NSA Links WannaCry Ransomware Attack To North Korea

It's been a little over a month since the WannaCry ransomware compromised more than 300,000 computers around the world. That appears to be just enough time for the U.S. National Security Agency (NSA) to attribute the attack to North Korea's Reconnaissance General Bureau (RGB).

The Washington Post reported that the NSA linked the RGB to WannaCry after analyzing the attackers' "tactics, techniques, and targets." The report was sourced to U.S. intelligence officials who have seen the NSA's assessment of the WannaCry attack; we have not been able to independently confirm the claim at this time. North Korean involvement would make sense, however, considering the country's suspected ties to other global hacking efforts.

North Korea came into the spotlight back in 2014 when it was accused of hacking Sony Pictures. The country was apparently furious about a movie called "The Interview" in which Seth Rogen and James Franco play journalists recruited by the CIA to assassinate North Korean leader Kim Jong-un. The hack revealed private information about Sony Pictures, its employees, and several films the studio was developing at the time.

In May 2016, Symantec attributed hacks of global banks to the Lazarus group, which has ties to North Korea. The group allegedly stole $81 million from the Bangladesh central bank and attempted to steal $1 million from Vietnam's Tien Phong Bank. It might also have stolen $12 million from Ecuador's Banco del Austro, but Symantec said it didn't have details about the tools used in that incident or if it's connected to the others.

That brings us to WannaCry. The ransomware struck in May, and it affected tens of thousands of computers shortly after it was unleashed on the world. It would go on to compromise hundreds of thousands more across 150 countries. Like other ransomware, WannaCry encrypted affected devices' hard drives and then offered to decrypt them if victims handed over enough Bitcoin. The attack was so severe that Microsoft released an emergency patch for otherwise unsupported versions of Windows (such as XP, 8, and so on) to prevent WannaCry from spreading further.

The Washington Post reported on the motivation behind the WannaCry attack:

WannaCry was apparently an attempt to raise revenue for the regime, but analysts said the effort was flawed. Though the hackers raised $140,000 in bitcoin, a form of digital currency, so far they have not cashed it in, the analysts said. That is likely because an operational error has made the transactions easy to track, including by law enforcement.

The effects of WannaCry are still being felt. Earlier this week, Microsoft said that its monthly Update Tuesday release included additional patches meant to prevent nation-state attackers from compromising Windows devices. Much like the patches released in May, these updates were released to legacy versions of Windows to make sure organizations that haven't moved to Windows 10 (and there are many) aren't defenseless.

The NSA might hesitate to publicly accuse North Korea of sponsoring or conducting the WannaCry attack for a few reasons. First, attributing cyberattacks is often tricky and requires a lot of evidence. Second, many different countries are involved, which means the agency will have to be delicate. And third, according to Microsoft, the NSA is at least partly responsible for the WannaCry attack.

Here's what the company's chief legal officer, Brad Smith, said in a blog post:

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

Chances are good that the NSA won't want to publicly call out North Korea for using an exploit stolen from the U.S. In the meantime, at least now we have a better idea about why the WannaCry attack occurred, and Microsoft seems to be set on preventing similar attacks in the future. Those efforts might prove futile, but at least people using legacy versions of Windows are being reminded how important it is to update their software.