Pyongyang calling: GCHQ also now pins WannaCry on North Korea

News by Roi Perez

Not much is known of the investigation by the NCSC into the attack, but experts disagree on the validity of the claims.

The UK's National Cyber Security Centre (NCSC) has led an international investigation into the WannaCry ransomware attack and concluded that the perpetrator is the Lazarus hacking group which is believed to be from North Korea, the BBC is reporting.

The US's Computer Emergency Response Team (CERT) has also issued warnings about North Korean hacking, but refers to the Lazarus group as “Hidden Cobra”.

The NCSC would neither “confirm nor deny” the reports. But a Guardian reportsaid, “the NCSC had led the international investigation into the WannaCry bug and completed its assessment within the last few weeks.”

The report from the BBC follows similar claims by the US's National Security Agency (NSA), that the WannaCry attack is linked to North Korea.

The BBC says “Private sector cyber-security researchers around the world began picking apart the code to try to understand who was behind the attack soon after.” The NCSC investigation is said to be “based on wider information.”

Adrian Nish, cyber-threat intelligence expert from BAE Systems, spoke with the BBC and said he “saw overlaps with previous code developed by the Lazarus group. It seems to tie back to the same code-base and the same authors.” He adds, “The code-overlaps are significant."

Similar conclusions had been reached by security company SecureWorks, as it found similarities between the “wannadecryptor” malware, and an earlier piece of malware named “Brambul”.

Speaking with the Guardian, SecureWorks said: “Brambul is uniquely associated with North Korean threat group Nickel Academy (AKA Lazarus group). The same code overlap was also seen in another piece of malware used to attack the Polish banking regulator KNF, another operation attributed by SecureWorks to the Lazarus group.”

So is it really North Korea? Ross Rustici, senior director, intelligence services at Cybereason says, “This narrative was easy to build from a technical side but significantly flawed from an actor and motivation perspective.”

Writing for SC Media UK in an opinion piece, Rustici opines that: “This pandemic lacked the hallmarks of a traditional Democratic People's Republic of Korea operation. Nothing in North Korea's past cyber-campaigns or conventional military and foreign policy fit the attributes of this ransomware campaign. The country's cyber-programme which was developed from the ground up with over-engineered, indigenous malware, also follows this mantra. This philosophy has led to a cyber-programme with significant technical capabilities, skilled developers, and sophisticated intrusion campaigns.”

He adds: “The first red flag around attributing the WannaCry campaign to North Korea. The code that didn't leverage Shadow Broker exploits was crude, buggy and functioned poorly. The DPRK cyber-programme is technically and organisationally capable of producing and implementing much superior code.”

In an emailed statement  Brian Lord OBE, former deputy director GCHQ for Cyber and Intelligence, now management director of risk management company Protection Group International, said that in the scheme of things, the fact that North Korea could potentially be behind the attack doesn't matter “at all”.

He writes: “it is important to avoid the hand-wringing, defeatist, “it's a state attack, there's nothing we can do?!” response.  The basic measures and defences needed to counter Wannacry are no different to those identified before a potential linkage to Lazarus was made.  Cyber-hygiene counters and deters indiscriminate state operations as much as it does wider criminal or hacktivist activity.  It is just everyone needs to be aware of the risk of collateral damage as both State and organised crime groups continue to develop new innovative ways of achieving their esds.”

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews