Tokyo: The WannaCry cyberattack is certainly the biggest in history and it’s a scary preview of things to come we’re all going to have to get used to hearing the word “ransomware.” But one pertinent question stays, whether North Korea had anything to do with it.
Despite bits and pieces of evidence that suggest a possible North Korea link, experts warn there is nothing conclusive yet and a lot of reasons to be dubious. Why, for example, would Pyongyang carry out a big hack that hurt its two closest strategic partners more than anyone else? And for what appears to be a pretty measly amount of loot as of Friday the grand total of ransom that had been paid was less than $100,000.
Within days of the attack, respected cybersecurity firms Symantec and Kaspersky Labs hinted at a North Korea link. Google researcher Neel Mehta identified coding similarities between WannaCry and malware from 2015 that was tied to the North. And the media have since spun out stories on Pyongyang’s league of hackers.
But identifying hackers behind sophisticated attacks is a notoriously difficult task. Proving they are acting under the explicit orders of a nation state is even trickier.
When experts say North Korea is behind an attack, what they often mean is that Pyongyang is suspected of working with or through a group known as Lazarus. The exact nature of Lazarus is cloudy, but it is thought by some to be a mixture of North Korean hackers operating in cahoots with Chinese “cyber-mercenaries” willing to at times do Pyongyang’s bidding.
Lazarus is a serious player in the cybercrime world.
It is referred to as an “advanced persistent threat” and has been fingered in some very sophisticated operations, including an attempt to breach the security of dozens of banks this year. “The Lazarus Group’s activity spans multiple years, going back as far as 2009,” Kaspersky Labs said in a report last year. “Their focus, victimology, and guerrilla-style tactics indicate a dynamic, agile and highly malicious entity, open to data destruction in addition to conventional cyberespionage operations.”
But some experts see the latest attack as an anomaly.
WannaCry infected more than 200,000 systems in more than 150 countries with demands for payments of $300 in Bitcoin per victim in exchange for the decryption of the files it had taken hostage. Victims received warnings on their computer screens that if they did not pay the ransom within three days, the demand would double. If no ransom was paid, the victim’s data would be deleted.
Madden said the North, officially known as the Democratic People’s Republic of Korea, if it had a role at all, could have instead been involved by giving or providing parts of the packet used in the attack to another state-sponsored hacking group with whom it is in contact.
Other cybersecurity experts question the Pyongyang angle on different grounds.
Scott said he believes North Korea would likely have attacked more strategic targets — two of the hardest-hit countries, China and Russia, are the North’s closest strategic allies — or tried to capture more significant profits.
Very few victims of the WannaCry attack appear to have actually paid up. As of Friday, only $91,000 had been deposited in the three Bitcoin “wallet” accounts associated with the ransom demands, according to London-based Elliptic Enterprises, which tracks illicit Bitcoin activity.