There’s Proof That North Korea Launched the WannaCry Attack? Not So Fast! – A Warning Against Premature, Inconclusive, and Distracting Attribution

By James Scott, Sr. Fellow, ICIT

Last week, ICIT urged responsible news outlets to focus on meaningful aspects of the May 12, 2017 WannaCry attack on over 230,000 systems in over 150 countries, such as the desperate need for security-by-design in software and technology, the perpetual failure of organizations across the globe to secure their systems against publicly disclosed vulnerabilities and threats, and the hazards of the collection and concealment of exploitable vulnerabilities by governments, agencies, and private organizations. Nevertheless, firms motivated by private agendas are dangerously attempting to shift public dialogue back to speculation of attribution despite a clear and present necessity for pervasive, transparent, and inclusive dialogue addressing the underlying weaknesses in cybersecurity culture and critical infrastructure systems that enabled the May 12, 2017 WannaCry attack to succeed in the first place. To be abundantly clear, the recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing. Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat (APT); in fact, an abundance of evidence suggests that the Lazarus Group may be a sophisticated, well-resourced, and expansive cyber-criminal and occasional cyber-mercenary collective. Circumstantial similarities between malware variants and C2 infrastructure led to the recent attribution of WannaCry to Lazarus despite a sharp difference in the level of sophistication of the malware and threat actors, glaring differences in the target demographics, and severe variations in the operational procedures of the actors. At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT.

Since 2009, the Lazarus group’s cyberespionage and cybersabotage campaigns have targeted military organizations, financial institutions, media stations, manufacturing companies, and others, in countries such as South Korea, the U.S., India, China, Brazil, Russia, and Turkey. The Lazarus group is allegedly responsible for cyberattacks against Sony Pictures and the Bangladesh Central Bank [1]. The group has been rapidly expanding and evolving since 2010. The Lazarus Group is believed to be based out of China, with some members possibly operating from other regions [2]. Some allege that Lazarus is a North Korean state-sponsored APT; however, Lazarus does not exhibit any definitive signs of state-sponsorship, and the evidence relied upon to attribute the group to North Korea, such as an IP hop or some language indicators, is circumstantial and could even consist of intentional false flags [3]. Symantec even admits that “the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign” [1]. Lazarus appears to be a cybercriminal operation that may occasionally act, in part or whole, as cyber-mercenaries for various nation states. Lazarus’s infrequent targeting of strategic geopolitical entities and its occasional targeting of North Korean allies China and Russia support the argument that the collective is not state-sponsored (by North Korea, China, or any other). Members operate in GMT +8 or GMT +9 and work for 15-16 hours per day, starting at midnight and breaking for lunch around 3 am, local time [3]. Only two-thirds of the Lazarus samples had one or more PE resources with Korean locale or language.

Symantec monitored a small number of targeted WannaCry attacks in February, March, and April 2017, and they claim that the malware used in the attacks is nearly identical to that used in the May 12 attack [1]. The main difference was the addition of the EternalBlue exploit and a removal of code borrowed from a 2015 Lazarus Group sample. The team identified shared tools, techniques, and infrastructure between the earlier WannaCry attacks and malware attributed to the Lazarus group [1]. These claims should not be seen as overly definitive despite their presentation because Lazarus was known for borrowing code from other malware and because it remains possible that outdated Lazarus malware was captured by the WannaCry threat actors and occasionally used as a template for their less sophisticated malware development.

The primary rationale for attributing WannaCry to Lazarus appears to be similarities and pairings with malware used in isolated WannaCry attacks in February, March, and April 2017. Symantec monitored a WannaCry attack against a single organization on February 10, 2017, and discovered three pieces of malware, linked to Lazarus, on the system: Trojan.Volgmer and two variants of Backdoor.Destover [1]. Volgmer was used by Lazarus in attacks against South Korea [1]. Destover is the disk wiper tool deployed in the Sony Pictures attacks [1]. The attackers also left behind a variant of the widely used password dumping tool Mimikatz and a file, hptasks.exe, which was used to copy and execute WannaCry on network systems [1]. The attackers also allegedly left behind five other pieces of malware [1]. Symantec did not disclose two of the tools because they were not linked to Lazarus and did not support their argument [1]. Of the remainder, there were two variants of Destover and one variant of Volgmer [1]. It is important to note that while malware used in past Lazarus campaigns was discovered on systems infected with the WannaCry malware, it is uncharacteristic of the Lazarus Group to leave identifying tools on victim systems or, more recently, to not deploy a destructive wiper component when finished exfiltrating valuable data [3].

On March 27, 2017, at least five organizations were infected with an updated version of WannaCry [1]. There was no apparent connection or pattern among those targeted [1]. In the past, Lazarus targets have aligned with specific sectors, even if the motivation behind the attack remained unknown. In two of the attacks, Backdoor.Alphanc was used to drop WannaCry onto victim systems [1]. In the past, Lazarus has used Backdoor.Duuzer [1]. In the March and April WannaCry attacks, the ransomware was spread using Trojan.Alphanc [1]. Alphanc may be an evolution of Duuzer, since it shares a significant portion of code [1]. Duuzer has previously been linked to Backdoor.Joanap and Trojan.Volgmer and is a sub-family of Destover [1], which has been used by Lazarus in past attacks. Backdoor.Bravonc was used to drop WannaCry onto at least two other victim systems in the late March campaign [1]. Bravonc connects to the C2 IP 87[.]101[.]243[.]252 that was used by a sample of Destover. Bravonc uses hardcoded credentials to spread over SMB, which is the same technique used by Joanap [1]. In fact, five of the C2 servers used by WannaCry variants were also used by one or more malware families deployed in past Lazarus campaigns (Trojan.Bravonc, Backdoor.Duuzer, Backdoor.Destover, Trojan.Alphanc, and Backdoor.Cuprox). While this could demonstrate a link, it could just as easily be the result of the unsophisticated WannaCry authors not altering borrowed malware or code. The attribution of WannaCry to Lazarus appears dependent on similar malware usage and tangential adaptations of malware variations. The further attribution of Lazarus to North Korea depends on heavy speculation. Consequently, the attribution of WannaCry to North Korea should be considered with healthy skepticism until the publication of more definitive evidence.

Even if the earlier WannaCry samples were developed or deployed by Lazarus, there is no evidence that they launched the May 12, 2017, attack. According to Symantec’s May 22, 2017, blogpost that reignited the attribution discussion, none of the coincidentally linked malware was involved in the global attack on May 12, 2017 [1]. The May variant of WannaCry featured the EternalBlue exploit and other minor changes; however, Symantec argues that since the passwords used to encrypt embedded Zip files in the WannaCry dropper are similar (“wcry@123”, “wcry@2016”, and “WNcry@2ol7”), the threat actor must be the same for all variants [1]. This detail only proves that the threat actor(s), who never demonstrate the sophistication that Lazarus displayed in the past, did not feel the need to significantly alter the password.

On May 15, 2017, Google researcher Neel Mehta tweeted a hash of an outdated variant of the WannaCry ransomware (9c7c7149387a1c79679a87dd1ba755bc) along with the hash of a variant of the Contopee backdoor (ac21c8ad899727137c4b94458d7aa8d8) [1]. He had found that the samples contained minor sections of shared code [1]. The shared lines were removed from later variants of WannaCry, which were used in larger attacks [1]. The shared code is a partial custom “fake SSL handshake” and an identical cipher suite of 75 ciphers that are used for key exchange, authentication, bulk encryption, and MAC [1]. The Contopee backdoor was employed in several attacks against banks, which are attributed to the Lazarus group [1]. This shared code was later removed from WannaCry. Another key difference in variants is that the earlier versions of WannaCry leveraged stolen credentials to laterally compromise the network while the May 12, 2017, version relied on the EternalBlue exploit [1]. While the similarities to Contopee are compelling, it should be noted that many malware families laterally compromise networks via stolen administrative credentials.
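The cipher-suite comparison described above rests on reading the ordered suite list out of a ClientHello-style record. The following is an added example, not code from this article or from Symantec's analysis; the suite IDs, helper names, and sample records are constructed for illustration and are not taken from the WannaCry or Contopee samples. It shows that a matching list measures shared code or a shared template, not a shared author.

```python
import struct

def build_client_hello(suites, random=b"\x00" * 32):
    """Constructed sample input: a minimal TLS 1.0-style ClientHello record."""
    body = b"\x03\x01" + random + b"\x00"            # version, random, empty session id
    body += struct.pack("!H", 2 * len(suites))       # cipher_suites length in bytes
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                              # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def cipher_suites(record):
    """Return the ordered cipher-suite IDs offered in a ClientHello record.
    Raises ValueError for truncated input or anything that is not a ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS ClientHello record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    end = 5 + rec_len
    if len(record) < end or int.from_bytes(record[6:9], "big") + 4 != rec_len:
        raise ValueError("record or handshake length mismatch")
    pos = 9 + 2 + 32                                 # skip client_version and random
    if pos >= end:
        raise ValueError("truncated before session id")
    pos += 1 + record[pos]                           # skip session id
    if pos + 2 > end:
        raise ValueError("truncated before cipher suites")
    n = struct.unpack("!H", record[pos:pos + 2])[0]
    pos += 2
    if n % 2 or pos + n > end:
        raise ValueError("bad cipher suite length")
    return [struct.unpack("!H", record[i:i + 2])[0] for i in range(pos, pos + n, 2)]

def compare(a, b):
    """Compare two records by suite list: exact ordered match and set overlap."""
    sa, sb = cipher_suites(a), cipher_suites(b)
    shared, union = set(sa) & set(sb), set(sa) | set(sb)
    return {"same_order": sa == sb, "shared": len(shared),
            "jaccard": len(shared) / len(union)}

# Constructed suite table (real TLS suite IDs, arbitrary selection and order).
TABLE = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004, 0xC013, 0xC014, 0x009C]
SAMPLE_A = build_client_hello(TABLE, random=b"\x11" * 32)
SAMPLE_B = build_client_hello(TABLE, random=b"\x22" * 32)   # same table, other binary
SAMPLE_C = build_client_hello([0x002F, 0x0035, 0xC02F, 0xC030])

if __name__ == "__main__":
    print("A vs B:", compare(SAMPLE_A, SAMPLE_B))
    print("A vs C:", compare(SAMPLE_A, SAMPLE_C))
```

Two binaries built from the same copied table produce the A-versus-B result regardless of who compiled them, which is why the match supports code reuse but cannot by itself distinguish a common author from a borrowed template.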

Kaspersky has stated that in previous attacks, “Lazarus works in a silent and sophisticated way” and that “they migrate to other hosts and deploy persistent backdoors. Once persistence is achieved, they have enough time to learn the network around them, identifying backup servers and servers responsible for financial transactions. During the final stage, they deploy special malware capable of issuing rogue transactions on behalf of the bank…” The WannaCry authors exhibit none of this sophistication and forethought. Kaspersky noted that for several months, to obfuscate their operations, Lazarus created traps, mimicked legitimate software, and altered phases of the malware. On the other hand, WannaCry has been slow to adapt and has not been able to avoid detection. The attempted attack on May 13, 2017, was thwarted just as easily as the first, by sink-holing the kill-switch domain.

Prior to the cyberattacks on the SWIFT banking system, Lazarus was known to conduct cyberespionage and cybersabotage campaigns. The expansion in modus operandi led Kaspersky and others to conclude that the group’s sudden interest in financially motivated attacks, such as that against the Bangladesh Bank, is characteristic of a smaller internal division, dubbed Bluenoroff, which focuses on financial profit while the much larger Lazarus group conducts infiltration and espionage operations. Bluenoroff has notably targeted financial institutions, casinos, crypto-currency organizations, and financial trade software developers [4]. The WannaCry attacks could have been launched by Bluenoroff; however, each and every WannaCry attack has lacked the stealth, sophistication, and resources characteristic of Bluenoroff itself or Lazarus as a whole. If either were behind WannaCry, the attacks likely would have been more targeted, had more of an impact, would have been persistent, would have been more sophisticated, and would have garnered significantly greater profits.

These realities result in a few possibilities. WannaCry could have been an early-stage trial run incorporating the EternalBlue exploit into the malware, which exceeded the expectations and assumptions of a component of the Lazarus group. The primary fallacy of this theory is that the EternalBlue exploit was valuable prior to the WannaCry attack. Lazarus appears to know the value of the exploits and malware that they employ. For instance, the group launches multi-stage attacks and relies on rudimentary first stage backdoors so that more valuable or identifiable malware is not jeopardized by early or accidental detection [4]. A sophisticated actor like Lazarus would have been more likely to ensure the utility of EternalBlue and to establish persistent compromise of victim systems rather than waste the exploit on a prolific and unprofitable campaign (relative to scale and law enforcement attention) like the May 12 WannaCry attack. Lazarus is known to incorporate wipers into its malware. If the WannaCry threat actors were North Korea, it could have inflicted a devastating hybrid warfare attack on global targets by pairing EternalBlue with a wiper malware that destroyed data and self-propagated. Instead, the WannaCry actors “burned” the vulnerability in a global attack that resulted in paltry impact (relative to scale), meager profits, massive visibility, significant law enforcement attention, etc. Essentially, the WannaCry actor’s use of EternalBlue is the exact opposite of how evidence suggests North Korea or the Lazarus Group would leverage the exploit.

Lazarus allegedly operates a factory of malware that has generated hundreds of malware samples from multiple conveyors [4]. Were the Lazarus group behind the WannaCry attacks, all evidence suggests that the ransomware would have been more sophisticated, impactful, and effective. Further, the WannaCry attacks after May 12 would have featured altered and updated code rather than just a different kill-switch address. “Keep Morphing” appears to be the internal Lazarus mantra, as the group avoids using the same tools, code, algorithms, etc. in multiple attacks without variation or mutation [4]. In contrast, prior to May, Symantec detected, compared, and analyzed multiple WannaCry samples that barely differed based on target or version.

Lazarus exhibits strict organization at all stages of operation. On a few rare occasions, Lazarus has reused tools due to the size and scale of the group hindering immediate communication and constant awareness of all active initiatives. It remains possible that one of the sub-contractors or a rogue faction of Lazarus, who had access to malware or who initially developed some of the code, was behind the WannaCry attacks. Bluenoroff prefers to silently integrate into processes, extort them, and invisibly disappear after stealing massive fiscal gains; so, it is unlikely that WannaCry was one of its operations. For ease of comparison, consider that Bluenoroff was able to move around and steal millions of USD from banking networks designed to detect suspicious activity [4]. Meanwhile, WannaCry very publicly announced its presence on victim machines and, despite infecting hundreds of thousands of systems, it barely generated $70,000 in profits.

WannaCry’s shoddy configuration and meager profiteering do not align with the sophistication and targeting profile of the Lazarus group [4]. Based on the threat actor profile of the Lazarus group and Bluenoroff, from multiple reputable vendors, the WannaCry attack lacked the target parameters, malware sophistication, impact, obfuscation mechanisms, persistence modules, and overall complexity characteristic of a Lazarus group campaign. WannaCry appears to have been developed with Chinese keyboard settings and used an automatic English translation for ransom demands. Further, the attribution of the May 12, 2017, WannaCry attack to North Korea does not consider that North Korean allies China and Russia were the most impacted by the WannaCry attack. However, if Lazarus and North Korea are not co-dependent, as evidence suggests, then one could attribute WannaCry to an inexperienced and under-resourced rogue faction of Lazarus. Overall, the release of attribution evidence is premature, inconclusive, and distracting. The May 12, 2017 WannaCry attack demonstrated that software manufacturers are still using the public as “crash test dummies” for vulnerable code that fails to incorporate security throughout the development process to preclude exploitable defects, that organizations in over 150 nations are continuously operating antiquated and insecure systems that jeopardize the data of millions of consumers, and that governments, agencies, and private organizations are still not convinced that hoarding exploits or intentionally implanting vulnerabilities within software are dangerous practices that empower adversarial efforts. The WannaCry threat actors, whoever they may be, wherever they are, barely profited from the attack. Subsequent attacks have been foiled with ease, and additional patches have been released for systems vulnerable to the EternalBlue exploit.
Based on the exhibited (lack of) sophistication of the WannaCry actors, who could not even develop fully functional ransomware, law enforcement will eventually apprehend the WannaCry attackers. In the meantime, while the potential of a global attack remains fresh, public dialogue should focus on the aforementioned discussions and on demanding responsible information security and cyber-hygiene practices from the organizations that develop, maintain, and regulate systems and software that store, process, and transmit valuable and sensitive data. Malicious adversaries also witnessed the global attack on May 12, 2017. A more sophisticated adversary, like Lazarus, utilizing EternalBlue could inflict magnitudes of greater harm on the global population if cyber-negligence continues.





[1] “Wannacry: Ransomware Attacks Show Strong Links To Lazarus Group”. Symantec Security Response. N.p., 2017. Web. 23 May 2017.

[2] “Ransomware: Is North Korea Behind The Global Cyber-Attack?”. Zee News. N.p., 2017. Web. 23 May 2017.

[3] Guerrero-Saade, Juan Andrés, and Costin Raiu. “Operation Blockbuster Revealed – Securelist”. N.p., 2017. Web. 23 May 2017.

[4] Greenberg, Andy. “The Ransomware Outbreak Has A Possible Link To North Korea”. WIRED. N.p., 2017. Web. 23 May 2017.


