Ross Rustici, senior director, intelligence services, Cybereason

As WannaCry infected computers around the globe, half a dozen security firms were quick to name Lazarus Group as the perpetrator. This group is supposedly connected to the North Korean government and carried out the 2014 Sony Pictures attack, among other high-profile hacks. These firms reached this conclusion after a technical analysis revealed a similarity in the code of an early WannaCry variant and some legacy North Korean tools that became public during the Sony Pictures hack.

This narrative was easy to build from a technical side but significantly flawed from an actor and motivation perspective. This pandemic lacked the hallmarks of a traditional Democratic People's Republic of Korea operation. Nothing in North Korea's past cyber campaigns or conventional military and foreign policy fit the attributes of this ransomware campaign. Studying national identity, foreign policy and strategic messaging greatly reduces the likelihood that Pyongyang ordered this campaign.

North Korea's national identity is largely defined by a principle of self-reliance. This principle dictates every facet of life, from economic policy to defence priorities. The country's cyber-program, which was developed from the ground up with over-engineered, indigenous malware, also follows this mantra. This philosophy has led to a cyber-program with significant technical capabilities, skilled developers and sophisticated intrusion campaigns. And here's where we see the first red flag around attributing the WannaCry campaign to North Korea: the code that didn't leverage Shadow Brokers exploits was crude, buggy and functioned poorly. The DPRK cyber-program is technically and organisationally capable of producing and implementing far superior code.

From a foreign policy perspective, the WannaCry attack, if carried out by North Korean assets, was disastrous. Tensions on the Korean Peninsula have been escalating at a rapid pace since the beginning of 2017, and China, North Korea's traditional supporter, has been slowly distancing itself from the North. This leaves North Korea with one powerful neighbour and occasional supporter: Russia. But Russia, along with China, was disproportionately attacked by WannaCry. Infecting computers in the two countries that are the closest things you have to allies is a very risky foreign policy strategy, particularly when excluding their networks from the randomisation function would have been a trivial coding change.

Complicating matters further, most of the known North Korean cyber activity originates in China, and North Korea's only Internet access transits China and Russia. Also, China can identify and jail DPRK cyber actors who are operating inside the country. Adding these variables to the attribution equation shows that North Korea's cyber-program could incur serious harm - including the possibility of being wiped out - if the country launched an attack on the scale of WannaCry against China and Russia.

Additionally, North Korea has a tightly controlled and effective strategic messaging campaign. The country utilises its nuclear program, strategic missile program and cyber-program to broadcast messages to adversaries. In every other instance of a DPRK destructive attack, there has been a strong messaging component designed to deter and terrorise the intended target. Chaos for the sake of chaos does not benefit the regime and cyber has traditionally been used to signal displeasure and in direct response to actions taken by the victim.

Finally, the DPRK would never intentionally dilute the messaging around their missile program with a cyber event. Cyber is an asymmetric tool to reach out and strike those who transgress against the state. The missile program is a symbol of national pride and a deterrent crafted to ensure regime survival. On 14 May, North Korea tested an IRBM that has the capability to hit U.S. military installations on Guam. This event, which in any other news week would have garnered international headlines, was buried as a result of the WannaCry pandemic that began two days before the launch. The DPRK does not bury its own lead in this manner.

As a community, we need to move beyond purely technical analysis when attempting to identify the actors behind high-profile attacks. In the age of code reuse and obfuscation, understanding the why of an attack often yields more insight on the who.

Contributed by Ross Rustici, senior director, intelligence services, Cybereason 

Also see counter-arguments from the NSA and GCHQ supporting the premise that it was North Korea.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.