WannaCry is back in the news, building on initial reports attributing the now infamous crypto-ransomware family to North Korea. But the absence of a “smoking gun” makes attribution challenging, and according to F-Secure Security Advisor Sean Sullivan, WannaCry seems to fit into a gray area between nation-states and cyber crime.
“It’s a challenge to attribute Russian malware to ‘Russia’ because of Russian cyber criminals and mercenaries, who could be acting on their own. Attribution is even murkier in the hermit kingdom of NK – but whatever the relationship between the hackers and the NK government – there’s far more to North Korean hackers than most people would have guessed 5 years ago.”
News broke today regarding new connections between the WannaCry ransomware family and the Lazarus group. The Lazarus group have been blamed for several high-profile attacks, and are widely believed to be linked to the North Korean government.
While initial reports linking WannaCry to the Lazarus Group were based on similarities of the code, new connections have now been made between WannaCry and the resources used in the Lazarus group’s previous attacks (such as instances of shared command-and-control infrastructure).
The new evidence does a lot to support the theory that the Lazarus group was behind the ransomware outbreak that affected hundreds of thousands of computers worldwide.
But even if the Lazarus group operates with support from North Korea, it doesn’t mean that the NK government was behind the WannaCry outbreak, in the sense that they directed it. Sean says that it’s not uncommon for individual hackers to “moonlight” as cyber criminals, or for cyber criminals to work on behalf of nation-states underneath the right circumstances.
For that reason, many believe it makes more sense to view the WannaCry outbreak as a cyber crime campaign in spite of apparent links to North Korea. But attributing attacks like these adds another layer of complexity, in that they exhibit links with both cyber crime and nation-states. F-Secure Labs recently published a white paper on a hacking group that also seemed to fit into both camps.
“The million dollar question isn’t whether the Lazarus group is linked with North Korea, it’s what that link actually is. The attacks on Sony and the Bank of Bangladesh also had financial elements, which is unusual for nation-states,” says Sean. “But given the current sanctions on North Korea, it makes sense for them to use cyber crime as a source of income.”
Sean adds that there are cyber attacks that have more traditional characteristics of nation-state attacks that seem to reflect North Korean interests. A UN committee investigating violations of North Korean sanctions was hit by a cyber attack earlier in the month.
“Many countries investing in cyber attack capabilities compartmentalize these operations, so one group can have different objectives and operations than the other,” adds Sean.