The United States on Tuesday accused North Korea of responsibility for a global ransomware attack that locked down more than 300,000 computers in 150 countries earlier this year.
The United States now has enough evidence to support its assertion that Pyongyang was behind the WannaCry attack in May, Homeland Security Advisor Tom Bossert told reporters at a White House press briefing.
Bossert made the same accusation in an op-ed published Monday in The Wall Street Journal.
If the United States has new evidence linking North Korea to WannaCry, however, it hasn’t released any of it to the public, which could pose problems.
“Accurate attribution for cyberattacks is almost always a difficult task, and it’s doubly so when the evidence leading to the conclusion can’t be shared,” noted Tim Erlin, vice president of product management and strategy at Tripwire.
“If we’re going to have national security organizations delivering these types of conclusions on attribution to the public, we need to find a way to develop trusted output. The mantra of ‘trust us’ doesn’t cut it here,” he told .
The Problem With Attribution
Speculation has connected North Korea to WannaCry since June, when the NSA said it believed Pyongyang was behind the attack. The British government reached the same conclusion in October, and the CIA concurred in November.
While there is evidence indicating that North Korea launched the ransomware virus, that evidence isn’t definitive, maintained James Scott, a senior fellow at the Institute for Critical Infrastructure Technology.
“It is important to understand that attribution is rarely definitive because adversaries can easily obfuscate their actions using technical anti-analysis maneuvers,” he told .
“They plant false indicators to mislead attribution,” he continued. “They leap-frog through multiple foreign networks and systems, they outsource layers or the entirety of their attacks to cyber mercenaries, and they utilize malware available to multiple adversaries from Deep Web markets and forums.”
One strong indicator of North Korea’s involvement with WannaCry is the malware’s connection to the Lazarus Group, which has been tied to Pyongyang, observed Chris Doman, a threat engineer at AlienVault.
There are two data points that link Lazarus to WannaCry, he told: a number of rare code overlaps exist in the programs; and Lazarus planted an early version of WannaCry on a Symantec customer.
“The United States government may have additional information, but the evidence provided at the time by the private sector was pretty strong,” Doman said.
The evidence linking Lazarus to Pyongyang is equally strong, he added. “There are a very small number of publicly assigned Internet addresses assigned to North Korea, and they pop up in Lazarus attacks. The attacks have dated back to at least 2007, and often contain other clues, such as North Korean fonts.”
The Gang That Couldn’t Code Straight
Although the evidence is circumstantial, the case that North Korea was behind WannaCry is a good one, said Scott Borg, CEO of the United States. Cyber Consequences Unit.
“WannaCry was incompetently written and managed — so we’re attributing to North Korea something that’s well within its capabilities, because it didn’t demonstrate a lot of capabilities,” he told . “Unlike some of the other things that have been attributed to North Korea, this is plausible and highly likely.”
A number of recent reports have touted North Korea as a rising cyberpower, but Borg disputes that.
“WannaCry is an example of North Korea’s limitations. This was not a competently written piece of ransomware. The whole thing was badly bungled,” he said.
“I’m sure the criminal organizations making money off of ransomware were furious with the creators of WannaCry because they undermined the credibility of the whole racket,” Borg added.
Since there was strong public evidence of North Korea’s connection to WannaCry for months, the timing of the United States condemnation may be tied to other concerns.
For example, the United States may want to shine a spotlight on Lazarus.
“Lazarus has been particularly active recently,” AlienVault’s Doman said. “I’m seeing numerous new malware samples from them daily. A lot of their current activity involves stealing bitcoin and credit card numbers.”
The condemnation also comes on the heels of the administration’s announcement of a new security policy.
“They may have felt this was an appropriate time because they were going to be reaching out to other countries to do something about the cybersecurity threat and bad actors like North Korea,” James Barnett, a former Navy Rear Admiral and head of the cybersecurity practice at Venable, told .
The timing of the condemnation also could be part of the White House’s campaign to paint Pyongyang as a global threat.
“It’s more about the administration’s message that North Korea is a dangerous actor than it is about cybersecurity,” said Ross Rustici, senior director of intelligence services for Cybereason.
“They’re trying to lay the groundwork for people to feel like North Korea is a threat to the homeland,” he told .
Whatever response the administration decides to make to North Korea’s cyberattacks remains to be seen, but financial problems could render it a hollow one, according to Kris Lovejoy, president of BluVector.
“The United States government’s ability to procure technology to protect public sector institutions and private sector infrastructure is hampered because there’s no ability to execute on its procurement processes,” she told . “It’s ironic that we’re rattling our sabers while we’ve locked the cabinet and not allowed ourselves to get to the armor.”