The WannaCry outbreak was a massive worldwide ransomware attack that used the EternalBlue exploit to rapidly propagate the malware over corporate LANs and wireless networks. A number of security experts, including those at Kaspersky Lab, have linked the WannaCry attacks to North Korea’s Lazarus Group, an outfit either within that country’s government or acting on its behalf.
“After careful investigation, the U.S. today publicly attributes the massive WannaCry cyberattack to North Korea,” Bossert wrote in an article for the Wall Street Journal on Tuesday.
Bossert said the U.S. shared its WannaCry analysis with other governments, such as the United Kingdom, Australia, Canada, New Zealand and Japan, and that they also agreed to “denounce” North Korea for WannaCry attacks. He said Microsoft and others in the cybersecurity community also helped trace WannaCry back to North Korea.
“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious. WannaCry was indiscriminately reckless,” Bossert said.
Tim Erlin, VP of Product Management and Strategy at Tripwire, said accurate attribution for cyber attacks is almost always a difficult task. “It’s doubly so when the evidence leading to the conclusion can’t be shared,” he said.
“This conclusion about North Korea’s culpability isn’t new. The UK discussed the very same conclusion in October, with the very same caveats about sharing the actual evidence. You can’t arrest a nation-state, which inevitably prevents any real closure on an incident like WannaCry,” Erlin said. “If we’re going to have national security organizations delivering these types of conclusions on attribution to the public, we need to find a way to develop trusted output.”
Researchers said the attackers behind the May outbreak of WannaCry ransomware used EternalBlue, the codename for an exploit made public by the mysterious group that is in possession of offensive hacking tools allegedly developed by the NSA.
EternalBlue is a remote code execution attack taking advantage of an SMBv1 vulnerability in Windows. Microsoft patched the vulnerability on March 14, one month before the exploit was publicly leaked.
The attackers did not make a concerted effort to collect on ransom demands of approximately $300 in Bitcoin in exchange for a decryption key that would unlock any files encrypted during the WannaCry attack. Experts also said WannaCry’s well-documented killswitch was an odd choice to include in the ransomware, something that researchers still haven’t completely figured out.
Marcus Hutchins, the researcher hailed for his work in blunting the WannaCry ransomware outbreak in May, was arrested in August in Las Vegas and charged with creating and distributing the Kronos banking malware.
In a Wall Street Journal op-ed, Bossert called on the private sector to increase its “accountability in the cyber realm by taking actions that deny North Korea.” He also referenced action by Microsoft and “others” who “acting on their own initiative last week, without any direction or participation by the U.S.” disrupted the activities of North Korean hackers.
“Stopping malicious behavior like this starts with accountability. It also requires governments and businesses to cooperate to mitigate cyber risk and increase the cost to hackers. The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet,” he said.