Security Firms Tie WannaCry Ransomware to North Korea

But in the murky world of cyberspace, that doesn’t mean Pyongyang ordered the attack.

TOPSHOT - This picture taken on May 14, 2017 and released from North Korea's official Korean Central News Agency (KCNA) on May 15 shows North Korean leader Kim Jong-Un (2nd L) reacting during a test launch of a ground-to-ground medium long-range strategic ballistic rocket Hwasong-12 at an undisclosed location. / AFP PHOTO / KCNA VIA KNS / STR / South Korea OUT / REPUBLIC OF KOREA OUT   ---EDITORS NOTE--- RESTRICTED TO EDITORIAL USE - MANDATORY CREDIT "AFP PHOTO/KCNA VIA KNS" - NO MARKETING NO ADVERTISING CAMPAIGNS - DISTRIBUTED AS A SERVICE TO CLIENTS
THIS PICTURE WAS MADE AVAILABLE BY A THIRD PARTY. AFP CAN NOT INDEPENDENTLY VERIFY THE AUTHENTICITY, LOCATION, DATE AND CONTENT OF THIS IMAGE. THIS PHOTO IS DISTRIBUTED EXACTLY AS RECEIVED BY AFP.  /         (Photo credit should read STR/AFP/Getty Images)

When the WannaCry ransomware exploded across the world on May 12, it shut down car factories, forced hospitals to turn away patients, and knocked out thousands of computers at the Russian Interior Ministry. Nearly two weeks later, computer security firms say a growing body of evidence points toward North Korean hackers as the authors of the worm.

But at this early stage, the conclusions by two firms — Symantec and FireEye — raise more questions than they answer. Researchers at Symantec have identified similarities in the WannaCry source code to hacking tools previously used by North Korean hackers, but those similarities are not enough to conclude that Pyongyang actually ordered the attack.

For years, Symantec, which makes anti-virus and other security software, has tracked the activities of a group it calls Lazarus, which is believed to have been responsible for a series of cyberattacks attributed to the North Korean government, including the devastating 2014 attack on Sony Pictures and last year’s digital heist of $81 million from a Bangladeshi bank.

“Whoever wrote WannaCry and its related tools had access to source code for the Lazarus tools,” Vikram Thakur, Symantec’s technical director, told Foreign Policy. “We cannot say that the latest WannaCry attacks are attributable to a government.”

The U.S. government has also observed these links, but does not have sufficient evidence to attribute the attack to Pyongyang, Director of National Intelligence Dan Coats said during an appearance on Capitol Hill Tuesday. “We do know that North Korea possesses the ability to do this kind of thing,” he said.

The WannaCry ransomware has infected more than 300,000 computers worldwide, and set off alarm bells about the vulnerability to attack of a huge variety of computer systems. When it infects a computer, the worm encrypts its contents and demands that its owner pay $300 to have its contents unlocked. So far, WannaCry’s authors have netted slightly more than $110,000 in ransom, according to a bot tracking payments into the authors’ Bitcoin accounts.

WannaCry has become a huge headache for the U.S. government, as the worm uses code authored by the National Security Agency to make its way from one computer to another. In April, a group calling itself the Shadow Brokers dumped online a suite of NSA cyberweapons, including one called EternalBlue. The authors of WannaCry added EternalBlue to an earlier version of the ransomware, which allowed the worm to spread so rapidly across the globe.

As more evidence emerges, it may turn out that Pyongyang ordered its hacker corps to deploy WannaCry in an attempt to make money for the isolated and heavily sanctioned nation — North Korean hackers have hit banks around the world. But at this stage, Symantec believes WannaCry was the work of a rogue hacker.

One theory is that a member of Lazarus defected from the group, taking some hacking tools with him, and launched the ransomware campaign, said Thakur. It’s also possible a Lazarus member is moonlighting, using the tools to make some money on the side, he said.

The North Korean military is believed to have its own team of elite hackers and to also employ freelance hackers based outside the hermit nation. One of these freelancers could conceivably have grown sufficiently disillusioned, frustrated, or hungry for extra cash to cobble together a virus in his spare time, Thakur said.

Symantec isn’t alone in seeing North Korean fingerprints on the WannaCry outbreak. The security firm FireEye also said on Tuesday that it has identified code previously used by North Korean hackers — and no one else — in the WannaCry worm. “What we are looking at is tools that are definitely being used by agents of the North Korean security services,” said John Hultquist, the director of cyber espionage analysis at FireEye.

Experts caution that it is difficult to discern the motive of the North Korean regime, and that attributing a cyberattack to Pyongyang requires a large amount of data that simply isn’t available at this early stage.

Cybersecurity researchers examining the WannaCry bug have been puzzled by what they have found. The first release of the bug was riddled with problems and included a so-called kill switch. When a 22-year-old British computer security researcher registered a domain name hidden in the code he was able to largely stop the worm’s spread.

Other researchers have speculated that the buggy code indicates that it escaped from a development system before its authors intended. Others have wondered why North Korea — a country whose hackers have mounted a sustained campaign in cyberspace to break into and steal huge amounts from global banks — would author a code that asked its victims to pony up a mere $300 ransom.

Robert M. Lee, the CEO of the industrial cybersecurity firm Dragos and a former cyber warfare operations officer for the U.S. Air Force, cautioned that analysts will always be limited in dealing with the unpredictable actions of Pyongyang’s hackers. “None of us are North Korean operators, and thus don’t think like North Korean operators,” he said.

Twitter: @EliasGroll
