In what's debatably the Trump administration’s largest cyber announcement so far, Thomas Bossert, the president’s homeland security adviser, on Monday formally accused North Korea of creating WannaCry, a cyberattack that crippled organizations worldwide earlier this year.
In May, the ransomware epidemic leveraged EternalBlue, a previously patched remote code execution SMBv1 vulnerability in Windows, locking victims out of systems unless they paid a ransom of $300 in Bitcoin.
While the attack mostly affected machines in Russia, Ukraine, India, and Taiwan, WannaCry also forced carmaker Honda to shut down production at a Japanese plant, knocked organizations run by the National Health Service (NHS) – the U.K.’s national healthcare system – offline, and adversely affected broadband and telecommunications provider Telefónica, Hitachi, and a handful of universities.
Bossert connected WannaCry to North Korea in an op-ed published in the Wall Street Journal on Monday night. Bossert said the U.S. was making the allegation based on evidence and insisted that Pyongyang, the capital of the Democratic People’s Republic of Korea, would be held accountable for its actions.
“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” Bossert wrote. “WannaCry was indiscriminately reckless.”
“The consequences and repercussions of WannaCry were beyond economic… These disruptions put lives at risk,” Bossert wrote elsewhere in the column.
The news, which was backed up by a press conference Tuesday morning, isn’t exactly a revelation. If anything, it almost seems more like an inevitable formality.
Researchers at a handful of firms, including Google, Kaspersky Lab, Microsoft, and Comae Technologies, all went on record that there was a connection between WannaCry and North Korea earlier this year.
Neel Mehta, a researcher with Google, was one of the first – in May – to confirm that portions of WannaCry’s code were similar to those used by the Lazarus APT group. Lazarus is the same outfit purportedly behind the 2016 SWIFT attacks in Bangladesh and 2014’s Sony Pictures Entertainment hack, an attack the U.S. also officially pinned on North Korea.
“The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money,” Comae Technologies’ Matthew Suiche said in a report at the time. “If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware.”
A Washington Post article published a month later, in June, corroborated those reports and cited an internal NSA assessment that stressed with “moderate confidence” that North Korea’s spy agency, the Reconnaissance General Bureau, was to blame for the malware.
Bossert wrote in his editorial that the United Kingdom agreed with the U.S.’s stance, and said during Tuesday’s press conference that New Zealand, Canada, and Australia also concurred with the U.S.’s findings.
While the announcement serves as a public condemnation of North Korea, it’s unclear exactly what the U.S.’s next steps will be.
Bossert said the U.S. “will act alone to impose costs and consequences for cyber malfeasance” when the time comes and that the government will work harder to “hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organizations or hostile nations.” Bossert didn’t specify how exactly the U.S. would carry out such actions.
The announcement comes almost three years to the day after the U.S. government called out North Korea for hacking Sony Pictures Entertainment. A press release issued by the FBI on December 19, 2014 said the bureau had enough information to conclude that the North Korean government was responsible for the SPE campaign.