The WannaCry worm was one of the more notable attacks of 2017, and since it emerged in May there has been constant speculation about who was responsible for it. The White House this week sought to end that speculation by publicly attributing the attack to North Korea, saying that country’s government was directly responsible for the ransomware campaign and that it was part of a pattern of bad behavior from North Korea.
“Cybersecurity isn’t easy, but simple principles still apply. Accountability is one, cooperation another. They are the cornerstones of security and resilience in any society. In furtherance of both, and after careful investigation, the U.S. today publicly attributes the massive ‘WannaCry’ cyberattack to North Korea,” Tom Bossert, President Trump’s national security adviser, wrote in an op-ed in the Wall Street Journal Tuesday.
The statements from the White House on this are unusual, even if the content of them was already common knowledge in the security industry. Many researchers began pointing the finger at North Korea within days of WannaCry’s emergence. There were technical as well as circumstantial indicators that pointed to North Korea’s involvement, and some of the code involved in the attack was also found in attack tools used by the so-called Lazarus Group, an attack team linked to the North Korean government. Researchers also said that WannaCry wasn’t really meant to make any money as a piece of ransomware, but was designed mainly to disrupt operations and in some cases to erase data from infected machines.
The unusual part is hearing senior administration officials come right out and put the blame on a foreign government for this kind of attack. This is the type of information that’s usually shared with reporters on background, not delivered in a press conference call. The motivation is almost certainly political. Given the tensions between the United States and North Korea, this attribution is another way for the White House to apply pressure and say, We know what you did last summer.
There’s an important piece of information missing in the White House’s statements, however, and that’s the fact that the WannaCry worm used an exploit originally developed by, and later stolen from, the NSA. That’s kind of a big deal. The NSA is good at lots of things, one of which is finding vulnerabilities and developing exploits for them. That’s a big part of the signals intelligence program for most countries these days, and the NSA is at the top of that particular food chain.
What the agency has been less good at recently is keeping its bugs and exploits inside the fence at Fort Meade. The group known as the Shadow Brokers somehow got access to a huge cache of NSA attack tools, exploits, and other information sometime in the not-too-distant past and has been releasing it in artisanal small batches for the last year or so. One of the tools released in April 2017 was the EternalBlue exploit, which targets a vulnerability in Microsoft’s SMB protocol implementation. Since then, a number of different attack campaigns and malware strains have used EternalBlue, including WannaCry.
Having the North Korean government (allegedly) use an (allegedly) NSA-developed exploit in a piece of ransomware is a bad look for the agency and the U.S. government in general. Really bad. Which is probably why the White House kind of avoided that part of the story during its victory lap this week. But you could argue that the use of EternalBlue is kind of beside the point, anyway. Given how successful much more basic ransomware variants have been with nothing more than phishing emails, using an NSA exploit is kind of overkill. Using that exploit may well have been the point of WannaCry, though: one big flex from North Korea. A show of force.
If that’s the case, the point was made. WannaCry got the world’s attention and caused enough of a stir in Washington to bring the president’s national security adviser in front of a bunch of microphones to talk about it publicly. After the finger-pointing was over, Bossert said that the U.S. government is continuing to monitor North Korea’s activities.
"We hope that they decide to stop behaving badly online," Bossert said, according to Ars Technica.
Hope is not a plan, though. It’s what you count on when you don’t have a plan. Rebellions may be built on hope, but security strategies shouldn’t be.