The Malware Affair

Stephan Haggard (PIIE) and Aaron Crimmins (UCSD)



North Korea’s cyber ventures have become a staple of this blog: from malicious activity such as the Operation Troy cyberespionage campaign (2013) and Dark Seoul attacks against the South (also 2013), through the Sony hack (2014), the notorious bank heists of 2016 and the recent resurfacing of Lazarus; posts on these activities are linked below. Here, we review what we know about North Korea’s involvement in the malware affair.

Except for one 2016 incident attributed to state-sponsored Chinese hackers, this appears to be the first time that a sovereign state has been implicated in malware ransom-seeking (see Symantec on this point here). Attribution is one of the core problems with respect to malicious cyber activity, and the community is generally cautious; Symantec provides a nice timeline through May 14 of how suspicions converged. A researcher at Google appeared first out of the box, followed closely by Kaspersky and Symantec (see Cyberwire here and here for more detail). Analysts quickly noted the similarities between the WannaCry ransomware and code associated with the Lazarus Group, and the Contopee bank attacks attributed to the DPRK in particular. Drawing this connection was aided by a long technical report from Kaspersky Labs released only last month called Lazarus Under the Hood (.pdf) that tied together the attacks noted above while also separating out some of the Lazarus tools into a variant that they dubbed Bluenoroff.

Two other background factors are crucial to the case. The first, of course, is the ShadowBrokers’ dump of the EternalBlue exploit last month, which opened the door to the use of these tools by whoever saw the opportunity (see arsTechnica here). EternalBlue uses a fault in the file sharing apparatus of Windows’ XP, SE, and 7 operating systems. This fault opens a pathway for malicious attackers to inject and execute code of any kind on target devises, allowing malware to move through file-sharing protocols within organizations. The EternalBlue storyline is an important aspect of the case, as it and its sibling cyberweapons were allegedly developed by the US National Security Agency(NSA) in order to facilitate surveillance and espionage campaigns. This fact generated a quite public war of words between Microsoft and the government, with the company charging that the intelligence community should stop “stockpiling” tools to exploit against adversaries.

And second, WannaCry spread by exploiting a known Microsoft vulnerability that older systems and slower organizations had failed to update. This too generated controversy in Silicon Valley (see some of the legal issues at Cyberwire).  To be sure, the organizations should have updated. Yet it is also an open secret that software such as Windows XP and Server 2003 is kept alive through costly contracts that Microsoft signs with users, including public institutions like Britain’s National Health Service that are fiscally constrained.

Turning from the cyber forensics to the circumstantial evidence, two factors are at least consistent with the attribution. The first is the fact that as a ransomware attack, there is money to be made. If anything, North Korea is what Justin Hastings has called a Most Enterprising Country, continually seeking out new ways—both licit and illicit—to break the shifting constraints posed by sanctions. With those sanctions circling in on merchandise trade, services, and financial transactions, cyber no doubt seemed like a reasonable diversification.

But second, the attack would seem consistent with North Korea precisely because of its experimental quality and amateurishness. The WannaCry code is replete with “kit” code, taken from precompiled sets that are available for free on the web.  A relatively easy to find “killswitch,” which disables the ransomware by visiting an embedded link, was found by a young British cyber sleuth, putting a serious dent on the attack.  Researchers have posited that this malware was meant for a much smaller target set and poor code allowed it to proliferate much more widely than intended, using its ‘worm’-traits inherited from historical bugs such as Confiker.

Most indicative of WannaCry’s code deficiencies is the lack of an automated system to distribute the decryption keys to those who want to pay the ransom (Checkpoint blog here). In most instances of ransomware, the code of the malware includes a system to dispense a decryption key upon receipt of payment. Wannacry’s lack of such a system required that the attackers manually create and distribute keys for each ransom payer as needed, a time-consuming task to say the least.

If you want to know what it feels like to be hit by WannaCry (or WannaCrypt), Motherboard has a video that shows what the encryption looks like (on a virtual machine). The WannaDecryptOr messages ask for ransom, to be paid in Bitcoin. The attacks pose hard choices: to pay with uncertainty about whether you get your data back—blackmailer assurances to the contrary—or to not pay, always the favored approach for those trying to limit the spread of malware, but with loss of data.

As it turns out, two entities have developed sinkholes that allow for monitoring of the extent of the attack over time, one following unique IP addresses affected, the other the amount of money that actually found its way into the Bitcoin wallets. Malwaretech is tracking infections and shows about 417,000 as of the 19th (you can click through to a graphic that shows the time trend and geographical distribution). An irony: the US got off relatively easily, while a number of emerging markets—from China to Africa—were hit much harder. The geographic distribution suggests that entities in these countries were either running older systems or perhaps pirated versions of the software that did not have access to updates and patches at all.

Elliptic, working with Law enforcement, traced the ransom payments to a set of Bitcoin wallets.

All bitcoin transactions are public via a public distributed ledger dubbed the blockchain, though the identities of those involved in the transactions are obviously much more difficult to discern.  Having identified the wallets, Elliptic is standing ready to investigate the next movements of the Bitcoin held in those wallets, though at this point none has been reported.

But the main point is that not many people are paying, with the total value of the Bitcoin in the wallets at only $100,000. As of yet none of the currency has been moved. This is yet another feature of the operation that appears amateurish. It is possible that the hackers may have a party, spending the Bitcoin online. If they do choose to move the Bitcoin, it will open up another opportunity to identify who was involved.

If North Korea was involved, it remains a mystery exactly how. With a brigade or so of cyberwarriors, the attack could reflect a top-down effort. Some bright programmer proposed this idea, they tried it, and not only failed to score big but generated an attack that was the opposite of what most malware does: seek to fly beneath the radar. Yet a number of other possibilities exist. From what we know of other illicit networks, North Koreans could have provided or sold software to cybercriminals or cooperated with them off the books. The lack of movement in regards to the accumulated bitcoin may also simply hint at a forthcoming step in the attackers’ plan as they wait for the heat to die down.

Obviously, defense is—well—the first line of defense. But an interesting issue will be whether offense is coming down the pike. The CIA has now set up a dedicated North Korea cyber monitoring organization. The debate about whether we should focus solely on defense, or move toward offensive responses to these attacks is no doubt bubbling somewhere in the intelligence community.


Witness to Transformation posts related to cybersecurity issues:

More From

Related Topics