The United States, Canada, Japan, Australia and New Zealand have all officially accused North Korea this week of being behind the WannaCry campaign. They join the United Kingdom, which blamed Pyongyang for the attack back in October.
While some security firms pointed the finger at North Korea shortly after the attack, Japan and the Five Eyes countries claim their intelligence agencies reached the same conclusion after conducting their own investigations and sharing data with each other.
North Korea has once again denied the accusations, claiming that Washington was demonising it.
Some industry professionals point to evidence showing that these governments’ assessment is accurate, while others highlight that attribution is a difficult task, and warn that the world is not ready for the next WannaCry.
And the feedback begins…
Benjamin Read, Manager, Cyber Espionage Analysis, FireEye:
“FireEye has found the WannaCry malware shares unique code with WHITEOUT malware that we have previously attributed to suspected North Korean actors. While we have not verified other experts’ observation of known DPRK tools being used to drop early versions of WannaCry, we have not observed other groups use the code present in both WannaCry and WHITEOUT and we do not believe it is available in open source. This indicates a connection between the two.
Our analysis has found this unique code shared across additional North Korean malware, including NESTEGG and MACTRUCK. Significantly, while this code is present in the MACTRUCK malware, it is not used. The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators.
In addition to the WannaCry activity, we believe that North Korean actors are using multiple vectors to engage in cyber-criminal actively, including, most prominently, the targeting of Bitcoin exchanges. FireEye assess that North Korea will continue to pursue financially motivated cyber intrusion to supplement the government’s income.”
Tim Erlin, VP of Product Management and Strategy, Tripwire:
“Accurate attribution for cyber attacks is almost always a difficult task, and it’s doubly so when the evidence leading to the conclusion can’t be shared.
With global public trust in the US government at a low point, it’s not surprising that there’s skepticism. If we’re going to have national security organizations delivering these types of conclusions on attribution to the public, we need to find a way to develop trusted output. The mantra of ‘trust us’ doesn’t cut it here.
This conclusion about North Korea’s culpability isn’t new. The UK discussed the very same conclusion in October, with the very same caveats about sharing the actual evidence. You can’t arrest a nation-state, which inevitably prevents any real closure on an incident like WannaCry.”
Chris Doman, Threat Engineer, AlienVault:
“WannaCry was linked to a group known as Lazarus, which others have linked to North Korea. There were two data points linking WannaCry to Lazarus – a number of rare code overlaps between WannaCry and Lazarus malware, and Symantec saw an early version of WannaCry manually deployed by Lazarus on one of their clients. The US government may have additional information, but the evidence provided at the time by the private sector was pretty strong.
The evidence linking Lazarus to North Korea is similarly strong. There are a very small number of publicly assigned internet addresses assigned to North Korea, and they pop up in Lazarus attacks. The attacks have been dated back to at least 2007, and often contain other clues such as North Korean fonts.
Things take time to come out of the government – but the timing today may have to do with other events. Lazarus have been particularly active recently – I’m seeing numerous new malware samples from them daily. A lot of their current activity involves stealing bitcoin and credit card numbers.”
Dmitri Alperovitch, CTO and Co-founder, CrowdStrike:
“[The US Government’s announcement] of its official public attribution of the WannaCry attack to North Korea regime is another step in establishing the importance for regularly attributing significant attacks to nation-states and criminal groups. It also raises public awareness about North Korea’s growing offensive cyber capabilities. CrowdStrike has tracked DPRK’s cyber activities going back to the mid-2000s, which started with espionage, then half a decade later evolved into destructive attacks and in the last few years delved into cybercrime such as ransomware and bank heists. They are a very capable actor that is known to have developed 0-day exploits and their own unique malware code. As such, they pose a major threat to organizations globally, especially as tensions between the US and North Korea over the nuclear and missile programs continue to escalate.”
Joseph Carson, Chief Security Scientist, Thycotic:
“Cyber attribution is one of the most difficult tasks in cybersecurity today. Unless the devices are persistent, it is almost impossible to identify who was sitting behind the keyboard, let alone who was instructing that person to carry out the malicious activity without any advanced cyber forensics tools. When attribution is pointing to a nation state, it is crucial that the attribution is communicated by the impacted government and not any private company or entity. Private companies should focus on getting back to a secure and operational state and assist in evidence that assist the government in accordance to any compliance requirements. In my experience, when cybercrime crosses international borders, it is difficult to claim attribution without cooperation of the country to where the evidence leads.
The challenge with calling out a group like Lazarus, which is widely believed to be associated with North Korea and several previous cyber-attacks, is that it is important to be clear that this is a group and motives can change depending on who is paying. I have found when researching hacking groups they can one day be working for one government under one alias and another using a different alias. This means that association in cyberspace means nothing. In my experience in digital forensics, I have always followed two rules when analyzing a cyber-crime: follow the motive or follow the money — either one will lead to the criminal.
In both WannaCry and NotPetya it looks like the motive was not financial. To me, it is clear that multiple bad actors played a part in the creation and malicious use of the ransomware. The payload and financial portion of the crime appears to be constructed by two different groups of cybercriminals. Remember, the real purpose of ransomware can be a combination of motives, or involve multiple threat actors with different motives. It is always important to step back and think: if this was your crime how would you have done it? It’s crucial to be able to think and look at the world through the eyes a hacker or cyber-criminal.”
Michael Daly, CTO, Raytheon Cybersecurity and Special Missions:
“The message for any company doing business on the internet is that North Korea sees you as a target. So do other rogue nation-states, and so do transnational crime organizations. For them, ransomware is an irresistible crime. It keeps hundreds of millions of dollars in untraceable cryptocurrency flowing in, all the while causing chaos in places like hospitals, power plants, train stations, financial institutions and telecommunications companies.
It’s no coincidence the administration announced its findings in a publication they knew would reach the people who have the power and influence to strengthen networks in the commercial sector. Stronger networks are more expensive to attack, and when we increase the cost of cybercrime, we undermine the incentive for the attack.”
Travis Farral, Director of Security Strategy, Anomali:
“Attributing certain attacks or specific malware to an actor, group, or nation-state is difficult in the cyber world. Often, attribution is made as a best-guess based on available evidence. In the case of WannaCry, a handful of prominent security companies noted clues that pointed to the Lazarus Group, a North Korea associated actor group, as the potential culprits behind the malware. The cited links connecting North Korea to WannaCry have been far from conclusive, however. The U.S. Government claims to have evidence indicating that North Korea was indeed behind WannaCry. They may have such evidence, but because they have not shared the details with the public, it is a case of trusting their judgment on the matter.”
Atif Mushtaq, CEO, SlashNext:
“The interesting thing about malware is that, like any other product that works effectively, it can become widely-adopted. We recently blocked an exploit called “EternalBlue” which takes advantage of a Microsoft Windows Security flaw to gain entry using the network file sharing protocol (TCP ports: 139, 445). Similarities, including infection vectors, code sequences, infrastructure and exploitation techniques, link this to the APT called “Unit 180,” as well as a backdoor program called Contopee, originating from Lazarus, a North Korean hacking group. The core malware gets used but each hacking group modifies their attack strategy in order to evade signature- or sandbox-based detection mechanisms.”
Chris Morales, Head of Security Analytics, Vectra:
“Most industry experts believe that North Korea is engaged in finding alternative means for funding their efforts as they have been cut off from traditional financial channels. When WannaCry was first detected, we saw similarities in the code used for that ransomware attack with previous attacks attributed to North Korea, like the Sony hack. North Korea has been targeting banks directly with banking malware while using ransomware against other organizations to acquire a large volume of Bitcoin. North Korea has benefited greatly from with the meteoric rise in bitcoin over the past year. With the success in financial gain they have received from cybercrime, we can expect to see more.
We anticipate that many more ransomware attacks will continue to occur. They will have different names and use different exploits. What won’t change is the nature of the attacks and their associated behavior. While we don’t know when the next big attack will occur, enterprises need to be ready for it. Ongoing advances in AI have allowed technology to augment the efforts of cybersecurity teams. And there must be a seismic shift in the cybersecurity industry to identify attacker behaviors fast and early to stop ransomware attacks.”
Eddie Habibi, Founder and CEO, PAS:
“While attribution is an important question to answer, the real question is are we prepared for the next WannaCry? The lifeblood of critical infrastructure plants – where electricity is generated, fuel is produced, and drinking water is cleaned – are industrial control systems. They are responsible for process safety, production uptime, and environmental protection. Attacks on these systems have increased seven-fold since 2010, and the bad guys are achieving greater success with every attack.
Even after WannaCry initially hit, many plants had systems that remained unpatched. Just last week, attackers were successful taking control of safety systems in a plant with malware called TRITON/TRISIS. They did not need a vulnerability to assert control; they only needed specific process knowledge and an unprepared plant environment.
The threat landscape is fluid, and risk is increasing for critical infrastructure companies. Traditional IT security controls are not keeping pace with the requirements of operational technology systems, and industries need better methods to increase visibility into their most critical cyber assets – eighty percent of which are largely invisible to security personnel today. The basic fact is, you cannot protect what you cannot see.”