North Korea Becomes Usual Suspect in
WannaCry Cyber Attack
May 16, 2017
Cyber security experts admit the technical evidence linking North Korea
to the global WannaCry "ransomware" cyber attack is somewhat tenuous,
but Pyongyang has the advanced cyber capabilities, and the motive to
compensate for revenue lost to economic sanctions, to be considered
a likely suspect.
Since Friday, the WannaCry software virus has infected more than 300,000
computers in 150 countries, paralyzing factories, banks, government
agencies, hospitals and transportation systems across the globe.
On Monday, analysts with the cyber security firms Symantec and Kaspersky
Lab said some code in an earlier version of the WannaCry software had
also appeared in programs used by the Lazarus Group, which has been
identified by some industry experts as a North Korea-run hacking
“Right now we've uncovered a couple of what we would call weak
indicators or weak links between WannaCry and this group that's been
previously known as Lazarus. Lazarus was behind the attacks on Sony and
the Bangladesh banks for example. But these indicators are not enough to
definitively say it's Lazarus at all,” said Symantec researcher Eric
Symantec has linked the Lazarus group to a number of cyber attacks on
banks in Asia dating back years, including the digital theft of $81
million from Bangladesh's central bank last year.
The U.S. government blamed North Korea for the hack on Sony Pictures
Entertainment that leaked damaging personal information after Pyongyang
threatened “merciless countermeasures” if the studio released a dark
comedy movie that portrayed the assassination of Kim Jong Un. And South
Korea had accused the North of attempting to breach the cyber security
of its banks, broadcasters and power plants on numerous occasions.
Pyongyang is believed to have thousands of highly trained computer
experts working for a cyber warfare unit called Bureau 121, which is
part of the General Bureau of Reconnaissance, an elite spy agency run by
the military. There have been reports the Lazarus group is affiliated
with Bureau 121. Some alleged North Korean-related cyber attacks have
also been traced back to a hotel in Shenyang, China near the Korean
“Mostly they hack directly, but they hack other countries first and
transfer (the data), so various other countries are found when we trace
back, but a specific IP address located in Pyongyang can be found in the
end,” said Choi Sang-myung, a senior director of the cyber security firm
Hauri Inc. in Seoul.
It is not clear if the purpose of the WannaCry malware is to extort
payments or to cause widespread damage.
The WannaCry hackers have demanded ransoms from users, starting at $300,
to end the cyber attack, and have threatened to destroy all data on
infected computers otherwise. So far the perpetrators have raised less than
$70,000, according to Tom Bossert, a homeland security adviser for U.S.
President Donald Trump.
The countries most affected by WannaCry to date are Russia, Taiwan,
Ukraine and India, according to Czech security firm Avast.
under increased economic sanctions for its nuclear and ballistic missile
programs, it would not be surprising for North Korea to attempt to make
up for lost revenue through illicit cyber theft and extortion. But the
WannaCry ransomware is more advanced than anything North Korean hackers
have used in the past.
“Previous ransomwares required people to click an attachment in an email
or access a specific website to get infected, but this time (computers)
can be infected without getting an email or access to a website, just by
connecting an Internet cable,” said Choi.
FireEye Inc., another large cyber security firm, said it was also
investigating but cautious about drawing a link to North Korea.
In addition to past alleged cyber attacks, North Korea had also been
accused of counterfeiting $100 bills, which were known as “superdollars”
or “supernotes” because the fakes were nearly flawless.