Post by: Ross Rustici
Recent claims by several cyber security companies tentatively link North Korean cyber actors to the WannaCry ransomware attack. The crux of this assessment is a code similarity in a randomization function call in a very early variant of the malware. A researcher at Google first discovered this similarity, and it was quickly picked up by several other security firms. There is no disputing the code similarity. However, code reuse, especially from tools as old as the Democratic People's Republic of Korea sample, is common.
Additionally, the code being reused in the initial sample is a generic function call and has no specific indicators linking it to the DPRK's coding practices. The deletion of the code (in samples of WannaCry from March 2017 onwards) may have to do with functionality rather than an attempt to obfuscate attribution. Further analysis will reveal how the code was created and perhaps more insight into who created it.
So, did North Korea do this?
The short answer is: it’s unlikely.
Nothing in North Korea’s past cyber campaigns or in their conventional military and foreign policy fit this mold. Looking at national identity, foreign policy and strategic messaging will greatly reduce the likelihood that Pyongyang ordered this campaign.
The Democratic People’s Republic of Korea adheres to a national philosophy of self-reliance (Juche). This philosophy was started by the DPRK’s first leader, Kim Il-sung, in 1955 and has been enshrined as national doctrine ever since. (Korea University Asiatic Research Center (高麗大學校亞細亞問題硏究所) (1970). Journal of Asiatic Studies 13 (3–4): 63)
This self-reliance extends to every facet of North Korean life, from politics and economics to education and defense. In the late 1990s Kim Jong-Il applied this philosophy to the Internet and to building a cyber program. This incorporation of cyber capabilities into both Juche and the DPRK’s provocation cycle had profound effects on the shape of its operations.
Through the early 2000s North Korean cyber actors built a custom program of cyber capabilities from the ground up. Unlike all other known state actors, the DPRK program makes no use of commodity malware or generic tools.
By custom building all their tools, the DPRK program presents a unique challenge to network defenders.
On the one hand, it means that the actors will use far more advanced tools than necessary to exploit networks, which makes catching active intrusions far more difficult. On the other, having a completely custom-built tool kit makes it easier to link intrusions together and gain a more complete insight into the actors’ overall capabilities and targets.
The indigenous malware production has created advanced uses of encryption for command and control of implants, the ability to fake TLS to blend in with network traffic, and advanced functionality on almost all their implants, including self-destruct capabilities as well as file deletion. This feature set makes DPRK actors sophisticated network operators that are difficult for network defenders to identify and protect against. However, over the years these same capabilities have allowed several cyber security researchers to link DPRK attacks on ROK computers dating back to 2009 with the 4th of July DDoS and drive-wiping attack on ROK and U.S. websites.
DPRK’s “cyber executive branch”, Lazarus Group, is known for reusing the same TTPs across different attacks. Its tools are over-engineered compared to the function they fill and have been used in conjunction with zero-day vulnerabilities to compromise victim networks (e.g. several critical vulnerabilities in the South Korean Hangul word processor).
They further protect their malware through the insertion of junk code to make reversing more difficult and they were an early adopter of transmitting custom encrypted traffic over port 443 to blend in with normal TLS traffic.
While the DPRK has an active espionage program, the most notorious operations have all involved network attacks. The North Korean actors have been using a similar approach to destructive attacks since 2009.
They use a RAT to gain access to a network, enumerate the hosts, and then deploy a master boot record eraser to destroy the host machine. The malware used in this process has largely been unchanged since 2009, and yet it continues to be successful. Despite the notoriety of the DarkSeoul attack in 2013 and the Sony Pictures Entertainment attack in 2014, the same actors laid down the same tool in the networks of several banks across Asia in association with the SWIFT intrusions in 2016, which netted the regime close to $80 million for a single operation.
North Korea is currently facing the most direct threat of armed conflict since the end of the Korean War. Tensions on the Korean Peninsula have been escalating at a rapid pace since the beginning of 2017, and North Korea’s traditional supporter, China, has been slowly distancing itself from the North. This leaves North Korea with one powerful neighbor and occasional supporter, Russia. At the end of April, Russia blocked a UN resolution condemning North Korean missile tests and also publicly renounced potential unilateral action by the U.S. Given that China and Russia were the most affected by the WannaCry attack, and that the infection pattern is easy to predict based on the number of pirated operating systems in both countries, it would be a significant risk to disproportionately attack the two closest things North Korea has to allies, especially since excluding their networks from the randomization function would have been a trivial coding change.
Complicating matters further, most of the known North Korean cyber activity originates in China, and North Korea’s only Internet access transits China and Russia. China’s ability to identify and jail DPRK cyber actors operating from their territory has the potential to cripple the capabilities of the DPRK program. To launch an attack of this scale against those two countries would run a significant risk of wiping out North Korea’s own cyber capability both from a connectivity and from a trained personnel standpoint.
Finally, the relatively low compromise rate of South Korea, Japan, and the U.S. runs contrary to every attack ever authorized by Pyongyang. To spare North Korea's greatest enemies in an attack of this magnitude would be grounds for execution for whoever planned the campaign. Based on Pyongyang’s goal of striking top enemies in their campaigns, it is highly unlikely that they would design a piece of malware that did not have a high probability of success against the U.S., South Korea and Japan.
South Korea has highly advanced technological capabilities and is very aware of the threat from the North. The DPRK is aware of this point and will not launch an attack that will have such a low success rate against such a big adversary. Perhaps the attackers underestimated the patching policies in place in these countries, and the low infection rate is simply a result of mission failure rather than by design. More likely, though, is that if North Korea was going to execute this style of attack it would have used more than one exploit to at least ensure success against South Korean networks.
North Korea excels at controlling the narrative and grabbing international headlines. Its ability to create escalation cycles and ramp up pressure to either gain concessions or demonstrate resolve to an internal audience is arguably unrivaled. This pattern of provocation, rhetoric and then eventual de-escalation plays out across the conventional military, nuclear and cyber domains in the same way.
In the conventional and nuclear spaces, the North uses missile tests to demonstrate resolve, signal to the U.S. and expand its deterrent capability. On May 14, North Korea tested an Intermediate Range Ballistic Missile that has the capability to hit U.S. military installations on Guam. This test also provided a stress test for a reentry vehicle that could be used on a missile with the capability to reach the U.S. and carry a nuclear weapon.
In any other news week, this successful test would have been the major international headline around the world. This event hits all the high notes for the North Korean media machine and should have been used for at least a week’s worth of propaganda. Instead, it was overshadowed by the worm. Given the national importance of the nuclear and missile program, Pyongyang would never have intentionally released a cyber attack that had the potential to undercut the largest achievement of its missile program.
In cyber space, North Korea has also created a standard operating procedure to ensure that the strategic messaging related to an attack is well heard. Assumed but unprovable attribution is their goal when conducting destructive attacks. In every known instance of a destructive attack conducted by the North Koreans, a fake “hacktivist” group with very similar graphics and verbiage was created to take credit for the attack.
North Korea uses cyber attacks as strategic messaging and retaliation. It is impossible to conduct a clear messaging campaign if the recipient does not know who the sender is. This has led the North to thinly veil their attacks, ensuring that the “might” of the North Korean military is on display. The WannaCry attack has none of the hallmark messaging or claiming of responsibility. It lacks the messaging component that is fundamental to just about every action North Korea takes.
What if the outlier to this analysis is currency generation gone wrong? It is possible that as part of their mandate to gain hard currency for the government, an enterprising DPRK hacker cobbled together this malware and unleashed it without fully appreciating the consequences. While possible, it is highly unlikely for a couple of reasons:
- If this was a currency generation ploy, they wouldn’t have removed their own code from a working variant. North Korean actors generally do not worry about code artifacts, which is precisely why they were caught in the Bangladesh case.
- If the goal was currency generation, the financial support infrastructure would have been more robust and they would have worked harder to make the payment mechanism more user-friendly. They certainly wouldn’t have let the rumor spread that paying had no effect on the files.
- If they had concerns with controlling the spread of the worm once it was unleashed, they would have registered the “kill switch” domain. This oversight points to the amateur nature of the initial attack and would imply that if a DPRK actor did conduct this attack, they were not operating at the level normally associated with these groups.