Threat Intelligence

05:30 PM
Connect Directly

WannaCry: The North Korea Debate

Researchers split over whether an infamous North Korean hacking group, an affiliate, or another attacker altogether, is behind the epic ransomware worm.

Symantec this week doubled down on its theory that the epic WannaCry ransomware worm was the handiwork of hackers out of North Korea, but some security experts dismiss any connection to the DPRK.

WannaCry, which infected some 230,000 machines in 150 countries yet generated only about $110,000 in ransom since its launch on May 12, according to data from Trend Micro, was more of a loud wakeup call about the potential for a ransomware epidemic than it was a massive event. Though hospitals in the UK were the initial high-profile victims of the attacks and nations such as Russia suffered the brunt of the infections, overall, WannaCry's rapid-fire worm ultimately fizzled.

Attribution, especially with nation-state actors, is always a dicey practice: these attackers tend to be masters of disguise and false flags. But North Korea's nation-state cyber operations became a possible suspect in WannaCry early last week when famed Google researcher Neel Mehta, and then Kaspersky Lab, Symantec, and BAE, voiced strong suspicions of a link to the infamous North Korean Lazarus Group after spotting the conspicuous use of Lazarus code in WannaCry.

Researchers from Symantec now say they have more evidence that the North Korean Lazarus Group launched WannaCry, but with the caveat that the attack campaign was not a North Korea government-sponsored campaign. Other security firms, including Kaspersky Lab, still point at ties with the Lazarus Group, which was behind the massive 2014 breach of Sony Pictures. FireEye has "moderate confidence" that the attackers behind WannaCry are North Korean, notes John Hultquist, manager of the cybersecurity analysis team at FireEye.

Researchers traced a link between WannaCry and the Lazarus Group back to a February 2017 WannaCry cryptor sample that very closely resembles a malware sample from the Lazarus Group two years before.

Vikram Thakur, principal researcher manager at Symantec, says researchers at his firm studied further the technical crumbs from that earlier, non-worm outbreak of WannaCry as well as the recent worm-spread attack; they found enough overlap between the tools and code used to tie together the attack groups. "There's a decent amount of code overlap we see that can't be duplicated by copycats. It would require someone with access to the original source code, along with the Lazarus tools," Thakur says.

But the attackers didn't run WannaCry like a full-blown nation-state campaign, according to Symantec. "We don't believe WannaCry was the work of a nation-state," Thakur says. WannaCry didn't target the usual nation-state victims, nor did it operate as smoothly and effectively as a nation-state attack.

"They had buggy code on May 12," which was fixed 13 hours later, he says, and they weren't targeting intellectual property nor did they have a sustainable or effective monetization channel.

So how could it both be the Lazarus Group yet not the North Korean government? The attackers could have been a rogue element of the Lazarus Group trying to make some money, for example, or a defector from the group that still had access to the source code, Thakur suggests. North Korea's Lazarus hacking group has not targeted regular Internet users in the past: "They've gone after organizations, or intellectual property," he says. "That's the reason that the likelihood of it being a nation-state attack is very, very low."

Symantec points to three pieces of malware discovered on WannaCry victim machines that are linked to Lazarus: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks. The big "'a-ha' moment," Thakur says, was connecting the dots between the malware used to plant WannaCry.

"We had a tool responsible for putting WannaCry on the machine, and that tool had similarities with Lazarus," the so-called Alphanc Trojan used to spread WannaCry in the March and April attacks, he notes. It's also a morphed version of a Lazarus tool calledBackdoor.Duuzer.

Another Trojan, Bravonc, uses the same IP addresses for its command-and-control as Duuzer and Destover, and has common code obfuscation methods as WannaCry and another Lazarus tool. Symantec also found shared code in WannaCry and a Lazarus backdoor called Contopee.

Even with Symantec's newly discovered clues, not all security firms are sold on the North Korea connection. Mike Oppenheim, global research lead with IBM X-Force IRIS, says while they're is indeed code overlap between WannaCry and the Lazarus Group's backdoor malware, that's not enough to confirm a connection right now. "More evidence beyond this single piece of data will be required before attribution is possible," he says. "The Lazarus Group malware has been widely discussed and publicized in recent years and it is possible that whoever is responsible for WannaCry had access to the same source code."

Ross Rustici, senior manager of intelligence research at Cybereason and an East Asia expert, says a more likely scenario is a wanna-be cybercriminal behind WannaCry. "It's plausible you had an aspiring cybercriminal start pulling at tools, and came across the Lazarus SMB worm" used in the Sony attack, he says. "They propagated the worm with the code, but didn't think through the implications of what that would do."

He doesn't believe it's North Korea because news of the ransomware attacks overshadowed North Korea's missile launch that following weekend. "That's out of cycle from a messaging standpoint," Rustici says. And a splinter group or rogue actor in North Korea would be taking a huge risk of physical harm because the nation keeps close tabs on its cyber program and people, according to Rustici.

"WannaCry was sloppy" and used poor coding infrastructure, he says. "The way they decrypted was amateurish and it doesn't have the hallmarks and tactics of professional hackers."

The problem with attribution is that it requires more than malware connections, says John Bambenek, manager of threat intelligence systems for Fidelis Cybersecurity. "It could be DPRK, or it could be Shadow Brokers, or a close associate, who wants to make it look like them. They were good enough to steal the Equation Group tools; surely they can mix in some Lazarus tools just for fun," he says.

WannaCry for a Long Time

WannaCry is the gift that keeps on giving: like any mass malware epidemic, infected machines will remain so for months and possibly years. The payload-less Conficker worm from 2008 is a prime example of how old malware dies hard: it's still spreading and living on Windows machines around the globe.

The attackers behind WannaCry have been spotted trying to resurrect it, and copycats and new variants are exploding. Security firm Trustlook has identified 386 different malware samples that contain the WannaCry ransomware.

The good news, of course, is that it was nowhere near as destructive as it could have been, and it served as a wakeup call for organizations worldwide. More than 95% of all of the infected machines were running Windows 7, according to Kaspersky Lab data.

Meantime, while some researchers drill down into the code to find clues of the attackers, other security experts maintain that it's more about the cleanup and lessons learned from WannaCry than who unleashed it.

"It's going to be an enigma for a long time," Cybereason's Rustici says. "We're not likely to have really solid answers in attribution near-term that's a smoking gun. It's going to stay a mystery for a while."

Related Content:

Kelly Jackson Higgins is Executive Editor at She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
New Free Tool Scans for Chrome Extension Safety
Dark Reading Staff 2/21/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-02-22
A Path Traversal vulnerability was discovered in MOPCMS through 2018-11-30, leading to deletion of unexpected critical files. The exploitation point is in the "column management" function. The path added to the column is not verified. When a column is deleted by an attacker, the correspond...
PUBLISHED: 2019-02-22
An XSS vulnerability was discovered in MOPCMS through 2018-11-30. There is persistent XSS that allows remote attackers to inject arbitrary web script or HTML via the form[name] parameter in a mod=column request, as demonstrated by the /mopcms/X0AZgf(index).php?mod=column&ac=list&menuid=28&am...
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.2, kernel/sched/fair.c mishandles leaf cfs_rq's, which allows attackers to cause a denial of service (infinite loop in update_blocked_averages) or possibly have unspecified other impact by inducing a high load.
PUBLISHED: 2019-02-22
In the Linux kernel before 4.20.5, attackers can trigger a drivers/char/ipmi/ipmi_msghandler.c use-after-free and OOPS by arranging for certain simultaneous execution of the code, as demonstrated by a "service ipmievd restart" loop.
PUBLISHED: 2019-02-22
In Eclipse Wakaama (formerly liblwm2m) 1.0, core/er-coap-13/er-coap-13.c in lwm2mserver in the LWM2M server mishandles invalid options, leading to a memory leak. Processing of a single crafted packet leads to leaking (wasting) 24 bytes of memory. This can lead to termination of the LWM2M server afte...