The WCry Attack: North Korea to Blame?

Stan Ward


May 17, 2017

By now you probably know that the internet has been attacked and held hostage around the globe by a ransomware worm called WannaCry (or WCry). In one of the largest attacks ever carried out, hospitals, companies, universities and governments across at least 150 countries were hit by a cyberattack that locked computers and demanded a ransom.

The number of those affected by the attack is now believed to exceed 300,000 users. The initial attack seems to have been stymied, and now the focus has shifted to who is behind the attack.

The finger of blame may point toward North Korea, as this assault bears the fingerprints of attacks on Sony Pictures, Bangladesh Central Bank, and several South Korean banks, going back about four years.

The possibility was raised by a Google security researcher, Neel Mehta, who pointed out that code found in the WCry sample is identical to code in a malicious backdoor used by the Lazarus Group, a North Korean cybercrime team that has been operating since 2011 and has previously been linked to the aforementioned attacks.

More examination of the code links will be needed to support the conclusion that the group, which has operated before on behalf of the impoverished rogue regime, is responsible. But amidst all the uncertainty, Kaspersky Lab found one kernel of certainty:

One thing is for sure—Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry.

Another reason to discount the idea that the attack was initiated by a civilian or privately sponsored hacking group is that the malware contains a telling technique that has in the past been considered characteristic of malware written by nation-sponsored hackers: a “kill switch”. As Martijn Grooten, a security researcher for Virus Bulletin, explained to Ars Technica,

Malware authors rarely wonder ‘What if this totally gets out of hand?’ Kill switches in malware are rare, and I can only think of government malware with those built in. Governments care about collateral damage far more than criminals do. And North Korea has recently been active as the Lazarus group.

He went on to add that it’s not beyond believable that North Korea could have remained somewhat “hands-off,” and distanced itself from the debacle by hiring a hacking group.

Putting the onus on North Korea at this early stage could be premature, however. Similarities in the code don’t always mean the same hacking group is responsible. An entirely different group may simply have reused the Lazarus Group’s backdoor code from 2015 to confuse anyone trying to identify the perpetrator. As Kaspersky Lab noted in a blog post,

We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry.

But some are of the opinion that money alone may not have been the sole motive.

“I believe that this was spread for the purpose of causing as much damage as possible,” said Matthew Hickey, co-founder of British cyber consulting firm Hacker House.

This idea is bolstered by the fact that in 2016, by appropriating the SWIFT code, the group was able to siphon some $1 billion from the Bangladesh Central Bank. That figure would dwarf any prospective haul from this caper. It has also been suggested that North Korea sought to embarrass the NSA and the US – especially in light of the current nuclear tensions and name-calling from the leaders of the respective countries.

What can’t be lost or dismissed in this fiasco is the role played by the NSA and its voracious appetite for citizens’ private information. WCry used leaked NSA-developed code in its expansive attack. It has been posited that the WannaCry exploits used in the attack were drawn from a trove of data stolen from the NSA by the Shadow Brokers in August 2016.

The NSA and other government agencies around the world create and collect vulnerabilities in popular pieces of software (such as Windows) to use for intelligence gathering and cyberwarfare.

“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” said Brad Smith, president and chief legal officer of Microsoft.

Jeremy Wittkop, chief technology officer of security company Intelisecure, also chimed in, admonishing governments for not being careful enough with the weapons they’ve created.

“The government has a responsibility like with nuclear weapons to make sure they don’t fall into the hands of the wrong people,” he said. “If you are going to create something that can cause this much damage you have to protect it.”

Once these weaknesses were leaked by the Shadow Brokers, they became available for cybercriminals to hold the world hostage for financial gain by creating the ransomware that exploited them. If the NSA’s carelessness or malfeasance is found to be at the heart of this matter, the irony would be too precious, and the lessons learned too evident.

You can’t continue hoovering information with impunity without there being some blowback. Meanwhile, as usual, government “cops” are scurrying around, playing catch-up to nab the perpetrators.

Image credit: By LeoWolfert/