But in the murky world of cyberspace, that doesn’t mean Pyongyang ordered the attack.
When the WannaCry ransomware exploded across the world on May 12, it shut down car factories, forced hospitals to turn away patients, and knocked out thousands of computers at the Russian Interior Ministry. Nearly two weeks later, computer security firms say a growing body of evidence points toward North Korean hackers as the authors of the worm.
But at this early stage, the conclusions by two firms — Symantec and FireEye — raise more questions than they answer. Researchers at Symantec have identified similarities in the WannaCry source code to hacking tools previously used by North Korean hackers, but those similarities are not enough to conclude that Pyongyang actually ordered the attack.
For years, Symantec, which makes anti-virus and other security software, has tracked the activities of a group it calls Lazarus, which is believed to have been responsible for a series of cyberattacks attributed to the North Korean government, including the devastating 2014 attack on Sony Pictures and last year’s digital heist of $81 million from a Bangladeshi bank.
“Whoever wrote WannaCry and its related tools had access to source code for the Lazarus tools,” Vikram Thakur, Symantec’s technical director, told Foreign Policy. “We cannot say that the latest WannaCry attacks are attributable to a government.”
The U.S. government has also observed these links, but does not have sufficient evidence to attribute the attack to Pyongyang, Director of National Intelligence Dan Coats said during an appearance on Capitol Hill Tuesday. “We do know that North Korea possesses the ability to do this kind of thing,” he said.
The WannaCry ransomware has infected more than 300,000 computers worldwide, and set off alarm bells about the vulnerability to attack of a huge variety of computer systems. When it infects a computer, the worm encrypts its contents and demands that its owner pay $300 to have its contents unlocked. So far, WannaCry’s authors have netted slightly more than $110,000 in ransom, according to a bot tracking payments into the author’s’ Bitcoin accounts.
WannaCry has become a huge headache for the U.S. government, as the worm uses code authored by the National Security Agency to make its way from one computer to another. In April, a group calling itself the Shadow Brokers dumped online a suite of NSA cyberweapons, including one called EternalBlue. The authors of WannaCry added EternalBlue to an earlier version of the ransomware, which allowed the worm to spread so rapidly across the globe.
As more evidence emerges, it may turn out that Pyongyang ordered its hacker corps to deploy WannaCry in an attempt to make money for the isolated and heavily sanctioned nation — North Korean hackers have hit banks around the world. But at this stage, Symantec believes WannaCry was the work of a rogue hacker.
One theory is that a member of Lazarus defected from the group, taking some hacking tools with him, and launched the ransomware campaign, said Thakur. It’s also possible a Lazarus member is moonlighting, using the tools to make some money on the side, he said.
The North Korean military is believed have its own team of elite hackers and to also employ freelance hackers based outside the hermit nation. One of these freelancers could conceivably have grown sufficiently disillusioned, frustrated, or hungry for extra cash to cobble together a virus in his spare time, Thakur said.
Symantec isn’t alone in seeing North Korean fingerprints on the WannaCry outbreak. The security firm FireEye also said on Tuesday that it has identified code previously used by North Korean hackers — and no one else — in the WannaCry worm. “What we are looking at is tools that are definitely being used by agents of the North Korean security services,” said John Hultquist, the director of cyber espionage analysis at FireEye.
Experts caution that it is difficult to discern the motive of the North Korean regime, and that attributing a cyberattack to Pyongyang requires a large amount of data that simply isn’t available at this early stage.
Cybersecurity researchers examining the WannaCry bug have been puzzled by what they have found. The first release of the bug was riddled with problems and included a so-called kill switch. When a 22-year-old British computer security researcher registered a domain name hidden in the code he was able to largely stop the worm’s spread.
Other researchers have speculated that the buggy code indicates that it escaped from a development system before its authors intended. Others have wondered why North Korea — a country whose hackers have mounted a sustained campaign in cyberspace to break into and steal huge amounts from global banks — would author a code that asked its victims to pony up a mere $300 ransom.
Robert M. Lee, the CEO of the industrial cybersecurity firm Dragos and a former cyber warfare operations officer for the U.S. Air Force, cautioned that analysts will always be limited in dealing with the unpredictable actions of Pyongyang’s hackers. “None of us are North Korean operators, and thus don’t think like North Korean operators,” he said.