Of all the things we do in threat hunting, attribution is the toughest and least reliable. This is not a spoiler alert, but I can tell you in the first paragraph of this blog (so I will) that there is no credible attribution of the WannaCry attacks yet. Of course, as I'm writing this that might change, but as I sit at my keyboard as far as I know it's a true statement. Let's do what we good threat hunters always do first: look at the facts and data as we know them.
Quite a number of researchers, bloggers, security companies, and publications (including this one) have reported on speculation that this is another attack by North Korea, the country we all seem to love to hate. The key word there is speculation. The attribution puzzle requires a lot of context to solve. I am not going to go deeply into this because, first, the total process as a discipline is beyond our scope here, and, second, because there is an excellent paper by Rid and Buchanan on the topic at Attributing Cyber Attacks. Figure 1 from that paper shows the cyber attribution process.
Figure 1 - The "Q" Model from the Rid and Buchanan paper
There is a detailed description of each of the layers in the paper and the takeaway from this is that, while the technical evaluation is, of course, critically important, it is by no means all you need. To date, the bulk of analyses have begun and ended with this aspect which the paper's authors refer to as part of tactical. The operational and strategic aspects, as represented in the model, have largely been ignored. Borrowing from the paper for a moment, tactical refers to helping...
...analysts ask the full range of relevant questions, to aid their critical thinking, and to put an investigation into context.
Operationally, the model helps integrate both technical and non- technical information into competing hypotheses.
Strategically, the model helps refine and extract the essence of the attribution process for external presentation in the appropriate estimative language. This language may inform political judgments with serious consequences.
In my view most current analysis has focused on the tactical without recourse to the operational or strategic aspects of attribution. Thus, we engage in rumor-mongering and hype. While I don't have time to go very deeply into all of the aspects, I am considering a paper on this since it is such a massive attack and since there are several possible attribution targets. If I decide to do that, of course it will be available here for download. I also solicit any input that my readers may want to contribute that can help my analysis because, as the Rid/Buchanan paper says, attribution is
a team sport — successful attribution requires more skills and resources than any single mind can offer.
I counter the prevailing hype that the campaign easily is attributable to North Korea with reliable intelligence that I have that points to Russian involvement. No, not a state-sponsored attack. This intel points to individual actors with limited skills stitching together a Frankenstein's Monster of weaponized ransomware from body parts stolen from NSA and some underground resources. It points to several - not many, really - actors who are little more than script kiddies trying to search out people in the underground forums - particularly vetted-membership Russian hacking forums - who actually know what they are doing and then trying to get help to sew up the monster. Adding the NSA tools brought down the lightening and the monster lived - all over the Internet.
Ignoring my deathless prose (please) let's take a closer look at what evidence might support that intel. The ransomworm - that's really what it is - made several mistakes. First and most obvious was the unregistered domain debacle. That, likely, was a juvenile effort at sandbox evasion, though, for the life of me, I can't see why they might think that would work. Perhaps the reasoning was that a registered domain might be a sinkhole (or be sinkholed). Imagine that! It was. Of course if the bad guys controlled the domain it would be less likely to be a sinkhole, but that didn't stop an enterprising researcher from creating a registered domain and sinkholing it. A little recursion can be a powerful thing!
Now let's look at the bitcoin wallets. There is a bit of a disconnect between the wallets and the victims paying up, though what that is seems a bit unclear. However, the bitcoin wallets are hard-coded into the malware so a simple reversing finds them easily. Worse, there are only three. This, Symantec reports, was a bug referred to as a race condition. The problem, of course, is that instead of creating, automatically, a bitcoin wallet to receive each victim's payment, the malware reverted to the hard-coded addresses. The difficulty is compounded by the fact that each victim's files are encrypted separately so no decryption can save more than its single victim.
Armed with the wallet addresses, we can follow the blockchain and, given the right tools and appropriate alignment of the planets we might be able to scratch out at least one of the IP addresses partly involved. Not likely, of course, but we threat hunters often are dreamers. The result has been that a ransomware that should have been a screaming success barely whimpered.
Back to the sandboxing theory, sandbox evasion is, of course, an attempt at obfuscation. There are other ways to do that but, as I wrote in my last blog, there are few, if any, such attempts written into the code. Very amateurish, indeed.
The bottom line is, if this is all North Korea can muster, I don't see them as much of a threat. However,
...according to Kim Heung-kwang, a former computer science professor in North Korea who defected to the South, "Unit 180 is engaged in hacking financial institutions (by) breaching and withdrawing money out of bank accounts" (Reuters, 21 May 2017).
Unit 180 generally operates outside of North Korea - Singapore is a favorite location - to take advantage of better Internet connectivity and easier obfuscation than might be available in the homeland.
So, of course it is possible that North Korea is involved, but this would appear to be a departure from Unit 180's typical MO, hacking financial institutions.
But, just in case, let's have a look at some of the "Kim dunnit" theories. The most prevailing one uses blocks of code that were part of known Korean hacks appearing in the WannaCry code as justification for pinning the attacks on NK. That's really not enough. These blocks of code are readily available in the underground and get reused regularly.
The assessment - which dealt with code and parts of a couple of viruses known to have been used against South Korea - referred to open source libraries used by the Lazarus Group and, of course, others. If I borrow and wear your brand new spiffy $10,000 business suit I'm still me, not you, no matter how great I look. This was part of the stitching together of the monster and it really points to nobody in particular if we take it without explicit attribution that says the Lazarus Group/Unit 180 used its own tools to build the monster. Even so, these state-sponsored hackers probably are not as amateurish as WannaCry suggests.
There are a lot of other assessments, and by now there are enough variants by enough copycats that the original trail is starting to get cold. So let's apply some good old formal logic and math. Some years back a CIA employee developed an algorithm to assess which of several hypothetical intelligence scenarios was most likely. The process is called ACH: Analysis of Competing Hypotheses. What follows is expounded in much greater detail in an excellent blog by Digital Shadows and I recommend it to you, not just for this, but as an ongoing analysis tool. This step is consistent with the Rig/Buchanan paper's Operational step. Their - the Digital Shadows team - conclusion is exactly the same as mine (which I evolved before reading their blog, but, it turns out, for many of the same reasons):
...the "WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available".
Figure 1 shows the table with the analysis. The key is C=Evidence is consistent with the hypotheses, I=Evidence is inconsistent with the hypothesis and N=Evidence is neither consistent nor inconsistent with the hypothesis.
Figure 2 - ACH analysis of WannaCry attribution hypotheses
Notice that in hypothesis 2 - An unsophisticated financially-motivated cybercriminal actor - either is Consistent or Neither with the exception of the two pieces of evidence that are linked to North Korea. Those are both rated as Inconsistent. I highly recommend reading the entire blog for a lot of exceptional detail backed by good research.
The bottom line is that if we take all that we know - and remember, we have the Dark Web intel on Russian hackers (and, remember, ransomware is a Russian hacker MO) as well as some shaky supposition on NK attribution - we can draw a couple of conclusions: first, this likely wasn't a state-sponsored attack, and if it was, it was a pretty shoddy piece of work. Second, the motivation was financial and the malware was so poorly stitched together that, even though it spread like wildfire thanks to the NSA tools used to weaponize it, it failed to pay off for its creators.
Does that mean that we can't reliably attribute WannaCry? I'm not sure. There are a lot of very good people working on this at all levels from government to private sector to researchers. It's the kind of puzzle that threat hunters love and, of course, the payoff is that we may be able to stop this strain of malware in its tracks, disassemble the monster and put it back in its grave where it belongs.
Tools Used in This Blog:
The "Q" Model