Update 2: UK & US blame North Korea for WannaCry - 'directly responsible'

News by Teri Robinson

North Korea was behind the WannaCry ransomware that blazed a destructive path around the world last spring, wreaking havoc on companies of all stripes, say both UK and US officials.

North Korea was behind the WannaCry ransomware that blazed a destructive path around the world last spring, wreaking havoc on hospitals, the financial sector, FedEx, and companies of all stripes, a high-ranking adviser in the US Trump administration said Monday.

Then today (19/12/2017) UK Foreign Office Minister Lord Ahmad of Wimbledon backed up the assertion, also attributing the WannaCry ransomware incident to the North Korean actors known as the Lazarus Group. "The decision to publicly attribute this incident sends a clear message that the UK and its allies will not tolerate malicious cyber activity," the government release said.

After the UK National Health Service was severely hit by WannaCry, the UK led the international investigation, and within weeks, in May 2017, the UK National Cyber Security Centre (NCSC) attributed the attack to North Korea.

The WannaCry ransomware incident affected 300,000 computers in 150 countries, including systems at 48 NHS trusts.

Minister for Cyber, Lord Ahmad, has now said: "The UK's National Cyber Security Centre assesses it is highly likely that North Korean actors known as the Lazarus Group were behind the WannaCry ransomware campaign – one of the most significant to hit the UK in terms of scale and disruption. We condemn these actions and commit ourselves to working with all responsible states to combat destructive criminal use of cyber-space. The indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber programme to circumvent sanctions.

"International law applies online as it does offline. The United Kingdom is determined to identify, pursue and respond to malicious cyber activity regardless of where it originates, imposing costs on those who wish to attack us in cyberspace. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace."

Referring to WannaCry as widespread, costly and “indiscriminately reckless,” US President Trump's homeland security adviser, Tom Bossert, said in a Wall Street Journal opinion piece that “North Korea is directly responsible.”

WannaCry spread using EternalBlue, an exploit for a flaw in Microsoft's SMBv1 implementation (fixed by the MS17-010 update in March 2017, two months before the outbreak), and the DoublePulsar kernel backdoor that the exploit installs to load the payload. Both tools were allegedly created by the US National Security Agency and subsequently leaked by The Shadow Brokers hacking group. Because the exploit needed no user interaction, the ransomware was wormable: it scanned for and infected other SMB hosts on its own and spread to more than 150 nations in the first three days.
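The practical check that follows from this is whether a host still accepts the SMBv1 dialect that EternalBlue targets. The script below is an added example, not code from the article or from any of the vendors quoted in it: it builds an SMB1 NEGOTIATE request, sends it to TCP/445 and classifies the reply. The dialect list, the verdict labels and the sample replies are constructed for the example, and the note that a Windows host with SMBv1 disabled usually closes the connection rather than answering is an assumption, marked as such in the code.

```python
"""Check whether a host still speaks SMBv1 (the protocol EternalBlue exploits).

Added example, not code from the article: builds an SMB1 NEGOTIATE request,
sends it over TCP/445 and classifies the answer. The sample replies at the
bottom are constructed so the parser can be exercised offline.
"""
import socket
import struct
import sys

# Dialects a legacy SMB1 client would offer (constructed list for the example).
DIALECTS = [b"PC NETWORK PROGRAM 1.0", b"LANMAN1.0", b"NT LM 0.12"]
SMB1_MAGIC = b"\xffSMB"
SMB2_MAGIC = b"\xfeSMB"
SMB_COM_NEGOTIATE = 0x72
# SMB1 header after the magic: command, status, flags, flags2, pid_high,
# security_features, reserved, tid, pid_low, uid, mid (32 bytes with magic)
HEADER_FMT = "<BIBHH8sHHHHH"


def _netbios(smb):
    """Prefix an SMB message with the 4-byte NetBIOS session header (type 0x00)."""
    return struct.pack(">I", len(smb)) + smb


def build_negotiate_request(dialects=DIALECTS, mid=1):
    """Return a NetBIOS-framed SMB1 NEGOTIATE request offering `dialects`."""
    header = SMB1_MAGIC + struct.pack(
        HEADER_FMT, SMB_COM_NEGOTIATE, 0, 0x18, 0xC801, 0, b"\x00" * 8,
        0, 0, 0x1234, 0, mid)
    # Each dialect entry is a 0x02 buffer-format byte plus a NUL-terminated string.
    data = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    return _netbios(header + struct.pack("<BH", 0, len(data)) + data)


def parse_negotiate_response(raw):
    """Classify a reply to the request above.

    'smb1'         server picked one of our SMB1 dialects: SMBv1 is enabled
    'smb1-refused' server answered in SMB1 but accepted no dialect (0xFFFF)
    'smb2'         server answered with an SMB2 header
    'no-reply'     nothing came back; assumption: a Windows host with SMBv1
                   disabled usually just closes the connection
    'unknown'      anything else
    """
    if len(raw) < 4:
        return "no-reply" if not raw else "unknown"
    length = struct.unpack(">I", raw[:4])[0] & 0x00FFFFFF
    smb = raw[4:4 + length]
    if smb.startswith(SMB2_MAGIC):
        return "smb2"
    if not smb.startswith(SMB1_MAGIC) or len(smb) < 35:
        return "unknown"
    command = smb[4]
    status = struct.unpack("<I", smb[5:9])[0]
    word_count = smb[32]
    if command != SMB_COM_NEGOTIATE or status != 0 or word_count == 0:
        return "unknown"
    dialect_index = struct.unpack("<H", smb[33:35])[0]
    return "smb1-refused" if dialect_index == 0xFFFF else "smb1"


def negotiated_dialect(raw, dialects=DIALECTS):
    """Name of the dialect the server chose, or None if it chose none."""
    if parse_negotiate_response(raw) != "smb1":
        return None
    index = struct.unpack("<H", raw[4 + 33:4 + 35])[0]
    return dialects[index] if index < len(dialects) else None


def probe(host, port=445, timeout=3.0):
    """Send the request to a live host. Only run against hosts you are
    authorised to test; the offline samples below do not exercise this."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_negotiate_request())
            reply = sock.recv(4096)
    except OSError:
        return "no-reply"
    return parse_negotiate_response(reply)


def _smb1_reply(word_count, dialect_index):
    """Constructed server reply: WordCount, DialectIndex, zero-filled rest."""
    header = SMB1_MAGIC + struct.pack(
        HEADER_FMT, SMB_COM_NEGOTIATE, 0, 0x98, 0xC801, 0, b"\x00" * 8,
        0, 0, 0x1234, 0, 1)
    words = struct.pack("<H", dialect_index) + b"\x00" * (2 * word_count - 2)
    return _netbios(header + struct.pack("<B", word_count) + words + b"\x00\x00")


# Constructed sample replies (not captured traffic).
SAMPLE_SMB1_OK = _smb1_reply(17, 2)           # NT LM 0.12 accepted: SMBv1 on
SAMPLE_SMB1_REFUSED = _smb1_reply(1, 0xFFFF)  # SMB1 answered, no dialect accepted
SAMPLE_SMB2 = _netbios(SMB2_MAGIC + b"\x00" * 60)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(sys.argv[1], probe(sys.argv[1]))
    else:
        for name, sample in [("ok", SAMPLE_SMB1_OK),
                             ("refused", SAMPLE_SMB1_REFUSED),
                             ("smb2", SAMPLE_SMB2)]:
            print(name, parse_negotiate_response(sample), negotiated_dialect(sample))
```

Run with a hostname to probe a live machine, or with no arguments to see the three constructed replies classified. A verdict of "smb1" means the host negotiates the legacy dialect and, unless MS17-010 is installed, is exposed to the same propagation path WannaCry used; the fix is to apply the update and disable SMBv1 outright rather than rely on the absence of the exploit.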

North Korea had long been suspected of being behind the attack, with speculation pinning it on the Lazarus Group, the group believed to have been behind the 2014 Sony Pictures hack, but Bossert's allegations were the administration's first public declaration that the country was to blame.

“We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either. Other governments and private companies agree,” Bossert wrote. “The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.”

Bossert said the US would continue to apply its “maximum pressure strategy to curb Pyongyang's ability to mount attacks, cyber or otherwise.”

Commenting on the attribution in an email to SC Media UK, Dmitri Alperovitch, CTO and co-founder, CrowdStrike, described it as, "...another step in establishing the importance for regularly attributing significant attacks to nation-states and criminal groups. It also raises public awareness about North Korea's growing offensive cyber-capabilities. CrowdStrike has tracked DPRK's cyber-activities going back to the mid-2000s, which started with espionage, then half a decade later evolved into destructive attacks and in the last few years delved into cyber-crime such as ransomware and bank heists. They are a very capable actor that is known to have developed 0-day exploits and their own unique malware code. As such, they pose a major threat to organisations globally, especially as tensions between the US and North Korea over the nuclear and missile programs continue to escalate.”

Tim Erlin, VP of Product Management and Strategy at Tripwire, emailed SC to comment that: "Accurate attribution for cyber attacks is almost always a difficult task, and it's doubly so when the evidence leading to the conclusion can't be shared. With global public trust in the US government at a low point, it's not surprising that there's skepticism.

“If we're going to have national security organisations delivering these types of conclusions on attribution to the public, we need to find a way to develop trusted output. The mantra of 'trust us' doesn't cut it here.

"This conclusion about North Korea's culpability isn't new. The UK discussed the very same conclusion in October, with the very same caveats about sharing the actual evidence.

“You can't arrest a nation-state, which inevitably prevents any real closure on an incident like WannaCry.

“Whether North Korea is the threat actor or not doesn't change the lessons that organisations should take from this incident. These vulnerabilities are out there, and WannaCry demonstrated what can happen when the right condition is exploited. Defensive response should be to reduce the risk as much as possible."

Meanwhile Benjamin Read, manager, cyber-espionage analysis at FireEye has added weight to the attribution, emailing SC Media UK to report that: "FireEye has found the WannaCry malware shares unique code with WHITEOUT malware that we have previously attributed to suspected North Korean actors. While we have not verified other experts' observation of known DPRK tools being used to drop early versions of WannaCry, we have not observed other groups use the code present in both WannaCry and WHITEOUT and we do not believe it is available in open source. This indicates a connection between the two.

“Our analysis has found this unique code shared across additional North Korean malware, including NESTEGG and MACTRUCK. Significantly, while this code is present in the MACTRUCK malware, it is not used. The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators.

“In addition to the WannaCry activity, we believe that North Korean actors are using multiple vectors to engage in cyber-criminal activity, including, most prominently, the targeting of Bitcoin exchanges. FireEye assess that North Korea will continue to pursue financially motivated cyber-intrusion to supplement the government's income.”

However, not everyone is convinced. Ross Rustici, Cybereason's senior director of intelligence services, still believes that WannaCry is unlikely to have been a state-sponsored attack.

Rustici asserts that the attribution against North Korea provides no new evidence. Instead, he says, it rehashes old history in a way that increases FUD, reduces informed discussion of one of the most pressing security threats of 2018 and only serves to increase the likelihood of miscalculation and mistake. Nothing in North Korea's past cyber campaigns or in its conventional military and foreign policy fits this mould, he says, adding that looking at national identity, foreign policy and strategic messaging greatly reduces the likelihood that Pyongyang ordered this campaign.
