Doubts raised about N. Korean role in hack

Analyst asserts speculation about a state-sponsored ransomware attack distracts from real problem: weak cyber defenses.

The recent WannaCry ransomware attack that used hacked National Security Agency tools has touched off a round of speculation (fueled in part by vendors of cyber defense products) that seeks to blame the attack on North Korea.

Not so fast, counters a Washington-based think tank that cautions there is so far little evidence to support assertions of a state-sponsored attack. Moreover, the Institute for Critical Infrastructure Technology (ICIT) warns that unsubstantiated reports of North Korean sponsorship serves as a distraction from the overriding issue: The "underlying weaknesses in cyber security culture and critical infrastructure systems that enabled the May 12, 2017 WannaCry attack to succeed in the first place."

A growing consensus points to the Lazarus Group, considered a sophisticated, self-sufficient cyber-criminal collective or a splinter group, as a likely source of the WannaCry attack. The group has previously targeted military organizations, banks and manufacturers in China, India, Russia, South Korea, Turkey and the U.S.  

However, the ransomware exploit was a far cry from more sophisticated attacks launched by the Lazarus Group such as 2014 Sony Pictures hack and a cyber attack against the Bangladesh Central Bank. Despite reports to the contrary, the shadowy group has not been linked to a state actor, such as North Korea.

In a blog post this week, ICIT senior fellow James Scott noted that "recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing."

Scott added in an email: "All we are trying to get out there is that this is not a nation state hack, Lazarus Group is NOT North Korean and attribution, even with profound forensics, still won't be enough" to link North Korea to the WannaCry attack.

According the digital forensic specialist Secdo, hackers leveraged NSA's "EternalBlue" exploit several weeks before the actual cyber attack. The New York-based incident response vendor posited that hackers installed backdoors and stole user credentials weeks before the actual attack that quickly spread from the U.K. to China and beyond.

Scott estimates that more than 230,000 systems were affected in some 150 countries.

The upshot, Sedco said, is that WannaCry is just one variant of the lingering attack, and organizations ranging from hospitals to manufacturers remain vulnerable to "thread-level attacks" in which backdoors continue to be installed while network credentials are stolen and user data encrypted.

The NSA framework was used to spawn threads inside legitimate Windows applications, essentially impersonating them, the company said. "While this is not a completely new idea, this technique has been mostly used by state-grade actors in the past to bypass security vendors."

According to forensic experts, the attackers have been exploiting this vulnerability since its release by Shadow Brokers, the group that leaked several NSA hacking tools beginning in April.

As the ransomware attack continues to unfold, Scott warned that speculation tying the Lazarus Group to North Korea "distracts us from focusing on the urgent need for increased security-by-design and greater responsibility and accountability on the part of device manufacturers and data stewards."