Euro Security Watch with Mathew J. Schwartz

Fraud Management & Cybercrime , Governance & Risk Management , Next-Generation Technologies & Secure Development

WannaCry 'Link' to North Korea Remains Tenuous

Avoid the Cyber Attribution Follies: Stay Skeptical; Don't Fear the Bogeyman
WannaCry 'Link' to North Korea Remains Tenuous

In recent days, there's been a semantic shift in media discussions about the WannaCry ransomware campaign.

See Also: 5 Requirements for Modern DLP

A number of news organizations have run headlines suggesting that there's a "link" between the global ransomware campaign and the hacking team known as Lazarus. That hacking group has been previously linked to North Korea, especially in regard to the hack attack against Sony Pictures Entertainment.

Some media outlets have also reported that security firms are "increasingly confident" that the Democratic People's Republic of Korea is connected to WannaCry.

Polite and periodic reminder: Attribution remains very, very difficult. Beware of confirmation bias. And stay skeptical until overwhelming evidence either proves or disproves any supposed connection.

In fact, much of the evidence points to an amateurish campaign run by "a less than experienced malware developer," Alan Woodward, a computer science professor at the University of Surrey and cybersecurity adviser to Europol, the EU's law enforcement intelligence agency, says in a blog post.

Related signs include attack code that appears to have been cut and pasted from open source code, shared via GitHub, that was designed to help enterprises ascertain if they were vulnerable to the Windows SMB-targeting EternalBlue exploit. The ransomware operation's inability to easily scale is also a sign that this was likely a first attempt by whoever was behind it.

So far, no evidence proves - without a doubt - that North Korea or individuals operating on its behalf launched the WannaCry ransomware.

"Whilst I wouldn't put it past that regime to mount any form of attack, I've been very surprised at the certainty with which the attacks are being attributed to North Korea: The evidence is tenuous, and the attribution seems to ignore other evidence that appears to point elsewhere," Woodward says. "We seem to have created a new bogeyman in the form of the infamous North Korean Unit 180 - who are doubtlessly up to no good - but by settling for them as the culprits of this attack, there is a danger that we might stop looking and the real criminals might slink off into the dark."

Clues in Code: So Far, Inconclusive

Analysis by Matt Suiche, a security researcher who's part of incident response firm Comae Technologies in Dubai, has confirmed similarities between WannaCry and previous attack code attributed to the Lazarus group called Contopee. The similarities were first spotted by Google researcher Neel Mehta.

Based in part on that work, Symantec reports that it sees "substantial commonalities in the tools, techniques and infrastructure used by the attackers and those seen in previous Lazarus attacks."

Security firm Kaspersky Lab, meanwhile, has asked if the code reuse is a "missing link" between WannaCry and Lazarus, but says "more research is required" before that suggestion might be proved.

But code reuse proves nothing - and could even be a false flag operation designed to make Lazarus look responsible for this attack, as Kaspersky Lab notes.

Amateur Hour

Many security experts have highlighted aspects of the WannaCry campaign that bespeak inexperienced attackers. For starters, the ransomware includes a kludgy check - likely a sandbox evasion tool to foil security researchers - that inadvertently worked as a kill switch, blunting the outbreak.

"This oversight points to the amateur nature of the initial attack and would imply that if a DPRK actor did conduct this attack, they were not operating at the level normally associated with these groups," according to a report from security firm Cybereason.

The attack code was supposed to generate a new bitcoin wallet address for each victim to make it easier to see who had paid. But the code failed, and the ransomware defaulted to three hardcoded bitcoin addresses instead. In addition, security experts began warning that victims who paid may not have received bitcoins. If this had been a typical North Korean operation, the attackers most likely would have taken to social media channels to reassure victims.

The ransomware also didn't include the ability to automatically share a decryption key with anyone who paid. That means they've had to manually verify payments and generate decryption codes. "The success of ransomware has taught criminals that this process needs to be automated," Woodward says. Time is money.

Lazarus Group: Professional Hackers

Sloppiness is not a hallmark of cyberattacks attributed to the Lazarus group, which successfully hacked into Sony Pictures Entertainment and wiped hard drives, but not before stealing gigabytes of related data. That data was then leaked in an attempt to cause maximum reputational damage to the company.

Security experts say it's also extremely likely that North Korea authorized the February 2016 hack of Bangladesh Bank's account at the Federal Reserve Bank of New York. The Department of Justice is reportedly also prepping charges against Chinese middlemen in the attack who have ties to North Korea.

If that heist had gone completely to plan, the perpetrators would have walked away with $951 million. That's the equivalent of one-fortieth of impoverished North Korea's 2014 estimated gross domestic product, or one-quarter of the $4 billion stored in overseas bank accounts that South Korean intelligence agencies estimate leader Kim Jong-un inherited from his father, Kim Jong-il.

Meager Bitcoin Haul

Meanwhile, as the operational security expert known as the Grugq notes, WannaCry has just netted its 50th bitcoin, thanks to victims paying the ransom, which starts at $300 and doubles to $600 in seven days, if victims haven't paid. At the cryptocurrency's skyrocketing value, that means victims have paid the equivalent of just $133,000 so far.

That's a fraction of what the world's most successful cybercrime operations would expect to earn via malware or ransomware attacks (see Reports: Hackers Steal $31 Million from Russia's Central Bank).

WannaCry also caused scattershot damage and likely angered governments that attackers might ideally have avoided. Many British hospitals - and likely some in Australia too - were knocked offline. Russia's Interior Ministry, mobile operator MegaFon and the state rail monopoly, Russian Railways, all reported infections, as did the country's postal service, which remains partially disrupted, Reuters reports. In China, almost 30,000 organizations were affected.

Heatmap of WannaCry version 2 infections. Source: Symantec

It's unclear if the attackers will ever get to spend those bitcoins. Intelligence and law enforcement agencies have been developing advanced tools to help them watch how cryptocurrency moves, especially when it gets converted to cash (see Tougher to Use Bitcoin for Crime?).

No doubt multiple intelligence agencies are now hunting the perpetrators.

Connect the Dots

Until government agencies weigh in on the WannaCry perpetrators' identity, everything remains guesswork.

So far, however, Woodward sees multiple possibilities. One is that the Lazarus group - likely without North Korea's backing - was behind WannaCry. Another theory: The attack was the work of "some group of script kiddies who tried to cobble together the WannaCry payload with the EternalBlue worm and ended up with something far more virulent than they ever imagined," he says.

Stay tuned. Kaspersky Lab, for one, has urged other researchers to look into the evidence gathered so far and see what they find. "Looking back to the Bangladesh attack, in the early days, there were very few facts linking it to the Lazarus group," according to a blog post from the security firm. "In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots."

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.