Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

05:30 PM
Connect Directly

WannaCry: The North Korea Debate

Researchers split over whether an infamous North Korean hacking group, an affiliate, or another attacker altogether, is behind the epic ransomware worm.

Symantec this week doubled down on its theory that the epic WannaCry ransomware worm was the handiwork of hackers out of North Korea, but some security experts dismiss any connection to the DPRK.

WannaCry, which infected some 230,000 machines in 150 countries yet generated only about $110,000 in ransom since its launch on May 12, according to data from Trend Micro, was more of a loud wakeup call about the potential for a ransomware epidemic than it was a massive event. Though hospitals in the UK were the initial high-profile victims of the attacks and nations such as Russia suffered the brunt of the infections, overall, WannaCry's rapid-fire worm ultimately fizzled.

Attribution, especially with nation-state actors, is always a dicey practice: these attackers tend to be masters of disguise and false flags. But North Korea's nation-state cyber operations became a possible suspect in WannaCry early last week when famed Google researcher Neel Mehta, and then Kaspersky Lab, Symantec, and BAE, voiced strong suspicions of a link to the infamous North Korean Lazarus Group after spotting the conspicuous use of Lazarus code in WannaCry.

Researchers from Symantec now say they have more evidence that the North Korean Lazarus Group launched WannaCry, but with the caveat that the attack campaign was not a North Korea government-sponsored campaign. Other security firms, including Kaspersky Lab, still point at ties with the Lazarus Group, which was behind the massive 2014 breach of Sony Pictures. FireEye has "moderate confidence" that the attackers behind WannaCry are North Korean, notes John Hultquist, manager of the cybersecurity analysis team at FireEye.

Researchers traced a link between WannaCry and the Lazarus Group back to a February 2017 WannaCry cryptor sample that very closely resembles a malware sample from the Lazarus Group two years before.

Vikram Thakur, principal researcher manager at Symantec, says researchers at his firm studied further the technical crumbs from that earlier, non-worm outbreak of WannaCry as well as the recent worm-spread attack; they found enough overlap between the tools and code used to tie together the attack groups. "There's a decent amount of code overlap we see that can't be duplicated by copycats. It would require someone with access to the original source code, along with the Lazarus tools," Thakur says.

But the attackers didn't run WannaCry like a full-blown nation-state campaign, according to Symantec. "We don't believe WannaCry was the work of a nation-state," Thakur says. WannaCry didn't target the usual nation-state victims, nor did it operate as smoothly and effectively as a nation-state attack.

"They had buggy code on May 12," which was fixed 13 hours later, he says, and they weren't targeting intellectual property nor did they have a sustainable or effective monetization channel.

So how could it both be the Lazarus Group yet not the North Korean government? The attackers could have been a rogue element of the Lazarus Group trying to make some money, for example, or a defector from the group that still had access to the source code, Thakur suggests. North Korea's Lazarus hacking group has not targeted regular Internet users in the past: "They've gone after organizations, or intellectual property," he says. "That's the reason that the likelihood of it being a nation-state attack is very, very low."

Symantec points to three pieces of malware discovered on WannaCry victim machines that are linked to Lazarus: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks. The big "'a-ha' moment," Thakur says, was connecting the dots between the malware used to plant WannaCry.

"We had a tool responsible for putting WannaCry on the machine, and that tool had similarities with Lazarus," the so-called Alphanc Trojan used to spread WannaCry in the March and April attacks, he notes. It's also a morphed version of a Lazarus tool calledBackdoor.Duuzer.

Another Trojan, Bravonc, uses the same IP addresses for its command-and-control as Duuzer and Destover, and has common code obfuscation methods as WannaCry and another Lazarus tool. Symantec also found shared code in WannaCry and a Lazarus backdoor called Contopee.

Even with Symantec's newly discovered clues, not all security firms are sold on the North Korea connection. Mike Oppenheim, global research lead with IBM X-Force IRIS, says while they're is indeed code overlap between WannaCry and the Lazarus Group's backdoor malware, that's not enough to confirm a connection right now. "More evidence beyond this single piece of data will be required before attribution is possible," he says. "The Lazarus Group malware has been widely discussed and publicized in recent years and it is possible that whoever is responsible for WannaCry had access to the same source code."

Ross Rustici, senior manager of intelligence research at Cybereason and an East Asia expert, says a more likely scenario is a wanna-be cybercriminal behind WannaCry. "It's plausible you had an aspiring cybercriminal start pulling at tools, and came across the Lazarus SMB worm" used in the Sony attack, he says. "They propagated the worm with the code, but didn't think through the implications of what that would do."

He doesn't believe it's North Korea because news of the ransomware attacks overshadowed North Korea's missile launch that following weekend. "That's out of cycle from a messaging standpoint," Rustici says. And a splinter group or rogue actor in North Korea would be taking a huge risk of physical harm because the nation keeps close tabs on its cyber program and people, according to Rustici.

"WannaCry was sloppy" and used poor coding infrastructure, he says. "The way they decrypted was amateurish and it doesn't have the hallmarks and tactics of professional hackers."

The problem with attribution is that it requires more than malware connections, says John Bambenek, manager of threat intelligence systems for Fidelis Cybersecurity. "It could be DPRK, or it could be Shadow Brokers, or a close associate, who wants to make it look like them. They were good enough to steal the Equation Group tools; surely they can mix in some Lazarus tools just for fun," he says.

WannaCry for a Long Time

WannaCry is the gift that keeps on giving: like any mass malware epidemic, infected machines will remain so for months and possibly years. The payload-less Conficker worm from 2008 is a prime example of how old malware dies hard: it's still spreading and living on Windows machines around the globe.

The attackers behind WannaCry have been spotted trying to resurrect it, and copycats and new variants are exploding. Security firm Trustlook has identified 386 different malware samples that contain the WannaCry ransomware.

The good news, of course, is that it was nowhere near as destructive as it could have been, and it served as a wakeup call for organizations worldwide. More than 95% of all of the infected machines were running Windows 7, according to Kaspersky Lab data.

Meantime, while some researchers drill down into the code to find clues of the attackers, other security experts maintain that it's more about the cleanup and lessons learned from WannaCry than who unleashed it.

"It's going to be an enigma for a long time," Cybereason's Rustici says. "We're not likely to have really solid answers in attribution near-term that's a smoking gun. It's going to stay a mystery for a while."

Related Content:

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
How SolarWinds Busted Up Our Assumptions About Code Signing
Dr. Jethro Beekman, Technical Director,  3/3/2021
'ObliqueRAT' Now Hides Behind Images on Compromised Websites
Jai Vijayan, Contributing Writer,  3/2/2021
Attackers Turn Struggling Software Projects Into Trojan Horses
Robert Lemos, Contributing Writer,  2/26/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: George has not accepted that the technology age has come to an end.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-03-06
Wazuh API in Wazuh from 4.0.0 to 4.0.3 allows authenticated users to execute arbitrary code with administrative privileges via /manager/files URI. An authenticated user to the service may exploit incomplete input validation on the /manager/files API to inject arbitrary code within the API service sc...
PUBLISHED: 2021-03-05
The Blog module in Kentico CMS 5.5 R2 build 5.5.3996 allows SQL injection via the tagname parameter.
PUBLISHED: 2021-03-05
Deutsche Post Mailoptimizer 4.3 before 2020-11-09 allows Directory Traversal via a crafted ZIP archive to the Upload feature or the MO Connect component. This can lead to remote code execution.
PUBLISHED: 2021-03-05
ssh-agent in OpenSSH before 8.5 has a double free that may be relevant in a few less-common scenarios, such as unconstrained agent-socket access on a legacy operating system, or the forwarding of an agent to an attacker-controlled host.
PUBLISHED: 2021-03-05
The npm package ansi_up converts ANSI escape codes into HTML. In ansi_up v4, ANSI escape codes can be used to create HTML hyperlinks. Due to insufficient URL sanitization, this feature is affected by a cross-site scripting (XSS) vulnerability. This issue is fixed in v5.0.0.