The BBC reported on the 16th of June 2017 that unnamed security sources had informed them the UK’s National Cyber Security Centre (NCSC) “believes that a hacking group known as Lazarus launched the attack.” The Lazarus group is the name attributed to state-linked North Korea hackers by some experts in the cyber security industry.
The BBC’s report speculates that “private sector cyber security researchers reverse engineered the code but the British assessment by the NCSC – part of the intelligence agency GCHQ – is likely to have been made based on a wider set of sources.”
The article also quotes Adrian Nish, who they say leads the cyber threat intelligence team at BAE. According to the report his team “saw overlaps with previous code developed by the Lazarus group.”
“It seems to tie back to the same code-base and the same authors…the code-overlaps are significant,” Nish said.
North Korean hackers have previously been held responsible for financially motivated attacks, including a 2016 hack on SWIFT payment systems which netted them $81m from the central bank of Bangladesh.
The BBC quotes BAE representative Nish as saying “it was one of the biggest bank heists of all time in physical space or in cyberspace.”
The May 2017 ransomware attack, which primarily hit European telecoms, manufacturing plants, transport networks, the NHS, and other such networks, saw incredibly low ransom demands – at around $300 – which was notably unusual, and also resulted in a payment total of only around $150,000 to three Bitcoin wallets which have been left completely untouched.
The report also repeats a line first used by the poorly briefed Home Secretary, Amber Rudd, that the attack was “random” rather than targeted.
There are issues with all of this.
Firstly, from a strategic point of view, the attack benefitted two parties above all others: Trump and Putin.
Secondly, there was at the time insufficient evidence to attribute the attack to North Korea based solely on an assessment of old code in the ransomware as the link. The experts I spoke to at FireEye have told me this morning that nothing has changed in their assessment.
Because of the lack of substance in the BBC reports, I called the NCSC, who are part of GCHQ. Their only reply, as I anticipated, is that they can “neither confirm nor deny” the report.
The thrust of an NCND declaration is to decline comment without dissuading anyone from believing the veracity of the report, which indicates that the DPRK and their state-backed Lazarus hackers are potentially linked to the May attack using Wannacry. However, there is only a moderate level of confidence in the assessment.
Moderate confidence generally means credibly sourced and plausible information, but not of sufficient quality or corroboration to warrant a higher level of confidence. It means that the information the NCSC holds is no different from what I have uncovered as regards the code: essentially there is a link via the code, but also doubt as to what it actually means.
As a result, I am able to say with a high level of confidence that FireEye is right and nothing has changed over the last month.
I have, of course, been in touch with industry experts from the start of the attack and while I have no doubt there was DPRK code in the previous versions of the ransomware, and some of the delivery mechanism tools, it is my understanding that those similarities in earlier versions are not significant enough to attribute Wannacry version 2 to Lazarus.
Also, once the “sandpit” defect was identified, the software was rapidly adapted twice to remove the so-called kill-switch facility. There is no known NK code in those updates either.
I have also read the most recent US-CERT bulletin from the NSA/FBI, which confirms that older programming indicates previous versions of ransomware used NK code and deployment methods (in the Sony attack in 2014) but adds nothing to change the view I’ve established on the software itself. The most recent bulletin focuses on DDoS attacks and system vulnerabilities unrelated to those used in the Wannacry attack.
I remain deeply conscious that the original source of the NK finding was Kaspersky, largely because of the public declarations of the US intelligence community about the firm being a Russian asset and the concerns the USIC raised over Kaspersky software posing a risk to US Government systems due to potential exposure to Kremlin access. In light of other reports, including the previous JARs and the CIA declassified report, it appears highly probable that the US assessment of Kaspersky is more than feasible, which throws doubt on everything they say and do.
Lazarus themselves are a professional outfit with a broadly successful history and rapidly developing technology and finances. Their last, highly targeted, heist in 2016 was the $81 million Bangladesh central bank attack. It is therefore a safe assumption that they have developed well beyond the Sony days, and this does not sit well with the low-value Bitcoin demand – or the value achieved, currently about $140,000. The Bitcoin wallets have also been left untouched. Broadly the concern, with a high level of confidence across the security sector, is that the whole ransom aspect of the attack was nothing more than a ruse. This does not fit the DPRK pattern and does not fit the clumsy privateer theory either.
Sitting alongside the Wannacry issue are growing concerns over other cyber weapons, such as CrashOverride – a Russian tool which is linked to APT28/29 (Fancy Bears and Cozy Bears), both of whom are Russian intel outfits. The weapon was last successfully deployed in Ukraine in 2016, targeting utility networks and cutting power to one-fifth of Kiev.
Through my own network of contacts, the broader concern under discussion – and that’s as far as I’m willing to go at the moment – is that the Wannacry episode was, in fact, a weapons test, with the payload swapped out and seeded to deliberately point elsewhere.
It is thought Russia was simply testing the delivery mechanism for weapons like CrashOverride, and gauging the spread and impact. This is also largely supported by the low levels of collateral damage in Russia, which were “localised” very quickly with only minor disruption, and was followed almost immediately by Putin’s statement in China that intelligence-agency-led programmes are sometimes accompanied by accidents. The Russians are hardly known for finesse, let’s be honest.
APT28/29 also dovetail into this scenario for two further reasons.
Firstly, access points. They were running an active spear-phishing operation exploiting Windows vulnerabilities in the run-up to the attack. They got caught out partially because they used a NATO email and it was picked up by the Romanian embassy.
The initial entry point for Wannacry, despite its network spread, almost certainly involved some degree of spear-phishing; adaptation of the payload to existing worms has been all but ruled out. There remains a question over “zero day” access, but taking into account all the facts available, spear-phishing through emails or cookies appears more likely, and Wannacry only needed access to one networked computer to then self-propagate due to the EternalBlue (or similar) capability.
Secondly, the involvement of the Shadow Brokers is questionable. A theory has developed that they are also a deniable asset of APT28/29 and, in part, their broken language pattern supports this. It is also a feature repeated in the story of the Guccifer 2.0 hack of the DNC (which was Russia) and also in the North Korean code.
Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, told CNBC that the Korean language used in some versions of the WannaCry ransom note “was not that of a native speaker, making a Lazarus connection unlikely.”
Even Kaspersky’s worldwide staff have started to throw doubt on the claims of North Korean responsibility.
Asia research director Vitaly Kamluk said it was not conclusive evidence. “It’s unusual,” he added.
Presently, the Shadow Brokers are threatening to auction data on nuclear systems belonging to Iran, NK, and Russia, as well as other stolen US intelligence tools.