Did Pyongyang Unleash WannaCry Worm? Be Sure Before Retaliating

Sarah Geary

Over the past few weeks, a critical question has been discussed among cybersecurity professionals and experts. Who would pair North Korean-linked malware with an alleged U.S. government cyber exploit leaked by the suspected Russia-affiliated Shadow Brokers to create a new variant of ransomware – a form of malware typically within the domain of cyber criminals? Sorting out the attackers’ intent further complicates this riddle. Why would an attacker infect over 300,000 computers in 150 countries, disabling operations at thousands of entities, when there is relatively little monetary reward and no clear nation gaining the advantage?

Since May 12, the highly prolific WannaCry ransomware campaign is estimated to have cost victims hundreds of millions of U.S. dollars, including losses from reduced productivity, the cost of data restoration, and reputational risk. However, two weeks after deployment, it appears that the attackers had grossed less than $150,000 from victims paying the ransoms – a paltry amount for the risk they assumed and the attention they garnered from many governments globally.

Some have expressed skepticism that attribution even matters for WannaCry so long as the encrypted data is recoverable. However, whether the attackers are state or non-state actors determines where the liability lies for cyber insurance, and better knowledge of the attackers’ intent informs decisions about whether to pay the ransom or where network defenders should focus their efforts. For example, a nation-state campaign is more likely to be a targeted attack and may maintain persistence on a victim network. Attribution is particularly crucial as governments consider their response options.

The most telling piece of attribution-related evidence is that WannaCry shares code with malware previously attributed to North Korean actors. This code does not appear to be available in open source and would be very difficult for others to reverse engineer. The unique coding similarities have led FireEye and other cybersecurity researchers to conclude that, at a minimum, the WannaCry attackers share software development resources with suspected North Korean cyber espionage actors.

These North Korean cyber espionage actors have demonstrated their ability to carry out advanced cyber operations, such as the destructive attack against Sony in 2014 and stealing $81 million from the central bank of Bangladesh last year. However, WannaCry has fundamental coding flaws not typically made by sophisticated actors, adding a wrinkle to the attribution. One flaw was the inclusion of code that functioned as a “kill-switch,” enabling researchers to disable the malware. Another flaw was the apparent lack of a method to identify who pays the ransom.

There are three scenarios that best explain these seeming inconsistencies given the current evidence:

  • North Korea had a less sophisticated hacking team work on its ransomware than the aforementioned cyber espionage actors;
  • WannaCry was still in its testing phase and the North Korean cyber espionage actors lost control of it prematurely, similar to how the advanced cyber tool Stuxnet propagated beyond its intended target of Iran’s nuclear program, leading to its discovery; and
  • North Korean hackers with access to the malware and tools moonlighted on their own and lacked the sophistication of their entire hacking team.

It is highly unlikely that this ransomware campaign was carried out exactly how the attackers planned. The motivation element of this puzzle would not make sense, regardless of whether the attackers were the North Korean government or another actor who hired North Korean hackers as contractors or otherwise acquired their proprietary toolset.

What would the North Korean government have to gain? North Korea is interested in obtaining funds on the order of millions, not thousands, of dollars. Furthermore, its neighbors, Russia and China, were among the hardest hit by WannaCry, which would not have been a smart move geopolitically. Another foreign state directing the operation would likely be deterred by the potential for WannaCry’s impact within its own borders. Cyber criminals pursuing financial gain would have wanted the ransomware to work correctly and not be disabled so quickly. Moreover, WannaCry also does not fit the profile of hacktivists who usually accompany cyber attacks with messaging about why they attacked to bring more attention to their perceived grievances.

Assuming the attackers were either a second-rate North Korean hacking team, a sophisticated North Korean team that lost control of its malware, or moonlighting North Korean hackers, those three scenarios would warrant very different responses. For the first, an argument could be made that the North Korean government sponsored the attack, even if it intended the WannaCry malware to operate differently. For the second, the North Korean government did not mean to deploy the ransomware – whether they would decide to deploy it in the future should not be a consideration in a decision about retribution. In the third scenario, the North Korean government was not even behind the attack.

These scenarios illustrate the importance of in-depth, thoughtful attribution that takes into account not just similarities in code, but also the level of sponsorship. Considering adversaries’ intent, not just technical indicators, helps narrow down the list of possible perpetrators, but there is still a long way to go in honing WannaCry’s attribution.

The international nature of the WannaCry attack probably will complicate any governmental response. Governments almost certainly will differ as to what constitutes an appropriate threshold for attribution, and even if there were to be consensus about the perpetrators’ identity, agreement over the appropriate response is highly unlikely. Another complicating factor is the indiscriminate nature of the attack, with no one country’s computers specifically targeted. WannaCry does not require targeted distribution methods such as spearphishing emails but rather propagates automatically from computer to computer. Since no one country naturally takes primacy in the decision-making, reaching international consensus could take longer.

The harder it is to reach an international consensus, the more appealing it is for governments to respond unilaterally. This increases the chances that governments with a lower threshold for attribution could prematurely accuse the North Korean government and, as a result, risk incorrectly laying blame that could incite retribution on North Korea’s part. Governments should avoid making the consequences of WannaCry even worse by retaliating based on hasty attribution.

Sarah Geary is a senior analyst on FireEye's Horizons team, which conducts strategic forecasting to anticipate risks posed by emerging technologies and geopolitical developments. She specializes in cyber deception and advanced analytic tradecraft. Prior to joining FireEye, Geary served nearly a decade in government, focusing mostly on cyber threat analysis.
