The Trump Administration has officially declared that North Korea was behind the series of ransomware attacks that plagued the internet earlier this year.
When a series of WannaCry ransomware attacks broke out seven months ago, Google researcher Neel Mehta attributed the attacks to North Korea.
Mehta tweeted portions of code that an early version of WannaCry shared with a backdoor program called Contopee, used by a group called Lazarus, which Wired called “a hacker cabal increasingly believed to operate under the North Korean government’s control”.
Matt Suiche, a Dubai-based security researcher and founder of the security firm Comae Technologies, said that “there’s no doubt” that the two programs share unique code.
The Lazarus group became notorious after a series of high-profile attacks, including the Sony Pictures hack in late 2014 that US intelligence agencies attributed to North Korea, the Bangladesh bank heist that fraudulently transferred $81 million USD out of the Central Bank of Bangladesh, and the DarkSeoul cyberattack on television broadcasters, banks, and financial companies.
Following Mehta’s tweet, Kaspersky wrote a blog post which detailed the similarities in the two code samples. Kaspersky called it “the most significant clue to date regarding the origins of WannaCry”.
“Pyongyang will be held accountable,” Tom Bossert, White House cybersecurity chief, wrote in an opinion piece for the Wall Street Journal last week, belatedly confirming what Mehta and others had been suspecting from the start.
“As we talk about to whom to attribute the WannaCry attack, it’s also important to remember to whom to attribute the source of the tools used in the attack: the NSA,” Kevin Bankston, director of the New America Foundation’s Open Technology Institute, said. “By stockpiling the vulnerability information and exploit components that made WannaCry possible, and then failing to adequately shield that information from theft, the intelligence community made America and the world’s information systems more vulnerable.”
Bankston was referring to the National Security Agency’s secret exploit called EternalBlue which, according to Wired, “exploits flaws in a Windows protocol … to remotely take over any vulnerable computer”. A group of hackers called the Shadow Brokers obtained and publicly released a cache of stolen NSA code, EternalBlue among it.
Jake Williams, a former NSA hacker and founder of Rendition Infosec, said that Bossert’s statement holding North Korean hackers accountable failed to hold the NSA accountable.
“North Korea couldn’t have done this without us. We enabled the operation by losing control of those tools,” he added. “To have a discussion about accountability for North Korea without the discussion of how they got the material for the attack in the first place is irresponsible at best and deceptive at worst.”