Global Weekly Executive Summary June 2, 2017

By MDL on June 2, 2017

WannaCry Attribution

Security researchers around the world have identified clues linking the global WannaCry cyberattacks to Lazarus Group, a prolific hacking group with suspected ties to North Korea, but is the WannaCry ransomware the work of a nation-state or does it just feel that way?

Security researchers studying early versions of WannaCry, including those working at Google, Symantec, and Kaspersky, seem to agree that they have identified a use of common code, tools, and IP addresses that link this ransomware worm to attacks previously attributed to Lazarus Group.

Lazarus Group is the suspected source of the 2014 Sony Pictures hack, the Bangladesh Central Bank heist in early 2016, and the 2013 cyberattack that targeted South Korean banks and broadcasting organizations. Lazarus was linked to North Korea, partly because of motive, but also through technical clues including the fact that a previous attack was traced to a North Korean IP address.

Linguists working to analyze the WannaCry ransom notes written in 28 languages believe that the original ransom note was written by a native Chinese speaker and a capable English speaker, and Google Translate was used to create the ransom notes in all other languages.

Logically, a ransomware attack that was intended to work on a global scale would include all of the most commonly used languages in the world, but the list of ransom note languages does not follow that pattern. There is no ransom note written in any Indian languages, and many of the notes are written in European languages that would not be among the most common languages in the world.

If North Korea was the force behind this ransomware attack, why were North Korea’s closest allies, Russia and China, the most heavily affected while the US and their allies largely unaffected? If the source was Russia or China where the majority of infections were based, why were their own state-run organizations among the victims? There may be technical clues that tie WannaCry to this country or another, but the motive and end results seem to be counterproductive for each of those countries.

One possibility could be that the code identified as originating from Lazarus could have been placed there intentionally as a false flag for the purpose of confusing security researchers trying to identify the source of the attacks. The use of false flags is not an uncommon tactic, and some researchers believe that Lazarus has also included poorly-translated Russian phrases in its code in the past to throw researchers off the scent.

Another likely possibility is that this group is not a nation-state actor or an experienced hacking group at all. Perhaps those responsible for WannaCry are simply a group of small-time cybercriminals or hackers trying out some very powerful tools.

Cyberattacks are often considered to be a nation-state level attack if they are highly sophisticated, unusually stealthy, or in the cases of large-scale attacks that inflict widespread damage or disruption. While WannaCry was able to affect hundreds of thousands of computers around the world within hours, it also included what Andy Greenberg of Wired called “amateur mistakes,” including the use of kill-switch and errors in the code that helped contain the infection and allowed for some data recovery.

WannaCry was not effective as a financial cybercrime scheme. The total ransom paid to the three bitcoin wallets associated with WannaCry is $118,115.71 USD, or about 50.65 BTC (bitcoin) as of May 31. This dollar amount is confoundingly low for a group with as much experience in financial cybercrime as Lazarus, who were able to steal nearly 81 million dollars last year by compromising the Bangladesh Central Banks’ SWIFT network. The bitcoin ransom paid by victims remains untouched in those accounts.

The scale of infections and the speed at which those infections spread made this cyberattack feel like the work of a nation-state actor, but WannaCry was mainly effective because of the exploits it used.

Exploit tool EternalBlue and backdoor tool DoublePulsar are sophisticated and effective, and they were created by a nation-state level actor, the NSA (allegedly).  The inclusion of these tools elevated flawed WannaCry to make it appear to be the work of a nation-state actor.

The Bottom Line: Powerful NSA exploit tools, stolen and released to the general public, now allow anyone with a bit of technical knowledge to unleash a cyberattack with the force, reach, and speed that were formerly only available to nation-state actors.    


Reuters, Cyber security firm: more evidence North Korea linked to Bangladesh heist

Ars Technica, Virulent WCry ransomware worm may have North Korea’s fingerprints on it

Ars Technica, A typo costs bank hackers nearly $1B

Wired, The WannaCry Ransomware Hackers Made Some Real Amateur Mistakes

SC Magazine, Analysis suggests WannaCry ransom note is native Chinese-speaker

Kaspersky, Securelist, WannaCry and Lazarus Group – the missing link?