Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:30 PM
Connect Directly

WannaCry: The North Korea Debate

Researchers split over whether an infamous North Korean hacking group, an affiliate, or another attacker altogether, is behind the epic ransomware worm.

Symantec this week doubled down on its theory that the epic WannaCry ransomware worm was the handiwork of hackers out of North Korea, but some security experts dismiss any connection to the DPRK.

WannaCry, which infected some 230,000 machines in 150 countries yet generated only about $110,000 in ransom since its launch on May 12, according to data from Trend Micro, was more of a loud wakeup call about the potential for a ransomware epidemic than it was a massive event. Though hospitals in the UK were the initial high-profile victims of the attacks and nations such as Russia suffered the brunt of the infections, overall, WannaCry's rapid-fire worm ultimately fizzled.

Attribution, especially with nation-state actors, is always a dicey practice: these attackers tend to be masters of disguise and false flags. But North Korea's nation-state cyber operations became a possible suspect in WannaCry early last week when famed Google researcher Neel Mehta, and then Kaspersky Lab, Symantec, and BAE, voiced strong suspicions of a link to the infamous North Korean Lazarus Group after spotting the conspicuous use of Lazarus code in WannaCry.

Researchers from Symantec now say they have more evidence that the North Korean Lazarus Group launched WannaCry, but with the caveat that the attack campaign was not a North Korea government-sponsored campaign. Other security firms, including Kaspersky Lab, still point at ties with the Lazarus Group, which was behind the massive 2014 breach of Sony Pictures. FireEye has "moderate confidence" that the attackers behind WannaCry are North Korean, notes John Hultquist, manager of the cybersecurity analysis team at FireEye.

Researchers traced a link between WannaCry and the Lazarus Group back to a February 2017 WannaCry cryptor sample that very closely resembles a malware sample from the Lazarus Group two years before.

Vikram Thakur, principal researcher manager at Symantec, says researchers at his firm studied further the technical crumbs from that earlier, non-worm outbreak of WannaCry as well as the recent worm-spread attack; they found enough overlap between the tools and code used to tie together the attack groups. "There's a decent amount of code overlap we see that can't be duplicated by copycats. It would require someone with access to the original source code, along with the Lazarus tools," Thakur says.

But the attackers didn't run WannaCry like a full-blown nation-state campaign, according to Symantec. "We don't believe WannaCry was the work of a nation-state," Thakur says. WannaCry didn't target the usual nation-state victims, nor did it operate as smoothly and effectively as a nation-state attack.

"They had buggy code on May 12," which was fixed 13 hours later, he says, and they weren't targeting intellectual property nor did they have a sustainable or effective monetization channel.

So how could it both be the Lazarus Group yet not the North Korean government? The attackers could have been a rogue element of the Lazarus Group trying to make some money, for example, or a defector from the group that still had access to the source code, Thakur suggests. North Korea's Lazarus hacking group has not targeted regular Internet users in the past: "They've gone after organizations, or intellectual property," he says. "That's the reason that the likelihood of it being a nation-state attack is very, very low."

Symantec points to three pieces of malware discovered on WannaCry victim machines that are linked to Lazarus: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks. The big "'a-ha' moment," Thakur says, was connecting the dots between the malware used to plant WannaCry.

"We had a tool responsible for putting WannaCry on the machine, and that tool had similarities with Lazarus," the so-called Alphanc Trojan used to spread WannaCry in the March and April attacks, he notes. It's also a morphed version of a Lazarus tool calledBackdoor.Duuzer.

Another Trojan, Bravonc, uses the same IP addresses for its command-and-control as Duuzer and Destover, and has common code obfuscation methods as WannaCry and another Lazarus tool. Symantec also found shared code in WannaCry and a Lazarus backdoor called Contopee.

Even with Symantec's newly discovered clues, not all security firms are sold on the North Korea connection. Mike Oppenheim, global research lead with IBM X-Force IRIS, says while they're is indeed code overlap between WannaCry and the Lazarus Group's backdoor malware, that's not enough to confirm a connection right now. "More evidence beyond this single piece of data will be required before attribution is possible," he says. "The Lazarus Group malware has been widely discussed and publicized in recent years and it is possible that whoever is responsible for WannaCry had access to the same source code."

Ross Rustici, senior manager of intelligence research at Cybereason and an East Asia expert, says a more likely scenario is a wanna-be cybercriminal behind WannaCry. "It's plausible you had an aspiring cybercriminal start pulling at tools, and came across the Lazarus SMB worm" used in the Sony attack, he says. "They propagated the worm with the code, but didn't think through the implications of what that would do."

He doesn't believe it's North Korea because news of the ransomware attacks overshadowed North Korea's missile launch that following weekend. "That's out of cycle from a messaging standpoint," Rustici says. And a splinter group or rogue actor in North Korea would be taking a huge risk of physical harm because the nation keeps close tabs on its cyber program and people, according to Rustici.

"WannaCry was sloppy" and used poor coding infrastructure, he says. "The way they decrypted was amateurish and it doesn't have the hallmarks and tactics of professional hackers."

The problem with attribution is that it requires more than malware connections, says John Bambenek, manager of threat intelligence systems for Fidelis Cybersecurity. "It could be DPRK, or it could be Shadow Brokers, or a close associate, who wants to make it look like them. They were good enough to steal the Equation Group tools; surely they can mix in some Lazarus tools just for fun," he says.

WannaCry for a Long Time

WannaCry is the gift that keeps on giving: like any mass malware epidemic, infected machines will remain so for months and possibly years. The payload-less Conficker worm from 2008 is a prime example of how old malware dies hard: it's still spreading and living on Windows machines around the globe.

The attackers behind WannaCry have been spotted trying to resurrect it, and copycats and new variants are exploding. Security firm Trustlook has identified 386 different malware samples that contain the WannaCry ransomware.

The good news, of course, is that it was nowhere near as destructive as it could have been, and it served as a wakeup call for organizations worldwide. More than 95% of all of the infected machines were running Windows 7, according to Kaspersky Lab data.

Meantime, while some researchers drill down into the code to find clues of the attackers, other security experts maintain that it's more about the cleanup and lessons learned from WannaCry than who unleashed it.

"It's going to be an enigma for a long time," Cybereason's Rustici says. "We're not likely to have really solid answers in attribution near-term that's a smoking gun. It's going to stay a mystery for a while."

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-20
An unsafe deserialization vulnerability in Bridgecrew Checkov by Prisma Cloud allows arbitrary code execution when processing a malicious terraform file. This issue impacts Checkov 2.0 versions earlier than Checkov 2.0.26. Checkov 1.0 versions are not impacted.
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where secrets in PAN-OS XML API requests are logged in cleartext to the web server logs when the API is used incorrectly. This vulnerability applies only to PAN-OS appliances that are configured to us...
PUBLISHED: 2021-04-20
An information exposure through log file vulnerability exists in Palo Alto Networks PAN-OS software where the connection details for a scheduled configuration export are logged in system logs. Logged information includes the cleartext username, password, and IP address used to export the PAN-OS conf...
PUBLISHED: 2021-04-20
A denial-of-service (DoS) vulnerability in Palo Alto Networks GlobalProtect app on Windows systems allows a limited Windows user to send specifically-crafted input to the GlobalProtect app that results in a Windows blue screen of death (BSOD) error. This issue impacts: GlobalProtect app 5.1 versions...
PUBLISHED: 2021-04-19
An out-of-bounds (OOB) memory access flaw was found in fs/f2fs/node.c in the f2fs module in the Linux kernel in versions before 5.12.0-rc4. A bounds check failure allows a local attacker to gain access to out-of-bounds memory leading to a system crash or a leak of internal kernel information. The hi...