Fraud Management & Cybercrime , Next-Generation Technologies & Secure Development , Ransomware

British Security Services Tie North Korea to WannaCry

As Lazarus Group Attacks, Experts Question Organizations' Security Readiness
British Security Services Tie North Korea to WannaCry
GCHQ headquarters in Cheltenham, England. (Source: GCHQ)

Britain's security services have concluded that the WannaCry ransomware outbreak was launched by individuals tied to North Korea, the BBC reports.

See Also: OnDemand | Adversary Analysis of Ransomware Trends

Citing unnamed British government security sources, the BBC reported Friday that the U.K.'s National Cyber Security Center, part of the GCHQ intelligence agency, believes that the Lazarus hacking group launched the attack.

GCHQ couldn't be immediately reached for comment on the report.

Security experts have long recommended taking such reports with a grain of salt. "Let's hope everyone treats any analysis with all the caveats applied: We wouldn't want a cyber dodgy dossier justifying some future action," says Alan Woodward, a professor of computer security who advises Europol, the EU's law enforcement intelligence agency, on cybersecurity matters.

Many security firms have already noted that there appear to be numerous links suggesting a connection between WannaCry and Lazarus (see Is WannaCry the First Nation-State Ransomware?).

Adrian Nish, head of the cyber-threat intelligence team at British defense contractor BAE, says there's significant overlap between WannaCry and code that's been previously tied to Lazarus attacks. "It seems to tie back to the same code base and the same authors," he tells the BBC. "The code overlaps are significant."

But there are also clues suggesting that the ransomware campaign - or at least aspects of it - were not run by North Korea (see WannaCry's Ransom Note: Great Chinese, Not-So-Hot Korean).

Still, an intelligence service's hack-attack attribution would likely be based not just on apparent technical links, but on much more extensive signals of intelligence or even human intelligence. U.S. officials, for example, said that level of intelligence was behind the U.S. government's attribution of the 2014 Sony Pictures Entertainment hack to "North Korea actors."

US-CERT Issues Hidden Cobra Alert

Britain's reported WannaCry attribution to Lazarus follows the U.S. Computer Emergency Response Team, part of the Department of Homeland Security, warning Thursday in a technical alert that North Korean hackers have been targeting U.S. media, aerospace, financial and critical infrastructure sectors since 2009. US-CERT's nickname for the hacker group involved is Hidden Cobra, which is synonymous with Lazarus, as well as DarkSeoul, the Guardians of Peace, Silent Chollima and Bureau 121 (see U.S. Government Warns of North Korean Hacking).

Also on Thursday, the Washington Post, citing unnamed sources, reported that the National Security Agency has "moderate confidence" that WannaCry is linked to North Korea.

In an ironic twist, WannaCry spread so quickly because it was combined with a worm designed to target a server messaging block flaw in Windows that was revealed when the shadowy group known as the Shadow Brokers leaked a related attack tool. That SMB-targeting attack tool, codenamed EternalBlue, has been ascribed to the Equation Group, which many security experts believe is the NSA's own hacking team.

The May 12 WannaCry outbreak was accidentally - but fortuitously - blunted by British security researcher Marcus Hutchins, aka @MalwareTechBlog, after he registered a nonsensical domain name that the ransomware was referencing to see if it was being run in a sandbox. Such tools are often used by security researchers to study how malware functions (see How WannaCry Survives).

Microsoft quietly patched the related SMB flaw for currently supported operating systems in March, and issued emergency patches for three unsupported operating systems - including Windows XP - on May 12.

Even so, WannaCry went on to infect more than 200,000 systems around the world, including numerous systems operated by Britain's National Health Service. The attacks also triggered political fallout, as NHS trusts and government ministers struggled to defend their IT spending decisions (see NHS Denies Widespread Windows XP Use).

Impetus: Unclear

The impetus for the WannaCry campaign remains unclear. Of course, a well-written piece of ransomware could generate appreciable profits. But security experts say that whoever wrote the code made numerous mistakes, suggesting that they were not cybercrime veterans (see Teardown: WannaCry Ransomware).

For example, the developer - or developers - attempted to assign a unique bitcoin address to each infection, which would have made it easier to track which victims paid a ransom, to furnish them with a decryption key. But due to a coding error, the ransomware reverted to displaying one of three hard-coded bitcoin addresses to victims. As a result, security experts said it would have been almost impossible to scale the ransomware to the point where it could have been used to generate significant income.

That's led some information security experts to suggest that whoever developed WannaCry may have accidentally lost control of it, because the SMB-targeting worm proved more effective than they suspected.

Lazarus Hacks

The reported attribution of WannaCry to Lazarus adds to a bevy of attacks allegedly launched by the group. For example, the FBI tied Lazarus to the devastating 2014 wiper malware attack - and doxing campaign - against Sony Pictures Entertainment. That followed devastating cyberattacks against South Korea in 2013, disrupting its banking system, that have also been attributed to Lazarus.

More recently, security firms have seen strong signs that the group is tied to last year's heist of $81 million from the central bank of Bangladesh's account at the Federal Reserve Bank of New York, perpetrated via fraudulent SWIFT interbank money-moving messages (see Kaspersky Links North Korean IP Address to Lazarus). Multiple security firms also say there's strong evidence that Lazarus has targeted other banks, including banks in Europe, with similar attacks.

Security firm Kaspersky Lab says that a Lazarus subgroup, which it calls Bluenoroff, runs expertly planned and executed hacking operations against banks and other targets, including individual traders and casinos.

The precise relationship between the Pyongyang-based government of North Korea - officially known as the Democratic People's Republic of Korea and led by Kim Jong-un - and Lazarus remains unclear.

But the Bangladesh Bank heist originally targeted nearly $1 billion. For a country that in the words of the CIA "faces chronic economic problems," and which in 2015 had an estimated GDP of just $40 billion, the proceeds from the bank heist could have provided a much-needed boost.

After Attribution, What's Next?

While it can be interesting to attribute attacks to specific actors, security experts have long cautioned that attribution only serves diplomatic interests. In other words, it's up to governments to pursue offenders, via law enforcement and intelligence agencies, as well as to apply pressure at a diplomatic level.

From an awareness standpoint, however, the attribution of WannaCry to North Korea serves as a reminder that organizations are at risk not just from cybercrime groups, mercenaries and opportunistic nation states, but also potentially groups that combine aspects of all three.

Whatever the identity or impetus of the attacker, however, the next question must be: Are organizations prepared?

Security experts say that by and large, the answer is too often negative.

Matthieu Suiche, managing director of Dubai-based incident-response firm Comae Technologies, says it's a virtual certainty that many organizations in Africa, the Middle East and Asia, and especially central banks in Africa, would be unable to fend off a targeted hack attack or resist a ransomware campaign launched by the likes of Lazarus.

Whether WannaCry - and warnings of long-term campaigns being waged by North Korean hackers - serves as a wakeup call for those organizations, however, remains to be seen.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.