The United States on Tuesday accused North Korea of responsibility for a global ransomware attack that locked down more than 300,000 computers in 150 countries earlier this year.
The U.S. now has enough evidence to support its assertion that Pyongyang was behind the WannaCry attack in May, Homeland Security Advisor Tom Bossert told reporters at a White House press briefing.
Bossert made the same accusation in an op-ed published Monday in The Wall Street Journal.
If the United States has new evidence linking North Korea to WannaCry, however, it hasn’t released any of it to the public, which could pose problems.
“Accurate attribution for cyberattacks is almost always a difficult task, and it’s doubly so when the evidence leading to the conclusion can’t be shared,” noted Tim Erlin, vice president of product management and strategy at Tripwire.
“If we’re going to have national security organizations delivering these types of conclusions on attribution to the public, we need to find a way to develop trusted output. The mantra of ‘trust us’ doesn’t cut it here,” he told TechNewsWorld.
The Problem With Attribution
Speculation has connected North Korea to WannaCry since June, when the NSA said it believed Pyongyang was behind the attack. The British government reached the same conclusion in October, and the CIA concurred in November.
While there is evidence indicating that North Korea launched the ransomware, that evidence isn’t definitive, maintained James Scott, a senior fellow at the Institute for Critical Infrastructure Technology.
“It is important to understand that attribution is rarely definitive because adversaries can easily obfuscate their actions using technical anti-analysis maneuvers,” he told TechNewsWorld.
“They plant false indicators to mislead attribution,” he continued. “They leap-frog through multiple foreign networks and systems, they outsource layers or the entirety of their attacks to cyber mercenaries, and they utilize malware available to multiple adversaries from Deep Web markets and forums.”
One strong indicator of North Korea’s involvement with WannaCry is the malware’s connection to the Lazarus Group, which has been tied to Pyongyang, observed Chris Doman, a threat engineer at AlienVault.
There are two data points that link Lazarus to WannaCry, he told TechNewsWorld: a number of rare code overlaps exist between the two groups’ programs, and Lazarus planted an early version of WannaCry on a Symantec customer.
“The U.S. government may have additional information, but the evidence provided at the time by the private sector was pretty strong,” Doman said.
The evidence linking Lazarus to Pyongyang is equally strong, he added. “There are a very small number of publicly assigned Internet addresses assigned to North Korea, and they pop up in Lazarus attacks. The attacks have dated back to at least 2007, and often contain other clues, such as North Korean fonts.”
The Gang That Couldn’t Code Straight
Although the evidence is circumstantial, the case that North Korea was behind WannaCry is a good one, said Scott Borg, CEO of the U.S. Cyber Consequences Unit.
“WannaCry was incompetently written and managed — so we’re attributing to North Korea something that’s well within its capabilities, because it didn’t demonstrate a lot of capabilities. Unlike some of the other things that have been attributed to North Korea, this is plausible and highly likely.”
A number of recent reports have touted North Korea as a rising cyberpower, but Borg disputes that.
“WannaCry is an example of North Korea’s limitations. This was not a competently written piece of ransomware. The whole thing was badly bungled. I’m sure the criminal organizations making money off of ransomware were furious with the creators of WannaCry because they undermined the credibility of the whole racket,” Borg said.