect to it.
3:45:49 > 3:45:51I need to put a password in.
3:45:51 > 3:45:53You think, "Password - great security."
3:45:53 > 3:45:55Unfortunately, the password on these kettles is,
3:45:55 > 3:45:57believe it or not, six zeros.
3:45:57 > 3:45:59Once I connect to it, all I have to do is send one command,
3:45:59 > 3:46:02- and I can retrieve your wireless network encryption key.- No!
3:46:02 > 3:46:05That's the key that secures all of your traffic on your Wi-Fi network.
3:46:05 > 3:46:08So if I was a malicious hacker on your network,
3:46:08 > 3:46:12I can now intercept everything you do on your home wireless network.
3:46:12 > 3:46:15Online banking, your social media -
3:46:15 > 3:46:17everything you do, we can see,
3:46:17 > 3:46:19because we've got your wireless network key.
3:46:19 > 3:46:21I can see a thermostat over here.
3:46:21 > 3:46:24I think I have something similar in my house.
3:46:24 > 3:46:27What's the problem with a wireless thermostat?
3:46:27 > 3:46:29Unfortunately, we found some pretty shocking security
3:46:29 > 3:46:32on some brands of Smart thermostat.
3:46:32 > 3:46:34This one we managed to actually hold it to ransom.
3:46:34 > 3:46:37So just like you've heard with the NHS ransomware issue,
3:46:37 > 3:46:40holding critical devices to ransom, actually,
3:46:40 > 3:46:43we've found you can even hold your SmartStat to ransom,
3:46:43 > 3:46:47- to lock you out of heating unless you pay cash.- So...
3:46:47 > 3:46:49That would be quite unpleasant, but in the end,
3:46:49 > 3:46:51surely you just take it off the wall and reset it.
3:46:51 > 3:46:53I'm not so worried about that.
3:46:53 > 3:46:56What I'm more worried about is actually taking control
3:46:56 > 3:46:58of lots of Smart thermostats.
3:46:58 > 3:47:00Imagine you've got several hundred thousands of these
3:47:00 > 3:47:03and someone finds a way to compromise them, which we have.
3:47:03 > 3:47:06They could switch them on and off, synchronously.
3:47:06 > 3:47:08You can create unexpected power spikes
3:47:08 > 3:47:10using people's thermostats.
3:47:10 > 3:47:14So, in theory, you could knock out the grid on a bad day,
3:47:14 > 3:47:15if you wanted to.
3:47:15 > 3:47:17So, I mean, that's fascinating and terrifying.
3:47:17 > 3:47:20This is not about what it does to the individual.
3:47:20 > 3:47:23This is about what it might do to an entire nation's power grid.
3:47:23 > 3:47:24Damn right.
3:47:24 > 3:47:27Imagine you were a foreign power and you wanted to soften up
3:47:27 > 3:47:29a country on a particular day.
3:47:29 > 3:47:32I don't know, maybe an election day. You knocked out the power.
3:47:32 > 3:47:35That's going to influence the outcome of an election.
3:47:36 > 3:47:37All right.
3:47:42 > 3:47:46The internet of things has also arrived in health care.
3:47:46 > 3:47:49Devices that regulate drug dosages
3:47:49 > 3:47:52can now be operated over the internet,
3:47:52 > 3:47:56and some of the latest pacemakers are controlled by Bluetooth.
3:47:56 > 3:48:01A recent study revealed that there might be thousands of exploits.
3:48:01 > 3:48:05Do you think this fundamentally limits how useful
3:48:05 > 3:48:08the digital revolution might be in health care?
3:48:08 > 3:48:10Well, I think we've got things out of step.
3:48:10 > 3:48:14I think we've got amazing technical advances,
3:48:14 > 3:48:16fantastic technological steps forward, which are brilliant,
3:48:16 > 3:48:18which allow us to do cool stuff,
3:48:18 > 3:48:20that allows us much better diagnostics - brilliant.
3:48:20 > 3:48:23But we've got that out of step with the security.
3:48:23 > 3:48:24We're in a catch-up game.
3:48:24 > 3:48:28Once the security has caught up with the technological advances, great -
3:48:28 > 3:48:30we get fantastic medical benefits.
3:48:30 > 3:48:33But until then, it's all a little bit dangerous to me.
3:48:41 > 3:48:43We can't go back to the Stone Age.
3:48:43 > 3:48:46We need digital technology and all of its promise
3:48:46 > 3:48:49to push back the frontiers of medicine,
3:48:49 > 3:48:51so we have to learn how to protect ourselves.
3:48:51 > 3:48:53But there is hope.
3:48:53 > 3:48:56Hope, because there are people on our side in this fight.
3:48:56 > 3:48:57We've met some of them.
3:48:57 > 3:49:00Hope too because of all professions,
3:49:00 > 3:49:03medicine should be able to learn how to deal with this,
3:49:03 > 3:49:06because this is the feat of host immunity -
3:49:06 > 3:49:10of taking the hit from an infection, recognising it,
3:49:10 > 3:49:14and then continually evolving your defences until, eventually,
3:49:14 > 3:49:16you're impervious.
3:49:16 > 3:49:19Hope as well because, despite reports,
3:49:19 > 3:49:21the NHS never stopped.
3:49:21 > 3:49:25Yes, parts of its network were severely affected,
3:49:25 > 3:49:28but it kept doing what it always does.
3:49:28 > 3:49:32If the last few terrible weeks have taught us anything,
3:49:32 > 3:49:36it's that the NHS can take whatever you throw at it.
3:49:36 > 3:49:38It has a plan, it will learn
3:49:38 > 3:49:41and it will be ready for the next time.