Attacks/Breaches

6/15/2017
06:20 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

NSA Reportedly Confident North Korea Was Behind WannaCry

But some say no evidence exists to unequivocally pin blame for attacks on Pyongyang.

The US National Security Agency (NSA) appears to have joined the ranks of those convinced that the North Korean government was behind the recent WannaCry ransomware epidemic even as many others remain skeptical of that conclusion.

The Washington Post Wednesday reported that NSA officials have determined with "moderate confidence" that the tactics and techniques used in the WannaCry attacks point to the Reconnaissance General Bureau, the North Korean intelligence agency. The motive for the attacks apparently was to try and raise money in the form of ransom payments from victims, the Washington Post said, citing sources within the NSA.

The NSA's assessment of WannaCry concludes that threat actors sponsored by the North Korean intelligence agency created two versions of WannaCry.

News of the NSA's reported analysis coincides with a somewhat oddly timed released this week of a US-CERT technical analysis linking the North Korean government to a botnet used to launch DDoS attacks worldwide.

Together, the developments suggest that the US government could be making a case for some sort of retaliatory action against the North Korean government for its alleged misbehavior in cyberspace, though it is too early to know for sure. Such a move would certainly jibe with the Trump Administration's overall get-tough stance against Pyongyang over the isolated nation's controversial missile program.

WannaCry crypto ransomware infected over 300,000 Windows computers worldwide earlier this year using a leaked NSA exploit dubbed EternalBlue to propagate itself to vulnerable systems.

The US government's apparent conclusions about its origins have at least some measure of support within the security industry. At a Congressional hearing Thursday on the lessons learned from the WannaCry outbreak, a senior executive from Symantec reiterated statements the company has made previously about its belief that North Korea had a hand in the attacks.

"There were very, very close similarities to other kinds of attacks we have seen, specifically attacks we attribute to a group called Lazarus," said Hugh Thompson in his testimony before the Joint Subcommittee on Oversight and Subcommittee on Research and Technology hearing.

"The malware, the reuse of strings in that malware the reuse of command and control infrastructure out on the Internet by that malware led our researchers to believe there is a strong link to the Lazarus group," which the FBI has linked to North Korea, he said. The same group was linked to the attacks on Sony and to the more than $81 million cyberheist from the Bank of Bangladesh last year, he said.

Other security experts are less sure of the connection and say there's not enough evidence available to unequivocally attribute the attacks to North Korea.

"We think it is ambiguous to conjecture over the origins of WannaCry," Salim Neino, chief executive officer of Kryptos Logic, said in his testimony at the hearing. Some of the pieces of code used in the WannaCry attacks suggest that a nation-state actor was involved. According to Neino, WannaCry may have impacted as many as 2 million systems worldwide, which is considerably more than previous estimates.

"But unfortunately, anyone could have created this level of attack," and then made it look like North Korea was behind it, he said. "I would compare it perhaps to photo-shopping a program to make it look a certain way. Or, it could have simply been what it is. What I can say is these attacks are very difficult to attribute," he noted.

Others have suggested that the authors of WannaCry have a Chinese connection. Security vendor FlashPoint, for instance, says its linguistic analysis of the 28 ransomware messages used in the WannaCry attacks suggest the authors are from China or are Chinese-speaking.

"Many researchers have linked the WannaCry malware to the “Lazarus Group,” which is itself believed affiliated with North Korea," FlashPoint said in a separate intelligence report earlier this month. "Flashpoint’s own analysis of the 28 odd foreign language ransom notes, however, strongly suggests a Chinese-speaking author of the notes themselves," the note said. "These two findings—the link to North Korea and a Chinese-speaking author of the ransom notes—are not mutually exclusive, however," the company added.

Related Content:

 

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
cybersavior
100%
0%
cybersavior,
User Rank: Strategist
6/16/2017 | 2:54:43 PM
Headline:
"U.S. government accuses North Korea of unleashing a malware attack that was devised from computer exploits developed by the U.S. government for attacking computers"
Armanor
50%
50%
Armanor,
User Rank: Apprentice
6/16/2017 | 2:01:04 AM
Question about WannaCry
Does WannaCry only target companies or can it attack everybody ? I thought it was only targeting companies
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Privacy Ops: The New Nexus for CISOs & DPOs
Amit Ashbel, Security Evangelist, Cognigo,  2/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-8955
PUBLISHED: 2019-02-21
In Tor before 0.3.3.12, 0.3.4.x before 0.3.4.11, 0.3.5.x before 0.3.5.8, and 0.4.x before 0.4.0.2-alpha, remote denial of service against Tor clients and relays can occur via memory exhaustion in the KIST cell scheduler.
CVE-2019-1698
PUBLISHED: 2019-02-21
A vulnerability in the web-based user interface of Cisco Internet of Things Field Network Director (IoT-FND) Software could allow an authenticated, remote attacker to gain read access to information that is stored on an affected system. The vulnerability is due to improper handling of XML External E...
CVE-2019-1700
PUBLISHED: 2019-02-21
A vulnerability in field-programmable gate array (FPGA) ingress buffer management for the Cisco Firepower 9000 Series with the Cisco Firepower 2-port 100G double-width network module (PID: FPR9K-DNM-2X100G) could allow an unauthenticated, adjacent attacker to cause a denial of service (DoS) conditio...
CVE-2019-6340
PUBLISHED: 2019-02-21
Some field types do not properly sanitize data from non-form sources in Drupal 8.5.x before 8.5.11 and Drupal 8.6.x before 8.6.10. This can lead to arbitrary PHP code execution in some cases. A site is only affected by this if one of the following conditions is met: The site has the Drupal 8 core RE...
CVE-2019-8996
PUBLISHED: 2019-02-21
In Signiant Manager+Agents before 13.5, the implementation of the set command has a Buffer Overflow.