NSA Links WannaCry to North Korea

There's evidence:

Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes the range of computer Internet protocol addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other Western spy agencies. It states that the hackers behind WannaCry are also called "the Lazarus Group," a name used by private-sector researchers.

One of the agencies reported that a prototype of WannaCry ransomware was found this spring in a non-Western bank. That data point was a "building block" for the North Korea assessment, the individual said.

Honestly, I don't know what to think. I am skeptical, but I am willing to be convinced. (Here's the grugq, also trying to figure it out.) What I would like to see is the NSA evidence in more detail than they're probably comfortable releasing.

More commentary. Slashdot thread.

Posted on June 16, 2017 at 2:11 PM • 14 Comments


Vesselin BontchevJune 16, 2017 2:40 PM

I agree that whoever wrote WannaCry, had access to the source code of some of the tools used by the Lazarus group.

I agree that in the past attacks by the Lazarus group, they were on behalf of North Korea.

But I don't see how from this they are jumping to the conclusion that North Korea was behind WannaCry.

The whole WannaCry operation was sloppy. It felt like a private op gone wrong - not like a state-sponsored op. The thing has several serious bugs. It wasn't tested. It most likely escaped before it was ready. The Korean language of the ransom note is just awful. The Chinese note is much, much better.

And what would be the purpose? Financial gain? They didn't take even a single Satoshi from the 300+ ransoms that were paid. If North Korea was behind this, they wouldn't hesitate to take the money - what have they got to lose? Being afraid to take the money is more consistent with a private individual who is scared.

If the purpose was to troll the NSA, again it was done very badly. Could have been done much better. If the purpose was to install the DoublePulsar backdoor on many machines (e.g., for espionage purposes), this could have been done silently; not "noisily" with ransomware. It just makes no sense.

While Lazarus has acted on behalf of North Korea in the past, and have even used North Korean Internet infrastructure, we don't really have any convincing evidence that they are North Korean. Could have just as well be mercenary hackers (probably Chinese), who were contracted by the North Koreans to conduct these attacks in the past. And then one of them used part of the tools to run a private op on his own - the WannaCry ransomware. That makes much more sense than North Korea releasing a buggy ransomware worm for no good reason and then ignoring the money.

some1June 16, 2017 3:12 PM

@Vesselin Bontchev - Well, maybe the North Koreans are incompetent ? Maybe "state-sponsored" doesn't always mean "done extremely right" ?

AndrewJune 16, 2017 4:49 PM

This is very different from Sony hack. That required multiple access to network which increased attackers exposure.
WannaCry might have had a single "patient zero"..that's it one single access from an internet cafe or open wifi in a different country, under a VPN/tor. During this single access the very first computer might have been infected.
Very difficult to link this to anything, I have my doubts.

Vesselin BontchevJune 17, 2017 2:48 AM

@some1, from what I've seen from the Lazarus group, "incompetent" isn't how I would describe them. How many incompetent criminals can boast a $81 million heist from a central bank?

No, they aren't top-notch like the NSA guys, or the Russians, or the Israeli, but they are pretty good, like just about every other state-sponsored actor.

The WannaCry op was very, very sloppy. Without convincing evidence, I refuse to believe that a state was behind it.

NemoJune 17, 2017 2:52 AM

I am always cautious when an agency says the have evidence. If I recall correctly, there was a document published that the NSA possess tools to forge false "fingerprints" leading to other countries. I don't know who it really was, but I sometime find it hard to believe that it is always the russians, chinese or north koreans - and that the evidence is just so easy to interpret. If the NSA is able to make a fingerprint profile of certain states, then I guess other states are also capable of finding a pattern in cyber attacks from other states - and ergo also trying to forge this fingerprint, to put the blame to North Korea or Russia....
And as some have said - cui bono? I am unable to see who could profit from this - and I don't see especially how North Korea could profit from this - except maybe this is some great PR stunt to advertise their new operation system (Red Star OS)? Just kidding though

albertJune 17, 2017 8:33 AM

"...What I would like to see is the NSA evidence in more detail than they're probably comfortable releasing...."

Then, why not get clearance? A man of your integrity and stature should be able to get it. It's passed the time for the NSA to put its money where its mouth is. Or are they all hat and no cattle?

. .. . .. --- ....

gordoJune 17, 2017 5:30 PM

The Washington Post article stated that the confidence level assigned to the reported assessment was one of "moderate confidence" (par. 2).

What does this mean?

Levels of analytic confidence in national security reports

Moderate confidence generally means credibly sourced and plausible information, but not of sufficient quality or corroboration to warrant a higher level of confidence.


See also:

Joint Publication 2-0 Joint Intelligence 22 October 2013"
(Appendix A, Figure A-1. Expressing Confidence in Analytic Judgments)

Regarding evidence:

What We Mean When We Say: An Explanation of Estimative Language

Some analytical judgments are based directly on collected information; others rest on previous judgments, which serve as building blocks. In either type of judgment, we do not have "evidence" that shows something to be a fact or that definitely links two items or issues.

Source document: 2007 NIE on Iran’s Nuclear Intentions and Capabilities (p. 5)

"Evidence" is apparently not requisite.


Somewhat off-topic:

a context-engineering cartoon
[context of cartoon]
Cartoon quote sources.

Clive RobinsonJune 17, 2017 11:34 PM

@ gordo,

"Evidence" is apparently not requisite.

As far as I can tell that is true of all Intel Reports, and why I treat them or their --political-- product with a great deal of caution. It's not just cognative bias, peer preasure, group think and a whole truck load of similar bias you need to be cautious of. The intel game is fundementally one of Smoke, Mirrors and Red flags, all done to deceive others to protect secrets, and an analyst no matter how unbiased is always acting on at best impartial knowledge. You only have to go back to the cold war to see how far off US estimates of Soviet capabilities were compared to the now available Soviet production and other records.

Thus all intel reports based on oposition free will human activity are in effect hypothesises based on axioms (assumptions viewed as truths). Which is why where possible, I run an anti-hypothesis based on my own knowledge and experience.

The first thing we know is that no matter how omnipresent and omnipotent the likes of various SigInt agencies appear or wish to appear the reality is they are not even fractionaly close.

If you want a current popular entertainment analogy they are like the "undead vampires" that can only go where they are invited or alowed, and they only get your life blood if you allow them, their only advantages being fear and persistence, where those --methods-- fail them they need living agents --sources-- to act for them, to "open doors" as it were.

The reality is the SigInt chosen "methods" or signals capabilities are quite limited and very much rely on the lack of knowledge or mistakes of those they seek to surveill. Where their targets are more knowledgeable and carefull the SigInt agencies job rapidly becomes very resource intensive for often very little gain.

Thus their job of "join the dots" is played where they have very few dots they can join if any, near the target of interest. Like most resource limited entities the agencies have an over riding need to minimize resource usage. That is they want to appear "efficient". For longer than this blog or it's preceding newsletter has been around I've been making a point about the seesaw nature of "Efficiency -v- Security". That is in the general case the more you have of of one the less you have of the other. The same applies with "Efficiency -v- Intel", which can give a significant advantage to an entity with a desire to keep secret it's activities by hiding from sight or behind a false front to misdirect those who wish to uncover the activities.

As I've also pointed out SigInt has distinct limitations, which is why you also need humint. That is whilst you might know an electronic data source, you can not know for certain via technical means the data sink. The simple case is "the broadcast model" you have a powerfull transmitter covering a vast area in which there can be from zero to many receivers. Whilst some receivers can be found by electronic means by no means all can. But even where they can it requires specialised equipment that has to be very very close to the receiver, and only when it is opperating. Thus if a receiver can be mobile and your finding resources are limited you have no way of knowing the locations of an unknown number of receivers.

The same applies in networked systems, you may know the data source and be able to see the traffic leaving it and at various nodes along a path to what appears to be a data sink. But can you actually verify that what you think is the data sink is what you think it is and more importantly that the data has not been tapped / teed off at some point along the data path. Without going into the tedious details the answer is no you can not.

Further we have good reason to belive that other members of the Intelligence Community carry out false/red flag activities. Whereby the look to make attacks look like a third party to gain an advantage of some kind.

When you start to consider how easy this can be, as well as playing to other peoples confirmation biases it becomes easy to see why atribution can be difficult and accurate attribution impossible.

Thus when technical "methods" are unreliable you have to go for boots on the ground "sources" or HumInt. The problem is that is also unreliable. As we saw with the ex MI6 man who took money from both the Republicans and Democrats to get dirt on Donald Trump, if you do not excercise extream caution your source / agent will give you not what you want, but what they think you want to hear. Hence the "Pros Pee on the bed" story, that realy can not be verified one way or the other, but on balance is unlikely (after all having been "entertained" that way where do you sleep?.. and who pays for the clean up etc).

Thus "facts" in Intel Reports are very unlikely to be anything close to what most would consider guesses, let alone evidence.

Which is why you should always ask the simple questions of "Could this be Faked, and how difficult would it be to do?" and the answers with technology is almost always "Yes" and "Easy"...

Tar ballJune 18, 2017 9:34 PM

There could be a simple explanation why the WannaCry code was a bit shit- they were up against the clock. The thing is, if Microsoft had patched enough of the systems then it becomes pointless to launch an attack. But even more pressingly, if somebody else had attacked the vulnerability, then their window would have closed. So it could well be that somebody had just told the coders to 'ship'. So you end up with slightly lame code, for which (unluckily for then) a kill switch could be used.

tyrJune 19, 2017 12:17 AM


One of my favourite quotes:

The rules of evidence are not in abeyance
for the New Age...T McKenna

The hilarious story of the cold war Russian
threat of massive bomber fleets were from
religious zealots who wanted to rethrone a
Tsar. This in turn was passed through the
Gehlen Apparat to the credulous bumpkins
of spookery in America and leaked to the
populace who were out with binoculars doing
a scan for the massive soviet bomber attack.

This scam lasted until the treacherous Americans
flew some U2 camera flights and couldn't find
the huge fleet of B29 copies anywhere. There
were only four made not the hundreds reported
as having been built.

Those who cozy up to Tsarist nuts and Nazi
spooks with excess credulity are going to get
burned every time.

If you think the moderne versions of this are
not happening then you need a refresher course
in human nature.

Clive RobinsonJune 19, 2017 1:03 AM

@ tyr,

... religious zealots who wanted to rethrone a Tsar

I don't know where they thought they would get one from... As Leon As Trotsky pointed out, "The Tsar's family was a victim of the principles that form the very axis of monarchy: dynastic inheritance". Thus their deths were assured, especially as outside of Russia the Romanov's were still regarded in all ways as the heads of state.

We now know where the bodies are, all but two are buried in the reburied in the Peter and Paul Cathedral in Saint Petersburg their identitoes having being confirmed by DNA. The grave of the other two children was not discovered untill 2007 and for what appears to be politicaly inspired behaviour instigated by the Roman Orthodox Church to deny who they are, their remains are kept in a state repository "pending further DNA tests".

So the religious zelotry contiues to this day (for more earthly reasons(.

Clive RobinsonJune 19, 2017 1:28 AM

@ tyr,

The above is proof that you should not try to multitask when one task is part of the morning activitie involving public transportation...

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.