Canada is among the governments that helped the United States conclude last spring’s WannaCry global ransomware attack was created by North Korea, a senior White House security advisor has told reporters.
Tom Bossert, the President’s Homeland Security advisor, made the statement Tuesday, also crediting Microsoft and Facebook for gathering evidence that allowed the U.S. to come to the conclusion, according to the Washington Post.
Bossert said Canada, the United Kingdom, Australia and New Zealand — all members of the “Five Eyes” intelligence co-operative — as well as Japan agreed with the research.
In a statement Greta Bossenmaier, chief of the Communications Security Establishment (CSE), Canada’s electronic spy agency, said the U.S. assessment “is consistent with our analysis. The Government of Canada strongly opposes the use of cyberspace for reckless and destructive criminal activities. Using malware such as WannaCry to extort ransoms and disrupt services is unacceptable, whether conducted by an individual or a nation state. We remain committed to working with our allies and partners to maintain the open, reliable and secure use of cyberspace.”
“This was a careless and reckless attack,” Bossert was quoted as saying. “It affected individuals, industry, governments and the consequences were beyond economic. The computers affected badly in the U.K. in their health care system put lives at risk, not just money,” Bossert said.
CBS News also quoted him saying the U.S. “looked not only at operational infrastructure, but [also] tradecraft and routine used in past attacks” to reach its conclusion. Bossert also said North Korea used unnamed intermediaries outside the country to carry out the WannaCry attacks.
Bossert first made the allegation Monday in an op-ed piece in the Wall Street Journal, saying that “after careful investigation” the U.S. attributed the malware to North Korea. However, it came after British officials in October blamed the outbreak on North Korea. At the time North Korea was quoted as saying the U.K. allegation was “beyond the limit of our tolerance” and was a “wicked attempt to lure the international community into harboring greater mistrust” of the country.
The fact that the “Five Eyes” partners were involved in the analysis takes the allegation “from possible to probable,” said David Swan, Alberta-based director of cyber intelligence at the Centre for Strategic Cyberspace and Security Science, a security consultancy.
Typically Microsoft doesn’t point fingers on attributing cyber attacks, he added, but on this it is allowing its name to be used. “That’s a massive indicator, right there.”
As for what CISOs should be considering with this allegation, Swan wonders if the traditional holiday break companies give their IT staff starting Dec. 25 — except retailers — will be a good time for another cyber attack. “I’d be damned good and worried,” he said.
It comes as tension rises between Western countries and North Korea over that nation’s nuclear weapons program. At the same time North Korea has bitterly objected to economic sanctions imposed by a number of countries, including Canada, and resolutions passed by the United Nations.
Hitting hundreds of thousands of computers in May, the malware has been dubbed WannaCry by threat researchers because it appends .WCRY to files it encrypts. It is a combination of exploits, at least two of which — called “EternalBlue” and “DoublePulsar” — are believed to have been stolen from the U.S. National Security Agency (NSA) by the Shadow Brokers. EternalBlue exploits a vulnerability in the Windows Server Message Block (SMB) protocol, while DoublePulsar is a backdoor.
As Cisco Systems noted, WannaCry spread like a worm by scanning systems linked by a network to any machine it infected. WannaCry (sometimes called WannaCrypt) hit 150 countries but its spread was stopped only because a researcher disabled a URL the malware beaconed to.
It is not the first time North Korea has been accused by the U.S. of spreading malware. In November the U.S. Department of Homeland Security and the FBI issued technical alerts on two tools they say are used by the country: one is a remote administration tool (RAT) dubbed FallChill, the other a backdoor trojan called Volgmer. The group using these exploits has been dubbed Hidden Cobra. The statement says North Korea uses the tools to target the media, aerospace, financial, and critical infrastructure sectors in several countries.
“The North Korean government malicious cyber activity noted in these alerts is part of a long-term campaign of cyber-enabled operations that impact the U.S. Government and its citizens,” the statement said. It followed up on another technical alert and malware analysis report of a malware variant it calls DeltaCharlie that allegedly manages North Korea’s distributed denial-of-service (DDoS) botnet infrastructure.
North Korea is believed by many — but not all — cyber security experts to have been behind the 2014 Sony hack. It is also believed to have been behind the 2013 attacks on banks and media outlets in South Korea.
In an October, 17 article on North Korea’s cyber capabilities, the New York Times quoted experts as saying that hacking is an almost perfect weapon for a country that is isolated and has little to lose. “Cyber is a tailor-made instrument of power for them,” the article quotes Chris Inglis, a former deputy director of the National Security Agency, as saying. “There’s a low cost of entry, it’s largely asymmetrical, there’s some degree of anonymity and stealth in its use. It can hold large swaths of nation state infrastructure and private-sector infrastructure at risk. It’s a source of income.”
According to Reuters, North Korea’s main spy agency has a special cell called Unit 180 that some believe is behind a number of cyber attacks.