Euro Security Watch with Mathew J. Schwartz

Endpoint Security, Fraud Management & Cybercrime, Next-Generation Technologies & Secure Development

Trump Administration: 'North Korea Launched WannaCry'

Why White House Is Suddenly Airing Ransomware Attribution
WannaCry's ransom note

The U.S. government has belatedly announced that hackers tied to the government of North Korea were behind the WannaCry outbreak that began on May 12. The self-propagating ransomware infected more than 200,000 endpoints across 150 countries.


"It's Official: North Korea Is Behind WannaCry," reads the title of an op-ed published Monday in the Wall Street Journal, written by Thomas P. Bossert, assistant to the president for homeland security and counterterrorism.

"After careful investigation, the U.S. today publicly attributes the massive 'WannaCry' cyberattack to North Korea," Bossert writes. "It was cowardly, costly and careless. The attack was widespread and cost billions, and North Korea is directly responsible."

Now tell us something we didn't already know.

Spotlight: Lazarus Group

The U.S. government's allegations follow multiple reports from information security firms that fingered the Lazarus Group - a team of hackers with ties to the Democratic People's Republic of Korea - as the culprits. In May, The Washington Post reported that the National Security Agency had "moderate confidence" that WannaCry was linked to the DPRK. In June, the BBC also reported that a government source told it that the U.K.'s GCHQ intelligence agency believed Pyongyang was behind WannaCry. None have released evidence to prove that assertion.

Security researchers at Comae Technologies, Cybereason, Google, Kaspersky Lab, Microsoft and Symantec have also said that code and tools used in the attack had previously been used by the Lazarus Group. Many see signs that Lazarus itself was involved, while others have doubts (see US Government Warns of North Korean Hacking).

Indeed, shared code proves only that the tools were available, and they could have been reused by anyone. And relatively speaking, WannaCry was mostly a dud. Mistakes in the ransomware code meant that its developers couldn't tie individual victims' cryptolocked PCs to bitcoin payments: every victim was directed to one of a handful of hard-coded bitcoin addresses, so there was no way to tell who had paid. Poor coding also led to new infections being blocked after a British security researcher registered a domain that the malware checked before spreading, accidentally triggering the equivalent of a kill switch. "This oversight points to the amateur nature of the initial attack and would imply that if a DPRK actor did conduct this attack, they were not operating at the level normally associated with these groups," says security firm Cybereason.

Heatmap shows WannaCry outbreak. Source: Symantec

On the other hand, the Lazarus Group has also been tied to the theft of $81 million from the central bank of Bangladesh's New York Federal Reserve account via fraudulent SWIFT messages, the use of Adylkuzz cryptocurrency mining malware as well as other attacks aimed at stealing cryptocurrency (see Lazarus Hackers Phish For Bitcoins, Researchers Warn).

Hacking may now account for one-third of cash-strapped North Korea's gross domestic product, Cybereason CISO Sam Curry tells me.

Pyongyang, meanwhile, continues to deny ever having launched a cyberattack. "As we have clearly stated on several occasions, we have nothing to do with cyberattack and we do not feel a need to respond, on a case-by-case basis, to such absurd allegations of the U.S.," a government spokesman says, according to North Korea's state-sponsored KCNA news agency.

A Question of Timing

Seven months after WannaCry hit PCs worldwide, why is the White House only now blaming North Korea?

Figuring out who launched an attack often involves technical clues, although ideally, investigators will have visibility into not just the systems used in the attacks, but the precise identity of whoever was behind the keyboard.

After the hack of Sony Pictures Entertainment, the FBI announced that it had proof that North Korean hackers had launched the attack. Officials, however, said they weren't going to release that evidence. Seemingly, doing so might have revealed the extent to which U.S. intelligence was able to track and monitor individuals suspected of being tied to the regime.

Bossert said as much when fielding questions about the timing of the WannaCry attribution in a Tuesday press briefing. "Did we do it too slowly? ... My answer is, no," he told reporters. "The most important thing is to do it right and not to do it fast. We took a lot of time to look through classified, sensitive information. What we did was, rely on - and some of it I can't share, unfortunately - technical links to previously identified North Korean cyber tools, tradecraft, operational infrastructure. We had to examine a lot. And we had to put it together in a way that allowed us to make a confident attribution."

He added that Australia, Canada, Japan, New Zealand and the United Kingdom concur with the U.S. assessment.

"Our assessment has been that North Korean actors known as the Lazarus Group were very likely responsible for the WannaCry attack back in May this year," a spokesman for the U.K. government's National Cyber Security Centre (NCSC), part of surveillance agency GCHQ, said this week.

Political Exercise

Whatever technical evidence intelligence agencies may gather, attribution remains a political exercise. If there's no good political reason to accuse another country of having done something, then it won't be done.

Timing-wise, the U.S. government imposed stronger sanctions on North Korea last month over the country's nuclear and ballistic missile programs, and it's likely that it's now seeking further diplomatic leverage. Indeed, Bossert's op-ed appeared the same day that President Donald Trump declared that the U.S. would take "all necessary steps" to denuclearize North Korea.

Those steps now include the White House officially accusing Pyongyang of being responsible for WannaCry.

"We will continue to use our maximum pressure strategy to curb Pyongyang's ability to mount attacks, cyber or otherwise," Bossert writes.


This blog has been updated with comments from Cybereason, DPRK and GCHQ.

About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
