
The US government blames North Korea for WannaCry ransomware pandemic

This is one of those threads that could get very political so I wouldn't mind if mods locked this thread right after five to ten responses.

 

Source: Reuters

 

Quote


WASHINGTON (Reuters) - The Trump administration has publicly blamed North Korea for unleashing the so-called WannaCry cyber attack that crippled hospitals, banks and other companies across the globe earlier this year.

 

“The attack was widespread and cost billions, and North Korea is directly responsible,” Tom Bossert, homeland security adviser to President Donald Trump, wrote in a piece published on Monday night in the Wall Street Journal. “North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious,” Bossert wrote. “WannaCry was indiscriminately reckless.”

 


 

The White House was expected to follow up on Tuesday with a more formal statement blaming Pyongyang, according to a senior administration official. The U.S. government has assessed with a “very high level of confidence” that a hacking entity known as Lazarus Group, which works on behalf of the North Korean government, carried out the WannaCry attack, said the official, who spoke on condition of anonymity to discuss details of the government’s investigation. Lazarus Group is widely believed by security researchers and U.S. officials to have been responsible for the 2014 hack of Sony Pictures Entertainment that destroyed files, leaked corporate communications online and led to the departure of several top studio executives.

North Korean government representatives could not be immediately reached for comment. The country has repeatedly denied responsibility for WannaCry and called other allegations about cyber attacks a smear campaign.

 

Just so everyone knows, the Lazarus Group is responsible for the Sony hack in 2014, which was said to be a thin-skinned response from North Korea in retaliation for releasing the movie "The Interview" starring James Franco and Seth Rogen, as well as a heist at the Bangladesh Central Bank [more info about the Lazarus group here]

Anti-virus companies like Symantec, Kaspersky, and even Microsoft linked Lazarus to North Korea, as they found IP addresses from North Korea. The same cybersecurity companies also found the same connections linking WannaCry and the Lazarus group, saying:

 

From Symantec

Quote

WannaCry links to Lazarus

Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry. The cipher suite in both samples has the same set of 75 different ciphers to choose from (as opposed to OpenSSL where there are over 300). In addition, WannaCry uses similar code obfuscation to Infostealer.Fakepude, malware that has previously been linked to Lazarus; and Trojan.Alphanc, malware that was used to spread WannaCry in the March and April attacks and which has been linked to Lazarus.

Appendix A: WannaCry and Lazarus shared network infrastructure

There are a number of crossovers seen in the C&C servers used in the WannaCry campaigns and by other known Lazarus tools. For example, during the attacks against Sony, a malware family called Backdoor.Destover was deployed. Later variants of Backdoor.Destover were seen to use the IP address 87.101.243.252 for command and control. The Trojan.Bravonc sample discovered dropping WannaCry also connects to this IP address. Other shared network infrastructure is listed below:

C&C             Used by                                             Comments
87.101.243.252  Trojan.Bravonc, Backdoor.Duuzer, Backdoor.Destover
84.92.36.96     Trojan.Alphanc                                      Also used by a backdoor program which shares an additional C&C with Lazarus-linked Backdoor.Cuprox
184.74.243.67   Trojan.Alphanc                                      Also seen used by entaskloader.exe which drops a network scanning tool used in March attacks
203.69.210.247  Trojan.Alphanc
196.45.177.52   Backdoor.Cuprox                                     Also seen used by a backdoor program dropped by a document called "discussion_QuadrigaCX.doc"

Kaspersky:

Quote

We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of Wannacry. Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. 

[Images: Wannacry_Lazarus_02; lazarus-tpp; map of countries initially affected in the WannaCry ransomware attack]

*It's a good thing that none of the banks I have money in got infected by WannaCry. I guess the lack of red color on the New Zealand map suggests that PCs in New Zealand have installed Windows Updates.

 

Obviously North Korea will deny this, but for a country with so many economic sanctions imposed, it all makes sense why they'd engage in state-sponsored cyberattacks, especially ransomware attacks where they can hold PCs hostage until people pay up via Bitcoin. Even though the payout for WannaCry ransomware wasn't that lucrative, there are reports, especially from North Korean defectors, saying that the regime is currently training and employing hackers in order to offset the effects of the UN economic sanctions and to show everyone that they're as powerful as, if not better than, everyone else when it comes to cyberespionage.


 

But we can also put the blame on businesses and corporations for using out-of-date computers. Prior to the WannaCry pandemic, Microsoft had already released a patch for SMBv1, but so many didn't even bother to deploy security updates. As per this NYT article, "The big question is whether Mr. Kim, fearful that his nuclear program is becoming too large and obvious a target, is focusing instead on how to shut down the United States without ever lighting off a missile. 'Everyone is focused on mushroom clouds,' Mr. Silvers said, 'but there is far more potential for another kind of disastrous escalation.'" The US and everyone else should put more focus on ensuring nationwide cybersecurity, as massive cyberattacks can lead to a global economic crisis. It's such a shame that the US response to the Sony hack was launching a DDoS attack on North Korea, which means nothing. In my opinion, since North Korea has fewer computers connected to the real internet, they are at an advantage over the US, as the likes of the NSA and DHS will find it useless to create cyberespionage malware against North Korea since only a few IP addresses from North Korea can be found.

 

2017 is indeed the year of cybersecurity woes, and I think in 2018 it will get much worse. I'm just curious as to what took the DHS so long to declare that WannaCry came from North Korea when major anti-virus companies have been saying that there's a link between the Lazarus Group (DPRK) and WannaCry for months.

 

I can't help but bring back these related threads :P

Edited by hey_yo_

There is more that meets the eye
I see the soul that is inside

 

 

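As an added illustration of the infrastructure pivoting Symantec's Appendix A describes (this is example code written for this thread, not Symantec's or the OP's), the script below loads the C&C overlaps from the quoted table into a small family/indicator graph and walks from each WannaCry dropper to the previously Lazarus-linked tools, reporting the chain of shared indicators and how many pivots it took. The two unnamed "backdoor programs", the "additional C&C" node and the choice of which families count as "known Lazarus" are assumptions taken from the quoted text, not data from Symantec.

```python
from collections import defaultdict, deque

# Indicator -> families observed using it, transcribed from the Symantec table quoted above.
# Nodes the quoted text mentions but does not name are labelled as placeholders (assumption).
SHARED_C2 = {
    "87.101.243.252": {"Trojan.Bravonc", "Backdoor.Duuzer", "Backdoor.Destover"},
    "84.92.36.96":    {"Trojan.Alphanc", "unnamed-backdoor-A"},
    "184.74.243.67":  {"Trojan.Alphanc", "entaskloader.exe"},
    "203.69.210.247": {"Trojan.Alphanc"},
    "196.45.177.52":  {"Backdoor.Cuprox", "unnamed-backdoor-B"},
    # "shares an additional C&C with Lazarus-linked Backdoor.Cuprox": the C&C itself is not listed
    "<unlisted C&C>": {"unnamed-backdoor-A", "Backdoor.Cuprox"},
}

# Families the quoted text presents as Lazarus tools before WannaCry (assumption drawn from the quote).
KNOWN_LAZARUS = {"Backdoor.Destover", "Backdoor.Duuzer", "Backdoor.Cuprox"}
# Families the quoted text presents as dropping or spreading WannaCry.
WANNACRY_DROPPERS = {"Trojan.Bravonc", "Trojan.Alphanc"}


def build_graph(shared_c2):
    """Bipartite adjacency: every family links to its indicators and every indicator to its families."""
    adj = defaultdict(set)
    for ioc, families in shared_c2.items():
        for fam in families:
            adj[fam].add(ioc)
            adj[ioc].add(fam)
    return adj


def pivot_chains(adj, start, targets):
    """Breadth-first search from `start`; returns the shortest chain to each reachable target."""
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    chains = {}
    for tgt in targets:
        if tgt in parent:
            path, cur = [], tgt
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            chains[tgt] = path[::-1]
    return chains


def hops(chain):
    """Number of shared indicators crossed: 1 means a direct C&C overlap, 2 means one pivot via a third family."""
    return (len(chain) - 1) // 2


def attribution_report(shared_c2=SHARED_C2, droppers=WANNACRY_DROPPERS, lazarus=KNOWN_LAZARUS):
    """For each WannaCry dropper, the Lazarus tools it reaches through shared C&C and the chain used."""
    adj = build_graph(shared_c2)
    return {d: pivot_chains(adj, d, lazarus) for d in droppers}


if __name__ == "__main__":
    for dropper, chains in attribution_report().items():
        for fam, chain in chains.items():
            print(f"{dropper} -> {fam} ({hops(chain)} hop(s)): " + " -> ".join(chain))
```

The output makes the strength of each link explicit: Bravonc shares a C&C directly with Destover and Duuzer, while Alphanc only reaches Cuprox through an unnamed intermediate backdoor and an unlisted C&C, which is the kind of distinction worth keeping in mind when weighing infrastructure overlap as evidence.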

The map is not real. WannaCry has affected numerous places, including my local hospital in NZ.

Needless to say services were not affected as they never work anyway.


I'm going to have to call BS,  the US government is in my top ten list of groups who can't be trusted.  They probably just made up the whole existence of NK to justify something else they have been doing anyway.

Grammar and spelling is not indicative of intelligence/knowledge.  Not having the same opinion does not always mean lack of understanding.  


7 minutes ago, mr moose said:

I'm going to have to call BS,  the US government is in my top ten list of groups who can't be trusted.  They probably just made up the whole existence of NK to justify something else they have been doing anyway.

There's plenty of books written by refugees of that particular hellhole.

 

Aquariums of Pyongyang springs to mind.

 

While I share your distrust of the US government, I absolutely hate the North Korean regime and honestly feel sorry for people who live there. That's one regime that needs to be toppled simply because they're evil as fucking hell. Even compared to our own egregious governments.

Ketchup is better than mustard.

GUI is better than Command Line Interface.

Dubs are better than subs


3 minutes ago, Trik'Stari said:

There's plenty of books written by refugees of that particular hellhole.

 

Aquariums of Pyongyang springs to mind.

 

While I share your distrust of the US government, I absolutely hate the North Korean regime and honestly feel sorry for people who live there. That's one regime that needs to be toppled simply because they're evil as fucking hell. Even compared to our own egregious governments.

The existence of NK was a joke I made to illustrate the levels I believe the US government would go to to hide something.



21 minutes ago, mr moose said:

They probably just made up the whole existence of NK to justify something else they have been doing anyway.

Someone needs to read about the history of the Korean War. 

 

24 minutes ago, mr moose said:

I'm going to have to call BS,  the US government is in my top ten list of groups who can't be truste

A massive cyberattack corroborated by major cyber security companies who’ve identified links between DPRK and WannaCry should be doubted? I don’t think so. 


 

 


15 minutes ago, VegetableStu said:

wow this is hard to believe ._. even if legit

They were able to create an ICBM reaching the right altitude to reach anywhere in the US, I wouldn’t be so surprised if they were able to create an encryption virus infecting thousands of PCs around the world. 


 

 


Hey guys, did you notice the angry baby in the corner has a gun?  And a hand grenade? He looks like he freakin hates us too.

 

We tried to stop feeding it but the dang thing just won't die.  

 

I'VE GOT IT!

 

Seriously though, there are so many of these propaganda pieces, it's insane.

Want to custom loop?  Ask me more if you are curious

 


3 minutes ago, VegetableStu said:

although if they could smuggle back weapons tech in physical or theoretical form, I don't think it'd be hard to bring in... I dunno, a threadripper system or something)

They do smuggle stuff mostly from China. It’s good that Australia was able to catch a North Korean spy/smuggler recently. 

 


 

 


1 hour ago, mr moose said:

I'm going to have to call BS,  the US government is in my top ten list of groups who can't be trusted.  They probably just made up the whole existence of NK to justify something else they have been doing anyway.

Whether what is alleged concerning WannaCry is true or not, I don't know. But Trump is threatening North Korea with war, and convincing the public that North Korea was responsible for this cyber attack could be an effort to drum up public support for an attack on North Korea. US gov'ts always start making wild and unproven, often later disproven accusations against countries that they plan to attack, to get the public and cohorts on board with attacking that country. Gulf of Tonkin, Iraq WMDs, incubator babies, and claims of Assad using chemical weapons come to mind, as does the USA's cold-war false flag scheme to sink a boat full of innocent Cuban refugees trying to reach the US, in order to get the public to agree to war against the USSR.

 

When the US state speaks a lie, it speaks its native language. And it's completely by the script that the USA starts coming up with accusations against a nation it is plotting war against. Trump is a liar. Obama was a liar. Bush Jr was a liar. Clinton was a liar. The US government claiming something is not a basis to believe that what it says is actually true.

 

1 hour ago, hey_yo_ said:

They were able to create an ICBM reaching the right altitude to reach anywhere in the US, I wouldn’t be so surprised if they were able to create an encryption virus infecting thousands of PCs around the world. 

But the expectation that they're capable is not evidence that they're guilty.

You own the software that you purchase - Understanding software licenses and EULAs

 

"We’ll know our disinformation program is complete when everything the american public believes is false" - William Casey, CIA Director 1981-1987


b-b-b-but... Russia

One day I will be able to play Monster Hunter Frontier in French/Italian/English on my PC, it's just a matter of time... 4 5 6 7 8 9 years later: It's finally coming!!!

Phones: iPhone 4S/SE | LG V10 | Lumia 920 | Samsung S24 Ultra

Laptops: Macbook Pro 15" (mid-2012) | Compaq Presario V6000

Other: Steam Deck

<>EVs are bad, they kill the planet and remove freedoms too some/<>


22 minutes ago, Delicieuxz said:

But the expectation that they're capable is not evidence that they're guilty.

But findings from anti-virus companies are very hard to ignore though and as I’ve said in the OP, it wouldn’t be surprising that they’re capable of making an encryption virus based on the Shadow Brokers dump on GitHub (Eternal Blue exploit) thanks to NSA withholding information about vulnerabilities. 


 

 


Well, to me this just looks like US propaganda, which is a bit weird because we always say "in X country people are being misinformed due to propaganda", but honestly the US is doing exactly the same. I'm not surprised the US is falling behind compared to the rest of the world. They just keep on digging, don't they...

If you want my attention, quote meh! D: or just stick an @samcool55 in your post :3

Spying on everyone to fight against terrorism is like shooting a mosquito with a cannon


2 hours ago, VegetableStu said:

it's... this having to reconcile the concept of a reclusive state that's socioeconomically a few years late and yet being able to do something this modern...

(although if they could smuggle back weapons tech in physical or theoretical form, I don't think it'd be hard to bring in... I dunno, a threadripper system or something)

The US has been extremely late on a sociological standpoint for quite some time and yet they survive on technology anyway. 


LOL

 

U.S. Government says Russia "hacked" election to get Trump to win, people immediately buy in, full scale investigation issued still going on to this day entirely based on assumption.

 

U.S. Government says North Korea responsible for WannaCry, people immediately dismiss as fake and blame on Trump even before there's a chance for true details to be announced.

 


 

- ASUS X99 Deluxe - i7 5820k - Nvidia GTX 1080ti SLi - 4x4GB EVGA SSC 2800mhz DDR4 - Samsung SM951 500 - 2x Samsung 850 EVO 512 -

- EK Supremacy EVO CPU Block - EK FC 1080 GPU Blocks - EK XRES 100 DDC - EK Coolstream XE 360 - EK Coolstream XE 240 -


1 hour ago, Matu20 said:

Does it matter who they blame?

No, as long as people have something else to blame on someone they don't like.



2 hours ago, hey_yo_ said:

But findings from anti-virus companies are very hard to ignore though and as I’ve said in the OP, it wouldn’t be surprising that they’re capable of making an encryption virus based on the Shadow Brokers dump on GitHub (Eternal Blue exploit) thanks to NSA withholding information about vulnerabilities. 

 

According to Wikipedia, Kaspersky do not unconditionally associate Lazarus Group with North Korea: https://en.wikipedia.org/wiki/Lazarus_Group

 

Quote

 

It is not clear who is really behind the group, but media reports have suggested the group has links to North Korea.[5] [6][3] Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on spying and infiltration cyber attacks whereas a sub-group within their organisation, which Kaspersky called Bluenoroff, specialised in financial cyber attacks. Kaspersky found multiple attacks worldwide and a direct link (IP address) between Bluenoroff and North Korea.[7]

 

However, Kaspersky also acknowledged that the repetition of the code could be a “false flag” meant to mislead investigators and pin the attack on North Korea, given that the worldwide WannaCry worm cyber attack copied techniques from the NSA as well. This ransomware leverages an NSA exploit known as EternalBlue that a hacker group known as Shadow Brokers made public in April 2017. [8] Symantec reported in 2017 that it was "highly likely" that Lazarus was behind the WannaCry attack.[9]

 

 



17 minutes ago, Delicieuxz said:

According to Wikipedia, Kaspersky do not unconditionally associate Lazarus Group with North Korea: https://en.wikipedia.org/wiki/Lazarus_Group

Edited the OP. But I wouldn’t rule out DPRK as suspects in this one, since the regime needs money and resources to fund their military programs, and it’s made worse by the economic sanctions imposed on the regime; they need to find ways to get funded. One of the ways to obfuscate location is by a VPN, but which VPN vendor currently has servers in North Korea? Since VPNs can be built easily, how can they build a VPN server in North Korea when entering the hermit kingdom involves too many restrictions? While geolocation using IP addresses isn’t bombshell evidence that they did it, it does raise some red flags. Here’s what Symantec has to say:

Quote

The methods used in this attack, in particular the in-depth knowledge of the SWIFT systems and the steps taken to cover tracks, are indicative of highly proficient actors. This was an incredibly audacious hack, and was also the first time strong indications of nation-state involvement in financial cyber crime had been observed. The attack was linked to nation-state actors in North Korea.


Symantec’s analysis of the malware (Trojan.Banswift) used in the attack on the Bangladesh bank found evidence of code sharing between this malware and tools used by Lazarus—which the FBI claims has links to the North Korean government. The Lazarus group was associated with the infamous Sony hack in 2014, and has been linked to a string of attacks against the US and South Korea since 2009.

 


 

 


4 minutes ago, System Error Message said:

I blame the US for the lack of defence against such a malware.

Blame the businesses and institutions for not installing software updates, and blame the US government, especially the NSA, for withholding CVE information from tech companies; now it has backfired in their faces.


 

 


Just now, hey_yo_ said:

Blame the businesses and institutions for not installing software updates and blame the US government especially the NSA for withholding CVE information from tech companies and now it backfired to their faces. 

I was making a joke that so happens to be true too.


5 hours ago, hey_yo_ said:

*snip*

Lol, I posted this story about a week after WC happened and everyone said it was nonsense. The thread even got moved in GD.

 

Not that I'm bitter or anything xD

Edited by wkdpaul
removed quote

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


This topic is now closed to further replies.