Clue suggests North Korean link with global cyber attack while researchers urge caution
As organisations and services return to their usual operations after Friday’s major cyber attack, researchers begin to dissect the malware for hints of its origins, and how it spread so quickly.
WannaCry, the ransomware responsible for the large-scale cyber attack, has infected more than 300,000 computers in 150 countries since Friday. The National Health Service and Spanish telecommunications provider Telefónica were among the major organisations affected.
Infected computers displayed a message warning the user that their files had been encrypted, and instructing them to pay $300 to $600 in bitcoin for the return of their data.
The ransomware is widely thought to be based on ‘Eternal Blue’, a hacking tool built by the US National Security Agency that exploits a vulnerability in Microsoft operating systems. Eternal Blue was leaked by a hacking group called the Shadow Brokers earlier this year.
Caleb Barlow, vice-president at IBM Security, commented that it is uncertain how the malware began to spread in the first place. Most cybersecurity companies have been quick to blame phishing emails – emails containing viruses in links or attachments – for installing WannaCry on computer systems. This is the conventional way in which ransomware spreads.
In searching through an IBM database of more than one billion emails, however, Barlow’s team found no links to the attack, and could not identify “how the hell” the infection began. Identifying the cause of an infection and understanding its propagation is vital for preventing fresh attacks.
“It’s statistically very unusual that we’d scan and find no indicators,” said Barlow. Some cybersecurity companies, however, announced that they have found samples of the malicious emails.
Once a certain number of infections were established, researchers agree, WannaCry was able to use the Microsoft vulnerability to propagate.
Commentators remain uncertain as to the purpose of the campaign. Most ransomware campaigns attempt to extort as much money as possible, but despite the enormous scale of the WannaCry attack – likely the “largest ransomware attack in history” – the campaign is thought to have collected only $50,000 in ransom.
“I believe that this was spread for the purpose of causing as much damage as possible,” said Matthew Hickey, co-founder of UK-based cyber consulting firm Hacker House.
Just three bitcoin wallets – which allow users to send and receive the cryptocurrency – have been found to be associated with the attack. Cybersecurity experts describe the attack as rudimentary compared with conventional ransomware campaigns, which often use sophisticated methods to convince victims to pay.
Jonathan Levin of Chainalysis, which monitors bitcoin payments, noted that while other ransomware attackers continually empty their bitcoin wallets, the bitcoin in these attackers’ wallets has remained where it was: “they really aren’t set up well to handle their bitcoin payments,” he commented.
This lack of sophistication could support the suggestion of some researchers that North Korean hackers could be behind the cyber attack.
In the fallout of the attack, a Google security researcher called Neel Mehta identified and published a sample of code on Twitter which may be exclusive to North Korean hackers. The code, taken from an earlier version of the WannaCry malware, had previously appeared in programmes used by a North Korean hacking group, the Lazarus Group.
The Lazarus Group have been accused of a major cyber attack on film studio Sony Pictures in 2014, which was due to release a comedy film about a plot to assassinate North Korean dictator Kim Jong-Un. They were also traced to the theft of $81 million from the Bangladeshi central bank.
Symantec and Kaspersky Lab are investigating the possible link, with Kurt Baumgartner, a Kaspersky Lab researcher, describing the code as “the best clue we have seen to date as to the origins of WannaCry”.
Representatives from both organisations, however, have said that it is too early to tell whether North Korea was involved in the attacks, and joined other industry experts in agreeing that the first step is to understand basic questions about the malware.
Simon Choi, a government adviser and senior researcher at Hauri Labs, South Korea, said today that North Korea has been developing and testing ransomware programmes for months. In one case, North Korean hackers demanded bitcoin payments in exchange for the return of information stolen from a South Korean shopping centre.
Anonymous US and European security officials have disclosed to Reuters that it is too early to say who is responsible for the attacks, but they did not rule out North Korea as a suspect.