
NSA, British security officials: North Korea behind global WannaCry ransomware attacks

The U.S. National Security Agency believes with “moderate confidence” that last month's WannaCry ransomware attacks were perpetrated by the government of North Korea, via its Reconnaissance General Bureau intelligence agency, the Washington Post has reported.

WannaCry ransomware paralysed endpoints at organisations in more than 150 countries, among them nearly 50 NHS trusts in the UK, FedEx in the US, Telefónica in Spain, Renault factories in France, a Chinese energy company and the Russian interior ministry. The campaign was notable not only for the victims it claimed but for being the first major outbreak to combine ransomware with a self-propagating network worm.

The worm component spread using EternalBlue, an exploit developed by the NSA for a vulnerability in Microsoft's SMBv1 server (CVE-2017-0144, fixed by the MS17-010 update in March 2017) and leaked publicly by the Shadow Brokers group in April 2017. Any unpatched machine with TCP port 445 reachable from an infected host could be compromised without user interaction, which is what let the ransomware spread across internal networks and the internet on its own.

Additionally, an investigation conducted by Britain's National Cyber Security Centre (NCSC) also points to North Korea as the culprit, according to a separate report from the BBC, citing British security officials.

Early analysis suggested that, for all its reach and impact, the WannaCry ransomware itself was not very sophisticated; the worm component was. Using EternalBlue, the attackers propagated what appeared to be a mediocre piece of ransomware on a massive scale.
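The worm behaviour described above has a simple network signature: one internal host opening SMB (TCP/445) connections to many distinct peers in a short time, which is nothing like a normal client that talks to one or two file servers. The following detector is an added example written for this article, not code from SC Media, the NSA or any vendor quoted here; it runs over constructed netflow-style records (not real captured traffic) and flags any source that reaches a configurable number of distinct 445/tcp destinations inside a sliding window. The log format, thresholds and IP addresses are assumptions for the illustration.

```python
"""Flag hosts fanning out on TCP/445, the propagation pattern of a WannaCry-style SMB worm."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dst_port: int
    proto: str


# Constructed sample records for this example (not real traffic).
# Assumed format: "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = "\n".join(
    # worm-like host: 16 distinct SMB targets in 16 seconds
    [f"2017-05-12T10:00:{s:02d} 10.0.0.5 10.0.0.{20 + s} 445 tcp" for s in range(16)]
    # re-hitting an already-seen target must not count as a new destination
    + ["2017-05-12T10:00:20 10.0.0.5 10.0.0.20 445 tcp"]
    # ordinary client talking repeatedly to one file server
    + [f"2017-05-12T10:00:{s:02d} 10.0.0.9 10.0.0.50 445 tcp" for s in range(5)]
    # busy host, but HTTPS fan-out is out of scope for this detector
    + [f"2017-05-12T10:00:{s:02d} 10.0.0.7 203.0.113.{s} 443 tcp" for s in range(16)]
    # the worm host again five minutes later: a separate, smaller burst
    + [f"2017-05-12T10:05:{s:02d} 10.0.0.5 10.0.0.{60 + s} 445 tcp" for s in range(3)]
)


def parse_flows(text: str) -> list[Flow]:
    """Parse one record per line; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append(Flow(datetime.fromisoformat(ts), src, dst, int(port), proto.lower()))
    return flows


def find_smb_scanners(
    flows: list[Flow],
    window: timedelta = timedelta(seconds=60),
    threshold: int = 10,
) -> dict[str, int]:
    """Return {src_ip: peak_distinct_445_destinations} for sources at or above threshold.

    For each source the 445/tcp flows are sorted by time and a sliding window
    of `window` length is moved over them; the score is the largest number of
    distinct destination IPs seen inside any single window.
    """
    by_src: dict[str, list[Flow]] = defaultdict(list)
    for f in flows:
        if f.dst_port == 445 and f.proto == "tcp":
            by_src[f.src].append(f)

    hits: dict[str, int] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda f: f.ts)
        peak = 0
        left = 0
        for right in range(len(recs)):
            # advance the left edge until the window fits
            while recs[right].ts - recs[left].ts > window:
                left += 1
            distinct = len({f.dst for f in recs[left:right + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            hits[src] = peak
    return hits


if __name__ == "__main__":
    for src, peak in find_smb_scanners(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT possible SMB worm: {src} reached {peak} distinct hosts on 445/tcp within 60s")
```

On the constructed sample only 10.0.0.5 is reported (16 distinct destinations); the file-server client and the HTTPS-heavy host are left alone. In a real deployment the threshold should be tuned against the environment's normal SMB fan-out (domain controllers, backup and patch-management servers legitimately touch many hosts on 445 and need an allow-list), and an alert is a prompt to isolate the host and check for MS17-010, not proof of infection.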

If it was a money-making ploy by the North Korean government, then it appears to have failed. By the end of the attack, the wallets into which the victims were directed to pay the ransoms contained just over £109,000.

Jake Williams, founder of Rendition Infosec, told the Washington Post that the ransomware may have “gotten loose” during testing, which might explain its shortcomings.

North Korea was quickly blamed by a range of experts, including Symantec which said that the campaign bore the hallmarks of previous attacks the country is believed to have carried out.

Attribution is a contested practice and few claims escape criticism. When fingers first pointed towards North Korea for the WannaCry attacks, a report from the Institute for Critical Infrastructure Technology (ICIT) called the claims “hasty” and the evidence “circumstantial at best”.

Incredulity is understandable: purely financial objectives rarely motivate APT groups. A nation state with the motives of a cyber-criminal, however, appears to be a characteristic unique to North Korea.

As a country isolated by its despotic regime, cultural autarky and historical hostility to the outside world, North Korea is subject to heavy sanctions imposed by the international community. One way of circumventing those sanctions has been to engage in illegal but lucrative activity: foreign bureaus of the North Korean government have been known to run drug-trafficking and counterfeiting operations, among other illicit practices.

John Nilsson-Wright, a senior research fellow in the Asia program at Chatham House, told SC Media UK earlier in the year: “It's a well known fact that embassy personnel stationed overseas are required to raise money through fair means or foul.”

In a June 15 blog post, Insikt Group, the research arm of threat intelligence firm Recorded Future, addressed the NSA's findings in its own analysis of the North Korean cyber threat. "We assess that use of ransomware to raise funds for the state would fall under both North Korea's asymmetric military strategy and 'self-financing' policy, and be within the broad operational remit of their intelligence services," the post explains.

One recent development, now all but proven, is that the East Asian regime engages in cyber-crime to fill its meagre state coffers. The group behind this and many other attacks is known as Lazarus.

Its fingerprints have been seen on the 2014 attack against Sony Pictures, believed to have been carried out in retaliation for the release of a film satirising the North Korean leader.

More recently, Lazarus has been implicated in the 2016 attack on Bangladesh Bank, the country's central bank, in which the thieves moved US$81 million (£65 million) out of its account by issuing fraudulent payment instructions over the SWIFT network, then laundered the funds through casinos in the Philippines.

If this was a cash grab, Ewan Lawson, senior fellow for military influence at the Royal United Services Institute, told SC, “It seems a fairly crass way to go about it.”

“I don't get what the strategic logic of North Korea doing it is. That's not me questioning the attribution at all because North Korea does quite a few things that are slightly crazy.”

A response, political or otherwise, has not yet been formulated, but considering the scale of the attack, it's hard to imagine there won't be one. North Korea is already heavily sanctioned, and Lawson expects yet more.

Lawson assured SC, though, that whatever the impact of the attacks, “An invasion isn't going to happen any time soon.” One could “completely isolate them from the Internet”, Lawson added; “in purely cyberspace terms, I think that's all you could do.”

Additional reporting by Bradley Barth, senior reporter.
