North Korea Linked to 'Reckless' Global Cyber Attack

Pyongyang hackers behind WannaCry malware used software flaw first uncovered by NSA

Tom Bossert, White House homeland security adviser, and Jeanette Manfra, chief of cybersecurity for the Department of Homeland Security / Getty Images
December 20, 2017

North Korea conducted a "reckless" global cyber attack affecting governments and businesses around the world, the Trump administration revealed on Tuesday.

"After careful investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea," said Tom Bossert, White House homeland security and counterterrorism chief.

"We do not make this allegation lightly. We do so with evidence, and we do so with partners," he added.

The WannaCry malware is considered a ransomware worm that spread very rapidly through global computer networks in May. The malware infected Windows computers, encrypted files on their hard drives, and then demanded ransom payments in bitcoin to unscramble the data.

One significant victim was the network of Britain's National Health Service.

Officials and security experts say the North Korean hackers behind the attacks were able to exploit an operating system vulnerability first uncovered by National Security Agency cyber intelligence-gathering hackers.

WannaCry was initially suspected of being a variant of the Russian Petya malware. Since May, however, the NSA, other U.S. intelligence agencies, and private security firms have traced the origin of the malware to North Korea.

WannaCry infected computers in over 150 nations, and some victims who paid the ransom to unlock frozen data found that they were still unable to decrypt it.

"This was a careless and reckless attack," Bossert told reporters. "It affected individuals, industry, governments, and the consequences were beyond economic. The computers affected badly in the UK and their healthcare system put lives at risk, not just money."

Bossert said other governments and private security firms agreed with the U.S. findings. They include Britain, Australia, Canada, New Zealand, and Japan.

Microsoft was able to trace the attack to hackers linked to the North Korean government, he added.

The WannaCry ransomware attack is the second major cyber attack blamed on North Korea.

In late 2014, the U.S. government revealed that North Korea carried out a damaging and high-profile hack of networks at Sony Pictures Entertainment, stealing data and publishing it online as well as destroying computer systems.

The NSA determined that North Korea conducted the Sony attack because its own hackers had successfully penetrated many computer networks used by North Korean hackers. NSA spying on North Korea was revealed in documents made public by renegade NSA contractor Edward Snowden.

Bossert said North Korea has been conducting nefarious hacking activities largely unchecked for more than a decade. "Its malicious behavior is growing more egregious, and stopping that malicious behavior stops with this step of accountability," he said.

Bossert said tech companies including Microsoft and Facebook recently disabled a number of North Korean "cyber exploits," and disrupted operations of North Koreans that were infecting computers around the world. "They shut down accounts the North Korean regime hackers used to launch attacks and patched systems," he said.

North Korea is known to use third-country locations, including China and Thailand, for many of its cyber attacks, according to security experts.

Disclosure of the North Korean WannaCry hack comes a day after President Trump released his administration's first national security strategy that focuses significant attention on countering damaging cyber attacks and cyber espionage.

The new strategy states that the administration will do more to identify threats and security risks in cyber space.

"To improve the security and resilience of our critical infrastructure, we will assess risk across six key areas: national security, energy and power, banking and finance, health and safety, communications, and transportation," the strategy report says.

"We will assess where cyberattacks could have catastrophic or cascading consequences and prioritize our protective efforts, capabilities, and defenses accordingly."

Jeanette Manfra, Homeland Security assistant secretary for cybersecurity and communications, said the WannaCry attacks began on May 12 in Asia and spread to Europe.

After the British healthcare network was attacked, "we knew we were dealing with a serious issue, and began to activate our domestic-industry partnership," said Manfra, who briefed reporters with Bossert.

DHS then shared what it knew about WannaCry with all major internet service providers.

The quick information-sharing response limited the damage, but the danger of new and more damaging cyber attacks continues.

"We are seeing increased activity and sophistication from both nation-states and non-state actors," Manfra said. "In many instances, these are the same adversaries we have faced in the past. They are just now operating in a different space."

DHS and the FBI warned in a technical report published in August that North Korea was continuing to use botnet attacks to target critical U.S. infrastructure.

The report said North Korean government hackers were targeting media, aerospace, financial, and critical infrastructure sectors in the United States and around the world.

The botnets, or networks of hijacked computers, are being used by the North Koreans for denial-of-service attacks that disrupt the use of computer networks.

The two agencies then warned in November that North Korean hackers were continuing to engage in cyber attacks.

Manfra said one problem with such attacks is that the internet was designed for interoperability, trust, and openness, without security features engineered into the system.

As a result, "attackers only have to be right once but defenders have to be right all the time," she said.

Manfra said defending against internet-based attacks will require greater government and private sector cooperation.

"Government and industry must work together now more than ever if we are serious about improving our collective defense," she said. "We cannot secure our homeland alone. A company can't single-handedly defend itself against a nation-state attacker. Cybersecurity is a shared responsibility. We all play a part in keeping the internet safe."

The problem for many tech companies is a lack of trust in working with government following disclosures several years ago by Snowden showing NSA cyber spying. As a result, many companies are leery of working with the government over privacy concerns.

"To prevent another attack like WannaCry, we are calling on all companies to commit to the collective defense of our nation," Manfra said.

Bossert denied the government was slow to respond to the WannaCry attack. "We took a lot of time to look through classified, sensitive information," he said.

The evidence of North Korean links included technical connections to cyber tools used by Pyongyang's hackers, along with indicators of North Korean cyber tradecraft and operational infrastructure.

Many cyber security specialists credited security researcher Marcus Hutchins with mitigating the effects of the malware. Hutchins spotted WannaCry early in the May attack and found a way to limit its spread.

Hutchins discovered a flaw in the malware—a digital kill switch—and turned it on. "He took a risk, it worked, and it caused a lot of benefit," Bossert said. "Next time, we're not going to get so lucky."
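The kill switch mentioned above worked by making a hard-coded domain lookup succeed, so the worm's own check told it to stop. The following is an added example, not code from the article or from anyone it quotes: it models that decision from a defender's side (why registering the domain halted spread on networks that could resolve it) and shows how the same lookup becomes a detection signal in DNS logs. The domain name, the log format and the log lines are all constructed placeholders, not the real WannaCry domain or real telemetry.

```python
"""Defender's-eye model of a DNS-based kill switch, plus a DNS-log check.

Constructed example. The domain, log format and log lines below are
placeholders chosen for this illustration, not the real WannaCry values.
"""
import re
from typing import Dict, List, Set

# Placeholder only; the real kill-switch domain is deliberately not used.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"


def worm_would_propagate(domain_resolves: bool) -> bool:
    """As publicly reported at the time, the sample tried to reach a
    hard-coded domain and only kept spreading when that attempt failed.
    Registering (sinkholing) the domain therefore flipped the switch on
    every host that could resolve it."""
    return not domain_resolves


class FakeResolver:
    """Stand-in for DNS: a name resolves only if it has been registered."""

    def __init__(self, registered: Set[str]) -> None:
        self.registered = {n.lower() for n in registered}

    def resolves(self, name: str) -> bool:
        return name.lower() in self.registered


def sinkhole(resolver: FakeResolver, domain: str) -> None:
    """What registering the domain did: the lookup now succeeds."""
    resolver.registered.add(domain.lower())


# Constructed log format: "<timestamp> <client-ip> query <qname> <rcode>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qname>\S+)\s+(?P<rcode>NOERROR|NXDOMAIN|SERVFAIL)$"
)

# Constructed sample lines (not real telemetry).
SAMPLE_DNS_LOG = f"""\
2017-05-12T09:01:02Z 10.0.0.5 query www.example.com. NOERROR
2017-05-12T09:01:07Z 10.0.0.17 query {KILL_SWITCH_DOMAIN}. NXDOMAIN
2017-05-12T09:01:09Z 10.0.0.5 query {KILL_SWITCH_DOMAIN}. NOERROR
2017-05-12T09:01:11Z 10.0.0.17 query {KILL_SWITCH_DOMAIN}. NXDOMAIN
malformed line that the parser must skip
2017-05-12T09:02:30Z 10.0.0.23 query mail.example.com. NOERROR
"""


def kill_switch_lookups(log_text: str, domain: str = KILL_SWITCH_DOMAIN) -> Dict[str, List[str]]:
    """Return {client_ip: [rcode, ...]} for every host that looked up the
    kill-switch domain. The lookup itself is the indicator: legitimate
    software has no reason to query that name."""
    hits: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of crashing
        if m["qname"].rstrip(".").lower() != domain.lower():
            continue
        hits.setdefault(m["client"], []).append(m["rcode"])
    return hits


def triage(hits: Dict[str, List[str]]) -> Dict[str, str]:
    """Rank hosts. A failed lookup (NXDOMAIN/SERVFAIL) means the switch did
    not engage for that host, so its worm logic would keep spreading; those
    come first. A successful lookup means the sample should have halted,
    but the host still carried it and needs cleanup."""
    out: Dict[str, str] = {}
    for client, rcodes in hits.items():
        if any(rc != "NOERROR" for rc in rcodes):
            out[client] = "isolate-now: kill switch not engaged, propagation likely"
        else:
            out[client] = "infected-but-halted: schedule cleanup"
    return out


if __name__ == "__main__":
    dns = FakeResolver(registered={"www.example.com"})
    print("before sinkhole, would propagate:",
          worm_would_propagate(dns.resolves(KILL_SWITCH_DOMAIN)))
    sinkhole(dns, KILL_SWITCH_DOMAIN)
    print("after sinkhole, would propagate:",
          worm_would_propagate(dns.resolves(KILL_SWITCH_DOMAIN)))
    for host, verdict in triage(kill_switch_lookups(SAMPLE_DNS_LOG)).items():
        print(host, verdict)
```

The point of the triage split is the caveat defenders ran into in practice: the switch only helps hosts whose lookup actually succeeds, so a network that cannot resolve the domain gets no benefit from it and must rely on patching and isolation instead.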

Without elaborating, Bossert said "we're comfortable in this case … that it was directed by the government of North Korea."

Intermediaries working for the government were used in WannaCry, and they had been traced to North Korean government cyber attacks in the past.

The activities of North Korean hacker squads and their operating methods are not well known.

Bossert said the administration's new pressure policy on North Korea is aimed at forcing Pyongyang to halt the cyber attacks.

The amount of money the North Koreans may have raised with the ransomware is not known. However, the operation did not appear similar to criminal ransomware attacks that are designed to raise cash.

"They didn’t want to get a lot of money out of this," Bossert said. "If they did, they would have opened computers if you paid. Once word got out that paying didn’t unlock your computer, the payment stopped."

Instead of cash, the North Koreans were engaged in a cyber attack designed to cause havoc and destruction with money as an ancillary benefit.

Bossert said exposing the North Korean role in WannaCry ransomware is a first step in alerting the regime that the United States is "going to move to stop their behavior."

The White House adviser also noted that the administration recently moved to block the government from using Kaspersky Lab security software because of worries that the software reports back to the Russian government on those who use it.

"I think we're leading to take bad actors—whether they be Russia, North Korea, at times China and Iran—off the internet and knocking them off their game," Bossert said.

The government waited for months before going public with the findings on WannaCry to avoid mistakenly blaming someone else.

"It's hard to find that smoking gun, but what we've done here is combine a series of behaviors," Bossert said. "We've got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we've seen demonstrated in past attacks. And so you have to apply some gumshoe work here, not just some code analysis."

A shadowy hacker group called the Shadow Brokers is believed to have publicly exposed the fact that the NSA had uncovered the flaw in the Microsoft operating system that the North Koreans exploited.

Bossert said the U.S. government discloses 90 percent of the flaws it finds so that private companies can fix them.

The flaws that are kept secret are used for national security purposes.

Bossert said the U.S. government needs to better protect its cyber intelligence tools, noting that it is very unfortunate when such tools leak.