Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

5/24/2017
05:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

WannaCry: The North Korea Debate

Researchers split over whether an infamous North Korean hacking group, an affiliate, or another attacker altogether, is behind the epic ransomware worm.

Symantec this week doubled down on its theory that the epic WannaCry ransomware worm was the handiwork of hackers out of North Korea, but some security experts dismiss any connection to the DPRK.

WannaCry, which infected some 230,000 machines in 150 countries yet generated only about $110,000 in ransom since its launch on May 12, according to data from Trend Micro, was more of a loud wakeup call about the potential for a ransomware epidemic than it was a massive event. Though hospitals in the UK were the initial high-profile victims of the attacks and nations such as Russia suffered the brunt of the infections, overall, WannaCry's rapid-fire worm ultimately fizzled.

Attribution, especially with nation-state actors, is always a dicey practice: these attackers tend to be masters of disguise and false flags. But North Korea's nation-state cyber operations became a possible suspect in WannaCry early last week when famed Google researcher Neel Mehta, and then Kaspersky Lab, Symantec, and BAE, voiced strong suspicions of a link to the infamous North Korean Lazarus Group after spotting the conspicuous use of Lazarus code in WannaCry.

Researchers from Symantec now say they have more evidence that the North Korean Lazarus Group launched WannaCry, but with the caveat that the attack campaign was not a North Korea government-sponsored campaign. Other security firms, including Kaspersky Lab, still point at ties with the Lazarus Group, which was behind the massive 2014 breach of Sony Pictures. FireEye has "moderate confidence" that the attackers behind WannaCry are North Korean, notes John Hultquist, manager of the cybersecurity analysis team at FireEye.

Researchers traced a link between WannaCry and the Lazarus Group back to a February 2017 WannaCry cryptor sample that very closely resembles a malware sample from the Lazarus Group two years before.

Vikram Thakur, principal researcher manager at Symantec, says researchers at his firm studied further the technical crumbs from that earlier, non-worm outbreak of WannaCry as well as the recent worm-spread attack; they found enough overlap between the tools and code used to tie together the attack groups. "There's a decent amount of code overlap we see that can't be duplicated by copycats. It would require someone with access to the original source code, along with the Lazarus tools," Thakur says.

But the attackers didn't run WannaCry like a full-blown nation-state campaign, according to Symantec. "We don't believe WannaCry was the work of a nation-state," Thakur says. WannaCry didn't target the usual nation-state victims, nor did it operate as smoothly and effectively as a nation-state attack.

"They had buggy code on May 12," which was fixed 13 hours later, he says, and they weren't targeting intellectual property nor did they have a sustainable or effective monetization channel.

So how could it both be the Lazarus Group yet not the North Korean government? The attackers could have been a rogue element of the Lazarus Group trying to make some money, for example, or a defector from the group that still had access to the source code, Thakur suggests. North Korea's Lazarus hacking group has not targeted regular Internet users in the past: "They've gone after organizations, or intellectual property," he says. "That's the reason that the likelihood of it being a nation-state attack is very, very low."

Symantec points to three pieces of malware discovered on WannaCry victim machines that are linked to Lazarus: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks. The big "'a-ha' moment," Thakur says, was connecting the dots between the malware used to plant WannaCry.

"We had a tool responsible for putting WannaCry on the machine, and that tool had similarities with Lazarus," the so-called Alphanc Trojan used to spread WannaCry in the March and April attacks, he notes. It's also a morphed version of a Lazarus tool calledBackdoor.Duuzer.

Another Trojan, Bravonc, uses the same IP addresses for its command-and-control as Duuzer and Destover, and has common code obfuscation methods as WannaCry and another Lazarus tool. Symantec also found shared code in WannaCry and a Lazarus backdoor called Contopee.

Even with Symantec's newly discovered clues, not all security firms are sold on the North Korea connection. Mike Oppenheim, global research lead with IBM X-Force IRIS, says while they're is indeed code overlap between WannaCry and the Lazarus Group's backdoor malware, that's not enough to confirm a connection right now. "More evidence beyond this single piece of data will be required before attribution is possible," he says. "The Lazarus Group malware has been widely discussed and publicized in recent years and it is possible that whoever is responsible for WannaCry had access to the same source code."

Ross Rustici, senior manager of intelligence research at Cybereason and an East Asia expert, says a more likely scenario is a wanna-be cybercriminal behind WannaCry. "It's plausible you had an aspiring cybercriminal start pulling at tools, and came across the Lazarus SMB worm" used in the Sony attack, he says. "They propagated the worm with the code, but didn't think through the implications of what that would do."

He doesn't believe it's North Korea because news of the ransomware attacks overshadowed North Korea's missile launch that following weekend. "That's out of cycle from a messaging standpoint," Rustici says. And a splinter group or rogue actor in North Korea would be taking a huge risk of physical harm because the nation keeps close tabs on its cyber program and people, according to Rustici.

"WannaCry was sloppy" and used poor coding infrastructure, he says. "The way they decrypted was amateurish and it doesn't have the hallmarks and tactics of professional hackers."

The problem with attribution is that it requires more than malware connections, says John Bambenek, manager of threat intelligence systems for Fidelis Cybersecurity. "It could be DPRK, or it could be Shadow Brokers, or a close associate, who wants to make it look like them. They were good enough to steal the Equation Group tools; surely they can mix in some Lazarus tools just for fun," he says.

WannaCry for a Long Time

WannaCry is the gift that keeps on giving: like any mass malware epidemic, infected machines will remain so for months and possibly years. The payload-less Conficker worm from 2008 is a prime example of how old malware dies hard: it's still spreading and living on Windows machines around the globe.

The attackers behind WannaCry have been spotted trying to resurrect it, and copycats and new variants are exploding. Security firm Trustlook has identified 386 different malware samples that contain the WannaCry ransomware.

The good news, of course, is that it was nowhere near as destructive as it could have been, and it served as a wakeup call for organizations worldwide. More than 95% of all of the infected machines were running Windows 7, according to Kaspersky Lab data.

Meantime, while some researchers drill down into the code to find clues of the attackers, other security experts maintain that it's more about the cleanup and lessons learned from WannaCry than who unleashed it.

"It's going to be an enigma for a long time," Cybereason's Rustici says. "We're not likely to have really solid answers in attribution near-term that's a smoking gun. It's going to stay a mystery for a while."

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
A Realistic Threat Model for the Masses
Lysa Myers, Security Researcher, ESET,  10/9/2019
USB Drive Security Still Lags
Dark Reading Staff 10/9/2019
Virginia a Hot Spot For Cybersecurity Jobs
Jai Vijayan, Contributing Writer,  10/9/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
2019 Online Malware and Threats
2019 Online Malware and Threats
As cyberattacks become more frequent and more sophisticated, enterprise security teams are under unprecedented pressure to respond. Is your organization ready?
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-14832
PUBLISHED: 2019-10-15
A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks.
CVE-2017-10022
PUBLISHED: 2019-10-15
In haml versions prior to version 5.0.0.beta.2, when using user input to perform tasks on the server, characters like < > " ' must be escaped properly. In this case, the ' character was missed. An attacker can manipulate the input to introduce additional attributes, potentially executing ...
CVE-2019-10759
PUBLISHED: 2019-10-15
safer-eval before 1.3.4 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-10760
PUBLISHED: 2019-10-15
safer-eval before 1.3.2 are vulnerable to Arbitrary Code Execution. A payload using constructor properties can escape the sandbox and execute arbitrary code.
CVE-2019-17397
PUBLISHED: 2019-10-15
In the DoorDash application through 11.5.2 for Android, the username and password are stored in the log during authentication, and may be available to attackers via logcat.