The Cable

White House Blames North Korea for Global Ransomware Outbreak

The announcement comes amid heightening tensions on the Korean Peninsula.

North Korean leader Kim Jong Un looks on during the launch of a Hwasong-12 missile. (STR/AFP/Getty Images)

The Donald Trump administration has concluded that the North Korean government was behind a May ransomware outbreak known as WannaCry, adding the weight of the U.S. intelligence community to private-sector security firms’ conclusions that Pyongyang orchestrated the use of the virus.

In a briefing with reporters on Tuesday, White House counterterrorism and homeland security advisor Tom Bossert said the attack “was directed by the government of North Korea” and that Pyongyang used intermediaries to carry out the operation.

“Everything that happens in North Korea happens with and by the direction of their leadership,” he added. The United Kingdom, Australia, Canada, New Zealand, and Japan have seen U.S. analysis “and they join us in denouncing North Korea for WannaCry,” he said.

Such a clear-cut statement from the U.S. government, which has put significant resources into countering North Korean cyber operations, represents the latest attempt in Washington to pressure Pyongyang amid rapidly escalating tensions. The United States and the United Nations have ramped up economic sanctions on North Korea in response to the country’s missile and nuclear tests.

But Bossert acknowledged that the United States is running out of options to force North Korea to abandon its disruptive activities, including firing off intercontinental missiles and launching cyberattacks around the world.

“President Trump has used just about every lever you can use short of starving the people of North Korea to death to change their behavior,” Bossert said. “We don’t have a lot of room here left here to apply pressure to change their behavior.”

North Korean hackers continue to utilize American platforms for their work. On Tuesday, Facebook said it had deleted accounts last week operated by North Korean hackers to “make it harder for them to conduct their activities,” and Microsoft revealed that it disrupted malware used by Pyongyang’s cyber forces.

In calling out North Korea on Tuesday, Bossert appealed to countries that may be knowingly or inadvertently sheltering Pyongyang’s hackers to more aggressively go after those operatives. “North Koreans can travel outside of North Korea to hack, or they can rely on people outside of the country with better access to the internet to carry out this malicious activity,” Bossert said. “We need other countries, not just other companies, to work with us.”

In pointing at other countries, Bossert sidestepped the U.S. role in the bug’s development. North Korean hackers used a vulnerability discovered by the U.S. National Security Agency that was leaked online by a mysterious group known as the Shadow Brokers. In WannaCry, North Korean hackers effectively took a stolen American cyber weapon and pointed it at computer users around the world.

But they didn’t point a very effective weapon. Ransomware like WannaCry is designed to infect computers, encrypt their contents, then demand a ransom to decrypt the files. But WannaCry was sloppily written, and paying ransoms did not lead to decryption. If the virus was part of a plan to raise funds for a cash-starved regime, it failed: The hackers appear to have made no more than $140,000 from the operation.

Other cyberattacks have been more profitable. Security researchers have linked North Korean hackers to an audacious assault on Bangladesh’s central bank, which saw hackers initially make off with $81 million. Other reports have tied North Korean hackers to attacks on South Korean bitcoin exchanges, which are used to trade the cryptocurrency.

Still, the slapdash nature of WannaCry has baffled researchers and made it hard to figure out exactly how North Korea carries out its cyber offensives. The sloppy code has led some researchers to conclude the worm prematurely escaped from a development environment — essentially a closed-off computer system used to build digital tools — before it was ready for use. Others speculate the code might have been the project of freelance hackers who had carried out previous work for North Korea and were trying to make money on the side.

“How they operate is often a little mysterious,” Bossert acknowledged Tuesday. “With perfect knowledge, we would be able to address the North Korean problem with more clarity.”

Elias Groll is a staff writer at Foreign Policy covering cyberspace, its conflicts, and controversies. @eliasgroll
