Image: MOD Cyber Security by Owen Cooban (Crown Copyright, 2015).

Was North Korea Responsible for WannaCry?

Cyber Trail Leads to North Korea

Cyber security analysts believe that North Korea may have been responsible for the worldwide WannaCry ransomware attack.

Experts at Symantec and Kaspersky Lab cited code that had been previously used by a hacker collective, the Lazarus Group, which was behind the high-profile 2014 hack of Sony that was also blamed on North Korea.

Lazarus Group

The Lazarus Group is a cybercrime syndicate composed of an unknown number of unidentified individuals. While little is known about the group, a number of cyber attacks have been traced to it over the last decade. The earliest identifiable campaign was a cyber-espionage operation dubbed “Operation Troy”, running from 2009 to 2012, which used simple distributed denial-of-service (DDoS) techniques against South Korean government targets in Seoul.

The most notable cyber attack attributed to the Lazarus Group was the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group had become over time.

The Lazarus Group is also believed to be behind the 2016 heist at Bangladesh Bank, the country’s central bank, in which the attackers stole $101 million. Only about $38 million of this has since been recovered.

It is not clear who is really behind the group, but media reports have suggested the group has links to North Korea.[3] [4]

Kaspersky Lab reported in 2017 that the Lazarus Group showed a tendency to concentrate on cyber spying and infiltration attacks, while a sub-group, which Kaspersky called Bluenoroff, specialised in financial cyber attacks. Kaspersky traced multiple attacks worldwide and discovered a direct IP address link between Bluenoroff and North Korea.[5]

The 2014 Hacking of Sony Pictures

In 2014, Columbia Pictures announced the release of a new film, Seth Rogen and Evan Goldberg’s The Interview, a satirical comedy about a plot to assassinate the North Korean leader Kim Jong-un. When it learned of this, the North Korean government threatened the United States with legal action should the release go ahead. Columbia Pictures postponed the release from October to December that year and re-edited the film, apparently in an attempt to appease the North Koreans.

On November 24, 2014, a hacker group calling itself the “Guardians of Peace” (GOP) leaked confidential data from the film studio Sony Pictures. The data included personal information about Sony Pictures employees and their families, e-mails between employees, information about executive salaries at the company, copies of then-unreleased Sony films, and other information. Columbia Pictures was and is owned by Sony Pictures Entertainment.

The GOP group demanded that Sony pull The Interview and threatened terrorist attacks on cinemas screening the film. Major U.S. cinema chains responded by declining to screen it, forcing Sony to cancel the formal premiere and mainstream release and go directly to a digital release alongside a limited theatrical run. The Interview went on to become Sony’s most successful digital release.

After evaluating the software, techniques, and network sources used in the hack, United States intelligence officials claimed that the attack was sponsored by North Korea. North Korea has denied all responsibility.

North Korea’s Cyber Warfare Capability

In 2013, a U.S. Department of Defense report to Congress, Military and Security Developments Involving the Democratic People’s Republic of Korea, indicated the probable existence of a dedicated North Korean cyber warfare capability that had engaged in Offensive Cyber Operations (OCO) against South Korea since at least 2009.

No. 91 Office and Unit 121

A report by Hewlett Packard Security Research in August 2014 named this capability as No. 91 Office and Unit 121. Drawing on South Korean sources, they estimated a force size of 5,900 personnel.

These cyber warfare sections are within the Reconnaissance General Bureau (RGB), North Korea’s agency for clandestine operations. In the past, the RGB has been involved in training overseas insurgents and has a known special operations contingent. In all, the RGB has six bureaus, two of which – identified as No. 91 Office and Unit 121 – are dedicated to cyber operations.

The No. 91 Office operates out of the Mangyongdae district of Pyongyang. Unit 121 is headquartered in the Moonshin-dong area of Pyongyang, but is also known to operate out of China. One of its bases is the Chilbosan Hotel in Shenyang, the capital of China’s Liaoning Province, which borders North Korea. Given the Chinese location, links with the Chinese military hackers of People’s Liberation Army (PLA) Unit 61398 should come as no surprise. China has refused to blame North Korea for the WannaCry attack.

Or Bureau 121?

A 2014 article by the press agency Reuters identified North Korea’s cyber warfare centre as Bureau 121, not Unit 121, and the Bureau 121 moniker has stuck, whether or not it is more accurate. North Korean defector Jang Se-yul, who studied with the hacker elite at the University of Automation, North Korea’s military college of computer science, is quoted as saying:
“For them, the strongest weapon is cyber. In North Korea, it’s called the Secret War.”

Lab 110 and Unit 204

Another cyber outfit within the RGB has been identified as Lab 110, and a Unit 204 exists within the Workers’ Party’s Unification Bureau, engaging in what the HP report called “cyber-psychological warfare operations”. The North Korean National Defence Commission also has a Psychological Operations Department that engages in cyber-psychological warfare.

North Korean Cyber: Capable and Willing

Both Symantec and Kaspersky Lab cautioned that it is too early to draw definitive conclusions, partly because the code could simply have been copied by someone else for use in the WannaCry attack. The experts might ask us to wait before drawing conclusions, but this is probably as good as the evidence is going to get. What is undeniable is that North Korea has the cyber capability and the political will to launch an attack like WannaCry, and has been implicated in cyber attacks in the past. Whether or not North Korea launched this attack, being perceived as technically capable of doing so can only bolster its military posturing.
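As an added illustration of why shared code is suggestive but not conclusive (the Symantec and Kaspersky finding cited at the top of this page and the caveat just above), the following Python is not from the page or from the cited researchers. It builds four constructed byte strings, three of which contain the same made-up x86-looking routine, and measures byte n-gram overlap the way a simple code-similarity check would. The sample names, the routine bytes and the hash-derived filler are all invented; nothing here is taken from a real Lazarus or WannaCry binary.

```python
"""
Byte n-gram overlap between samples, a toy version of the "shared code"
evidence used in malware attribution. Every sample below is constructed.
"""
import hashlib
from typing import Dict, Set

N = 8  # n-gram length in bytes; long enough that chance matches are negligible

# A made-up 28-byte loop (push ebp / mov ebp,esp / sub esp,0x10 / ... / jl),
# standing in for a routine that two samples happen to have in common.
# Not taken from any real malware sample.
SHARED_ROUTINE = bytes.fromhex(
    "5589e583ec10c745fc00000000eb0a8345fc01817dfc0a0000007cf0"
)


def filler(seed: str, length: int) -> bytes:
    """Deterministic pseudo-random bytes; stands in for a sample's own unique code."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:length])


# Constructed samples (hypothetical names). "old_lazarus" and "wannacry" share
# the routine because, in the story, they came from the same toolkit; "copycat"
# shares it because its author pasted it in; "unrelated" shares nothing.
SAMPLES: Dict[str, bytes] = {
    "old_lazarus": filler("a", 600) + SHARED_ROUTINE + filler("b", 600),
    "wannacry": filler("c", 900) + SHARED_ROUTINE + filler("d", 300),
    "copycat": filler("e", 400) + SHARED_ROUTINE + filler("f", 800),
    "unrelated": filler("g", 1228),
}


def ngrams(data: bytes, n: int = N) -> Set[bytes]:
    """Set of all length-n byte windows in data."""
    return {data[i : i + n] for i in range(len(data) - n + 1)}


def shared_ngrams(a: bytes, b: bytes, n: int = N) -> Set[bytes]:
    """Byte windows present in both samples (the 'shared code' an analyst would flag)."""
    return ngrams(a, n) & ngrams(b, n)


def overlap_score(a: bytes, b: bytes, n: int = N) -> float:
    """Jaccard similarity of the two n-gram sets: 0.0 = nothing in common, 1.0 = identical."""
    ga, gb = ngrams(a, n), ngrams(b, n)
    return len(ga & gb) / len(ga | gb)


def compare_against(reference: str) -> Dict[str, float]:
    """Overlap of every other sample with the reference sample."""
    ref = SAMPLES[reference]
    return {
        name: overlap_score(ref, data)
        for name, data in SAMPLES.items()
        if name != reference
    }


def same_overlap(reference: str, x: str, y: str, tolerance: float = 0.002) -> bool:
    """True when x and y look equally related to reference: overlap alone cannot rank them."""
    scores = compare_against(reference)
    return abs(scores[x] - scores[y]) < tolerance


if __name__ == "__main__":
    for name, score in compare_against("old_lazarus").items():
        print(f"{name:12s} overlap with old_lazarus: {score:.4f}")
    # The routine is found in wannacry and in copycat alike; the byte-level
    # evidence does not say which of them inherited it and which one copied it.
    print("wannacry and copycat indistinguishable by overlap:",
          same_overlap("old_lazarus", "wannacry", "copycat"))
```

Run it and the overlap of wannacry with old_lazarus comes out the same as the overlap of copycat with old_lazarus: the byte-level evidence shows that a routine is shared, not who wrote it or how the second author obtained it. Real analyses add provenance signals (compile timestamps, build environment, infrastructure, first-seen dates) precisely because overlap alone cannot separate inheritance from copying.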
