Breaking the mold: North Korea is unlikely to be behind the WannaCry attack

After the WannaCry attack, we published a blog post that used sound logic, technical evidence and historical context to explain why the North Korean regime – despite tentative links by security companies – was not likely behind WannaCry. Months later, we still stand by this claim: The North Korean government probably did not carry out WannaCry.

The point we made in our May blog post, which we’ve re-published here, are still valid. Spreading FUD does little to keep anyone safe or de-escalate the threat posed by North Korea’s nuclear ambitions and cyber program.

On December 18, 2017, U.S. Homeland Security Advisor Thomas P. Bossert asked the entire world to trust the U.S. government’s assertion that North Korea was behind May’s WannaCry attack while offering absolutely no evidence to support this attribution. Instead, Bossert, in a Wall Street Journal opinion piece, implies that the U.S. government’s attribution was based on information used by the U.K. government and Microsoft.

The overall tone of the U.S. government’s messaging is more about rehashing the fear mongering strategies that lead to the 2003 invasion of Iraq rather than an actual attempt to educate and defend the U.S. and global population against what is rightly considered a large cyber threat.

Rehashing attribution from other governments and technology companies while providing zero new evidence only undermines the U.S. government’s technical credibility and devalues the real threat that North Korea poses. The use of hacking to undermine sanctions and enrich the regime clearly threatens financial institutions as well as any hope of containing the regime through something short of force.

The longer and more reliable conventional/nuclear deterrence holds, the less restrained North Korean hackers will become because they have cyber escalation dominance. We need to take the North Korean cyber threat seriously. However, rehashing old history as a way to increase FUD and reduce informed discussion on one of the most pressing security threats of 2018 only serves to increase the likelihood of miscalculation and mistake.


The short answer is: it’s unlikely.

Nothing in North Korea’s past cyber campaigns or in their conventional military and foreign policy fit this mold. Looking at national identity, foreign policy and strategic messaging will greatly reduce the likelihood that Pyongyang ordered this campaign.


The Democratic People’s Republic of Korea adheres to a national philosophy of self-reliance (Juche). This philosophy was started by the DPRK’s first leader Kim Il-sung in 1955 and has been enshrined as national doctrine ever since. (高麗大學校亞細亞問題硏究所 (1970). Journal of Asiatic Studies. 13 (3–4): 63)

This self-reliance extends to every facet of North Korean life, from politics and economics, to education and defense. In the late 1990’s Kim Jong-Il applied this philosophy to the Internet and building a cyber program. This incorporation of cyber capabilities into both Juche and the DPRK’s provocation cycle had profound effects on the shape of the operations.

Through the early 2000’s North Korean cyber actors built a custom program of cyber capabilities from the ground up. Unlike all other known state actors, the DPRK program makes no use of commodity malware or generic tools.

By custom building all their tools, the DPRK program presents a unique challenge to network defenders.

On the one hand, it means that the actors will use far more advanced tools than necessary to exploit networks; which makes catching active intrusions far more difficult. On the other, having a completely custom-built tool kit makes it easier to link intrusions together and gain a more complete insight into the actors’ overall capabilities and targets.

The indigenous malware production has created advanced uses of encryption for command and control of implants, the ability to fake TLS to blend in with network traffic and advanced functionality on almost all their implants to include self-destruct capabilities as well as file deletion. This feature set makes DPRK actors sophisticated network operators that are difficult for network defenders to identify and protect against. However, these same capabilities over the years have allowed several cyber security researchers to link DPRK attacks on ROK computers dating back to 2009 with the 4th of July DDoS and drive wiping attack on ROK and U.S. websites. 4 5 6 7 8

DPRK’s “cyber executive branch”, Lazarus Group, is somewhat characterized by and known for the same TTPs across different attacks. These tools are over engineered compared to the function they fill and have been used in conjunction with 0day vulnerabilities to compromise victim networks (i.e. several critical vulns in the South Korean Hangul program).

They further protect their malware through the insertion of junk code to make reversing more difficult and they were an early adopter of transmitting custom encrypted traffic over port 443 to blend in with normal TLS traffic.

While the DPRK has an active espionage program, the most notorious operations have all involved network attacks. The North Korean actors have been using a similar approach to destructive attacks since 2009.

They use a RAT to gain access to a network, enumerate the hosts, and then deploy a master boot record eraser to destroy the host machine. The malware used in this process has largely been unchanged since 2009 and yet it continues to be successful. Despite the notoriety of the DarkSeoul attack in 2013, the Sony Pictures Entertainment attack in 2014, the same actors laid down the same tool in the networks of several banks across Asia in association with the SWIFT intrusions in 2016, which netted the regime close to $80 million for a single operation.


North Korea is currently facing the most direct threat of armed conflict since the end of the Korean War. The tensions on the Korean Peninsula have been escalating at a rapid pace since the beginning of 2017 and North Korea’s traditional supporter China has been slowly distancing itself from the North. This leaves North Korea with one powerful neighbor and occasional supporter, Russia. At the end of April, Russia blocked a UN resolution condemning North Korean missile tests and also publicly renounced potential unilateral action by the U.S. Given that China and Russia were the most affected by the WannaCry attack and the infection pattern is easy to predict based on number of pirated operating systems in both countries, it would be a significant risk to disproportionately attack the two closest things North Korea has to allies. Especially given that excluding their networks from the randomization function would have been a trivial coding change.

Complicating matters further, most of the known North Korean cyber activity originates in China, and North Korea’s only Internet access transits China and Russia. China’s ability to identify and jail DPRK cyber actors operating from their territory has the potential to cripple the capabilities of the DPRK program. To launch an attack of this scale against those two countries would run a significant risk of wiping out North Korea’s own cyber capability both from a connectivity and from a trained personnel standpoint.

Finally, the relatively low compromise rate of South Korea, Japan, and the U.S. runs contrary to every attack ever authorized by Pyongyang. To spare North Korea's greatest enemies in an attack of this magnitude would be grounds for execution for whoever planned the campaign. Based on Pyongyang’s goal of striking top enemies in their campaigns, it is highly unlikely that they would design a piece of malware that did not have a high probability of success against the U.S., South Korea and Japan.

South Korea has highly advanced technological capabilities and is very aware to the threat from the North. DPRK is aware of this point and will not launch an attack that will have such a low success rate against such a big adversary. Perhaps the attackers underestimated patching policies that took place in these countries and thus the low infection rate is just a result of mission failure rather than by design. More likely, though, is that if North Korea was going to execute this style of attack it would have used more than one exploit to at least ensure success against South Korean networks.


North Korea excels at controlling the narrative and grabbing international headlines. Their ability to create escalation cycles and ramp up pressure to either gain concessions or demonstrate resolve to an internal audience is arguably unrivaled. This pattern of provocation, rhetoric and then eventual de-escalation is something that plays out across conventional military, nuclear and cyber space in the same pattern.

In the conventional and nuclear spaces, the North uses missile tests to demonstrate resolve, signal to the U.S. and expand its deterrent capability. On May 14, North Korea tested an Intermediate Range Ballistic Missile that has the capability to hit U.S. military installations on Guam. This test also provided a stress test for a reentry vehicle that could be used on a missile with the capability to reach the U.S. and carry a nuclear weapon.

In any other news week, this successful test would have been the major international headline around the world. [Editor’s note: Two days after the WannaCry infection North Korea carried out what intelligence analysts called the nation’s most successful test to date in its attempt to develop ballistic missiles capable of carrying nuclear warheads.] This event hits all the high notes for the North Korean media machine and should have been used for at least a week’s worth of propaganda. Instead, it was overshadowed by the worm. Given the national importance of the nuclear and missile program, Pyongyang would never have intentionally released a cyber attack that had the potential to undercut the largest achievement of its missile program.

In cyber space, North Korea has also created a standard operating procedure to ensure that the strategic messaging related to an attack is well heard. Assumed but unprovable attribution is their goal when conducting destructive attacks. In every instance of a destructive attack known to be conducted by the North Koreans there was a fake “hacktivist” group created with a very similar graphic and verbiage that took credit for the attack.

North Korea uses cyber attacks as strategic messaging and retaliation. It is impossible to conduct a clear messaging campaign if the recipient does not know who the sender is. This has led the North to thinly veil their attacks, ensuring that the “might” of the North Korean military is on display. The WannaCry attack has none of the hallmark messaging or claiming of responsibility. It lacks the messaging component that is fundamental to just about every action North Korea takes.

What if the outlier to this analysis is currency generation gone wrong? It is possible that as part of their mandate to gain hard currency for the government, an enterprising DPRK hacker cobbled together this malware and unleashed it without fully appreciating the consequences. While possible, it is highly unlikely for a few reasons:

  1. If this was a currency generation ploy, they wouldn’t have removed their own code from a working variant. North Korean actors generally do not worry about code artifacts, which is precisely why they were caught in the Bangladesh case.
  2. If the goal was currency generation, the financial support infrastructure would have been more robust and they would have worked harder to make the payment mechanism more user-friendly. They certainly wouldn’t have let the rumor spread that paying had no effect on the files.
  3. If they had concerns with controlling the spread of the worm once it was unleashed, they would have registered the “kill switch” domain. This oversight points to the amateur nature of the initial attack and would imply that if a DPRK actor did conduct this attack, they were not operating at the level normally associated with these groups.
Ross Rustici
About the Author

Ross Rustici

Ross Rustici is Cybereason's Senior Director of Intelligence Services.