NSA Links WannaCry to North Korea
There’s evidence:
Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes the range of computer Internet protocol addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other Western spy agencies. It states that the hackers behind WannaCry are also called “the Lazarus Group,” a name used by private-sector researchers.
One of the agencies reported that a prototype of WannaCry ransomware was found this spring in a non-Western bank. That data point was a “building block” for the North Korea assessment, the individual said.
Honestly, I don’t know what to think. I am skeptical, but I am willing to be convinced. (Here’s the grugq, also trying to figure it out.) What I would like to see is the NSA evidence in more detail than they’re probably comfortable releasing.
More commentary. Slashdot thread.
Vesselin Bontchev • June 16, 2017 2:40 PM
I agree that whoever wrote WannaCry had access to the source code of some of the tools used by the Lazarus group.
I agree that, in the past, attacks by the Lazarus group were on behalf of North Korea.
But I don’t see how from this they are jumping to the conclusion that North Korea was behind WannaCry.
The whole WannaCry operation was sloppy. It felt like a private op gone wrong – not like a state-sponsored op. The thing has several serious bugs. It wasn’t tested. It most likely escaped before it was ready. The Korean language of the ransom note is just awful. The Chinese note is much, much better.
And what would be the purpose? Financial gain? They didn’t take even a single Satoshi from the 300+ ransoms that were paid. If North Korea was behind this, they wouldn’t hesitate to take the money – what have they got to lose? Being afraid to take the money is more consistent with a private individual who is scared.
If the purpose was to troll the NSA, again it was done very badly. Could have been done much better. If the purpose was to install the DoublePulsar backdoor on many machines (e.g., for espionage purposes), this could have been done silently; not “noisily” with ransomware. It just makes no sense.
While Lazarus has acted on behalf of North Korea in the past, and has even used North Korean Internet infrastructure, we don’t really have any convincing evidence that they are North Korean. They could just as well have been mercenary hackers (probably Chinese), who were contracted by the North Koreans to conduct these attacks in the past. And then one of them used part of the tools to run a private op on his own – the WannaCry ransomware. That makes much more sense than North Korea releasing a buggy ransomware worm for no good reason and then ignoring the money.