North Korea implicated in WannaCry ransomware attack – NSA

This article was updated 15th June 2017 at 14:10


The NSA have this week confirmed that North Korea was most likely the perpetrator behind the unprecedented WannaCry ransomware attack last month, which affected 150 countries – with seemingly no prejudice as to who was targeted.

Hitesh Sheth, CEO at Vectra Networks comments that this latest update comes as no surprise: “Cyber security experts have been speculating that the nation-state was responsible for the attack since they began analysing the code in May, and the real question now is how the Trump administration will respond. Under former President Obama, we saw swift sanctions following the Sony breach, and I expect to see the same under the current administration. More importantly, however, is how the government responds from a technological perspective.”

“The lack of skilled cyber security workers has disproportionally affected the public sector, so this isn’t a problem that will be solved by hiring more people. Until the government figures out a way to use artificial intelligence to automate basic security processes, in order to free up their full-time security analysts, the US will continue to fight an uphill battle.”

Indeed, it seems the US government has taken this threat seriously, and this week issued an alert on the activities of a hacking group it called “Hidden Cobra,” saying the group was part of the North Korean government. The joint alert from the U.S. Department of Homeland Security and the Federal Bureau of Investigation said that “cyber actors of the North Korean government” had targeted the media, aerospace and financial sectors, as well as critical infrastructure, in the United States and globally.

Commenting on this, Sean Newman, director at Corero Network Security, said: “Recent reports of the way in which North Korea’s has been executing DDoS attacks, is completely in line with the types of attacks Corero sees on a regular basis – most attacks are relatively small, and often surgically crafted, aiming to complete their mission without triggering detection mechanisms or raising suspicion that an attack might be in progress.This is counterintuitive to most people’s perception of DDoS attacks, but is set to be the new normal where DDoS is used as part of broader multi-vector attacks.”

Original article

The unprecedented cyber attack last weekend affected 150 countries, with seemingly no prejudice as to who was targeted. Organisations, both public and private, were hit by the intrusive ransomware – WannaCry.

The hunt for the perpetrators is now on, and some security researchers have identified North Korea as a notable suspect – although the current evidence is far from conclusive and wouldn’t stand up in a court of law.

The Lazarus Group is a hacking organisation believed to be based out of China, but working for North Korea. The hack on Sony Pictures in 2014 – to prevent the release of The Interview (a comedy mocking North Korean leader Kim Jong-Un) and on a Bangladeshi bank in 2016 were linked to the cybercrime group.

>See also: The global ransomware attack a cyber wake-up call

Google security researcher Neel Mehta has now linked the attack this weekend to the group. He said he found similarities between the code found within the WannaCry ransomware and other tools that were created by the Lazarus Group.

“Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” said Russian security firm Kaspersky, but it noted a lot more information is needed.

Indeed, this evidence is tenuous. Security expert Professor Alan Woodward told the BBC via email that “it’s pretty thin and all circumstantial…However, it’s worth further investigation.”

“It wouldn’t stand up in court as it is. But it’s worth looking deeper, being conscious of confirmation bias now that North Korea has been identified as a possibility.”

>See also: NHS Trust successfully fought back WannaCry ransomware with AI

Kaspersky said “We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” the company added.”

“Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus Group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots.”

Indeed, if it was the Lazarus Group acting on behalf of North Korea, why would the hack target China – it’s biggest allay? It was among the countries that was worst hit and not accidentally. The version of WannaCry that infected organisations based deliberately had a ransom message written in Chinese.

Ultimately, this attack was widely indiscriminate, with no particular target evident – not usually North Korea’s modus operandi. If the attack was political it would have been more targeted. And if financial gain had been the aim, then the cyber attack certainly failed, with only around £46,500 being paid in ransoms from 200,000 infected devices.

>See also: The cyber threat landscape is looking more and more dangerous

An alternative theory is, if indeed it was the Lazarus Group, that it was working alone, simply to cause a degree of chaos. It is incredibly difficult to attribute blame, as is the nature of cyber warfare, unless an organisations takes credit for the attack.

For a long time cyber attacks were discussed, and people and businesses knew the threat and based policies on them, to an extent. But this attack really was on an unprecedented scale, dominating media attention. It could represent a turning point in business practice, government policy and population attitudes towards cyber security. The threat from the web has truly been exposed.


The UK’s largest conference for tech leadership, Tech Leaders Summit, returns in September with 40+ top execs signed up to speak about the challenges and opportunities surrounding the most disruptive innovations facing the enterprise today. Secure your place at this prestigious summit by registering here

Avatar photo

Nick Ismail

Nick Ismail is a former editor for Information Age (from 2018 to 2022) before moving on to become Global Head of Brand Journalism at HCLTech. He has a particular interest in smart technologies, AI and...