NSA links cyberattack to Pyongyang

The Washington Post
A customer walks by the notice about 'ransomware' at CGV theater in Seoul, South Korea, Monday, May 15, 2017. The letters read 'Due to ransomware affection, we are unable to screen advertisement. The movie is going to start 10 minutes after the ticket time.'

The National Security Agency has linked the North Korean government to the creation of the WannaCry computer worm that affected more than 300,000 people in some 150 countries last month, according to U.S. intelligence officials.

The assessment, which was issued internally last week and has not been made public, is based on an analysis of tactics, techniques and targets that point with “moderate confidence” to North Korea’s spy agency, the Reconnaissance General Bureau, according to an individual familiar with the report.

The assessment states that “cyber actors” suspected to be “sponsored by” the RGB were behind two versions of WannaCry, a worm that was built around an NSA hacking tool that had been obtained and posted online last year by an anonymous group calling itself the Shadow Brokers.

It was the first computer virus to be paired with ransomware, which encrypts data on victims’ computers and demands a ransom to restore access.

WannaCry was apparently an attempt to raise revenue for the regime, but analysts said the effort was flawed. Though the hackers raised $140,000 in bitcoin, a form of digital currency, so far they have not cashed it in, the analysts said. That is likely because an operational error has made the transactions easy to track, including by law enforcement.

As a result, no online currency exchange will touch it, said Jake Williams, founder of Rendition Infosec, a cybersecurity firm. “This is like knowingly taking tainted bills from a bank robbery,” he said.

Though the assessment is not conclusive, the preponderance of the evidence points to Pyongyang. It includes a range of Internet protocol (IP) addresses in China historically used by the RGB, and the assessment is consistent with intelligence gathered recently by other Western spy agencies. It states that the hackers behind WannaCry are also known as “the Lazarus Group,” a name used by private-sector researchers.

One of the agencies reported that a prototype of WannaCry ransomware was found this spring in a non-Western bank. That data point was a “building block” for the North Korea assessment, the individual said.

The linkage shows that despite the Obama and Trump administrations’ efforts to deter North Korean aggression, the hermit kingdom does not appear to have been discouraged from launching one of the most wide-ranging cyberattacks the world has seen.

“What it really confirms is that . . . you don’t have to be the best in the business to cause a lot of disruption,” said Michael Sulmeyer, director of the cybersecurity project at Harvard’s Kennedy School. “And that’s what they showed they were willing and able to do.”

The NSA declined to comment.

North Korea is one of the world’s most isolated countries, with very little computer infrastructure. Yet it has managed to deploy cyber capabilities to harass and annoy its rival, South Korea, and to generate revenue for the authoritarian regime.

Last year, security researchers identified North Korea as the culprit behind a series of cyber-enabled heists of banks in Asia, including one in Bangladesh that netted more than $81 million by manipulating the bank’s global payments messaging system.

The fact of a nation-state using cyber tools to rob banks, then-NSA Deputy Director Richard Ledgett said in March, represented “a troubling new front in cyberwarfare.” He did not name North Korea, but the allusion was clear. “This is a big deal,” he said.

North Korea in 2014 hacked Sony Pictures Entertainment and demanded that the movie studio pull a film that satirized the country’s leader, Kim Jong Un. The hackers disabled computers and released embarrassing company emails. But what tipped the scale for President Barack Obama was the threat to do more damage if the studio did not yank the movie – a move that the administration viewed as an assault on free speech. The administration publicly blamed Pyongyang for the attack and imposed new economic sanctions on the regime.

The NSA cyber tool at the base of WannaCry was an exploit dubbed EternalBlue by the agency. It took advantage of a flaw in the SMBv1 file-sharing service of Microsoft Windows, letting an attacker run code on a vulnerable machine over the network without any credentials, which is what allowed the worm to spread from one computer to the next on its own.

Although Microsoft, after being notified by the NSA, issued a patch for the software flaw in March (security bulletin MS17-010), many companies around the world and some in the United States failed to update their machines and fell victim to the worm. Michael Daniel, president of the Cyber Threat Alliance, a nonprofit group devoted to improving cyberdefenses through data sharing, said there were a “reasonable number” of victims in the United States.
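The practical check behind that paragraph is whether a Windows host is still exposed: is the SMBv1 server that EternalBlue targets switched on, and is the March 2017 fix present. The following PowerShell is an added example, not code from the article or from any of the parties it quotes; it assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the Get-SmbServerConfiguration cmdlet exists), and the KB numbers it lists are those published for MS17-010, which should be cross-checked against the bulletin for the exact OS build in question.

```powershell
# Added example (not from the article): is this Windows host still exposed to the
# flaw that EternalBlue exploits? Two questions matter: is the SMBv1 server enabled,
# and is one of the MS17-010 updates installed. Run in an elevated PowerShell
# on Windows 8 / Server 2012 or later.

# 1. Is the SMBv1 server still switched on? This is the service EternalBlue talks to.
$smb = Get-SmbServerConfiguration
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server is ENABLED - this is the protocol EternalBlue targets."
} else {
    Write-Output "SMBv1 server is disabled."
}

# 2. Is one of the MS17-010 updates installed?
# KB numbers as published for MS17-010 (March 2017) and the May 2017 out-of-band
# release for unsupported versions. Verify against the bulletin for your build.
$ms17010 = @(
    'KB4012598',               # Vista / Server 2008; also XP / Server 2003 / 8 (May 2017)
    'KB4012212', 'KB4012215',  # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012214', 'KB4012217',  # Windows Server 2012
    'KB4012213', 'KB4012216',  # Windows 8.1 / Server 2012 R2
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 update present: $($installed.HotFixID -join ', ')"
} else {
    # Caveat: on Windows 10 the fix is carried forward by later cumulative updates whose
    # KB numbers are not in the list above, so an empty result means "verify the OS build
    # level", not "the machine is unpatched".
    Write-Warning "No MS17-010 KB found by ID; verify the cumulative update level instead."
}

# 3. Remediation: disabling SMBv1 removes the attack surface even on patched hosts.
# Uncomment to apply after confirming nothing on the network still depends on SMBv1.
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
```

Patching closes the specific hole; turning off SMBv1 is the durable fix, since it removes the protocol the exploit depends on rather than one bug in it. Keep in mind that Get-HotFix only finds updates by their own KB number, which is why the script treats a miss on Windows 10 as a prompt to check the build level rather than as proof the host is vulnerable.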

Microsoft declined to comment for this report.

Williams, who has closely studied the code, said he is convinced that the ransomware accidentally got loose in a testing phase. That would explain some of its shortcomings, such as an inability for the attacker to tell who has paid the ransom or not, he said.

Nonetheless, he said, “this is a case where you’ve got a weaponized, government-sponsored exploit [or hacking tool] being used to deliver ransomware. If North Korea goes unchecked with this, I would expect other developing nations to follow suit. I think that would change the cyberthreat landscape quite a bit.”

Daniel, who was Obama’s cybersecurity coordinator, said there needs to be “a broad-based approach to deterring North Korea across the board” in the physical world and in cyberspace.

Federal prosecutors have been probing North Korea’s role in the Bangladesh bank theft and indictments could be issued. The Justice Department in recent years has used indictments as a tool to try to hold accountable hackers from other nation states, including China and Iran.

Rep. Adam B. Schiff, Calif., the top Democrat on the House Intelligence Committee, which is investigating Russian interference in the 2016 election, has said the Obama administration’s response to North Korea after the Sony attack was not bold enough. “I . . . think the Russians were watching and decided that, well, we didn’t respond to that. They could get away with a cyberattack,” he said at a recent public discussion with Washington Post columnist David Ignatius.

When the South Koreans want to respond to North Korea, he said, they use a form of information warfare. “They do it with loudspeakers,” he said. “They do it by telling people in the North what a terrible regime they live under that’s starving their own people.”
