WannaCry: who did the attack benefit?

On 12 May 2017, the cryptoworm WanaCrypt0r 2.0, also known as WannaCry, infected hundreds of thousands of computers around the world. Our investigation into this ransomware reveals some worrying trends.

(Re)read part 2: WannaCry seen from the perspective of an SMB server

(Re)read part 3: WannaCry, a chronological order

North Korea in the spotlight?

On 15 May 2017, the WannaCry worm was linked to the Lazarus hacker group, which is suspected of being backed by North Korea. A researcher at Google published a code sample from the worm that bore a striking resemblance to some of Lazarus’s tools (1). This information was quickly picked up on by the Russian cybersecurity firm Kaspersky, which specialises in the hacker group. On 22 May 2017, Symantec also reported on these similarities (2), theorising that WannaCry could be attributed to Lazarus.

Our knowledge of Lazarus is patchy at best:

  • The group is thought to be responsible for a series of attacks on South Korean government agencies, financial institutions and media organisations between 2007 and 2013.
  • It is also thought to be behind the 2014 hacking of Sony Pictures, a particularly invasive attack that resulted in the theft of unreleased films and confidential information on Sony’s 4,000 employees. The FBI stated that it had proof that North Korea was involved in the attack, which it could not disclose. President Obama indicated that the United States would retaliate (3).
  • The group was linked to the theft of USD 81 million during a series of attacks on banks in Poland and Bangladesh two years later in 2016.

The Lazarus group: politics or profit?

To understand the Lazarus group, we must first establish its motives. In the cybersecurity field, a distinction is often made between groups affiliated with nation-states and hackers looking to make money. Nation-state groups are often politically motivated: they target public facilities, major banks, large companies or government agencies in hostile countries in order to spy on or upset economies. As they are backed by states, they often have impressive technical resources. Profit-seeking hackers generally have fewer resources. Their code is more likely to include bugs or copy from existing tools. They are more opportunistic when selecting targets.

Lazarus’s tools are particularly sophisticated, according to Kaspersky Lab, and many of its targets are political. Unsurprisingly, some of its attacks have centred on South Korea, North Korea’s long-time enemy. Its attack on Sony Pictures has been seen as retaliation for the film The Interview, a parody of the North Korean dictatorship that attracted Pyongyang’s fury. These two clues would seem to indicate that the group is backed by a nation-state.

However, the group’s motives for attacking banks are less clear. They appear to be financial rather than political – and nation-states are not interested in profits, according to a Kaspersky Lab expert. In this case, if Lazarus is backed by North Korea, why would it wage a cybercrime campaign? Once again, Kaspersky Lab has the answer. It considers that the group has a special financial operations unit, whose goal is to make money (4).

A modern whodunnit

Despite the analysis above, determining the origins of malicious software is a difficult process, which involves balancing technical, cultural and geopolitical considerations. Information can be deliberately or inadvertently falsified, leading to erroneous conclusions.

For example, hackers often reuse the code of other well-known hacker groups, resulting in cybersecurity companies mistakenly attributing attacks based on these technical clues. Groups sometimes even publish the code for their own tools so they can be used by other hackers, covering their tracks. Care must therefore be taken when using these indications to draw conclusions.

This also applies to cultural and political clues. Hackers often use “false flags” – fabricated clues – to ensure malware is attributed to a specific group. Documents leaked by Edward Snowden, for example, showed that the NSA had tools that could be used to fabricate false clues. One of these techniques was inserting Cyrillic or Chinese words into code.

Hackers may also include cultural indications to mislead experts. When the French television channel TV5 Monde was hacked in 2015, the group behind the attack called itself the “Cybercaliphate” and published messages supporting ISIS – even though ISIS never claimed responsibility for the infiltration. Later investigations showed that APT28, a high-level hacker group associated with the Russian government, was probably behind the attack.

Chasing down alternatives

Determining responsibility for an attack is therefore no simple matter, and WannaCry is no exception. Not only did this worm use NSA exploits, it may also have borrowed code developed by Lazarus.

On 25 May 2017, several days after Symantec released its report, the cybersecurity firm Flashpoint published a blog article suggesting the worm could be of Chinese origin (5). Flashpoint reached this conclusion after analysing the malware’s architecture, as well as linguistic and cultural clues. In particular, it focused on the ransom message, which was translated into multiple languages. Many ransom messages contained syntax errors that were probably due to machine translation. The only messages that appeared to have been written by humans were those in English and Chinese. However, the English message contained grammatical errors indicating that the author was not a native speaker. The attackers’ native language was therefore most likely Chinese.

Does this mean Lazarus was not the culprit? By definition, ransomware is designed to make money and is therefore perfect for profit-seeking hackers. Seen from this perspective, the perpetrator was unlikely to be a state-backed political group like Lazarus. But Lazarus is a law unto itself – from time to time, it does run financial operations. However, WannaCry does not meet the group’s usual criteria. Lazarus uses sophisticated tools to target banks and financial institutions. It is extremely discreet, often hiding deep inside infected networks, sometimes spending several years there. It seeks to avoid publicity at all costs – most of its operations take place outside victims’ work hours, and tools are constantly adapted to take into account researchers’ revelations.

WannaCry was not at all discreet. Many experts even considered it a “draft”, for the following reasons:

  • The EternalBlue exploit seemed to have been copied and pasted into the worm;
  • The ransomware did not perform particularly well, only infecting machines running Windows 7 and Windows Server 2008 R2;
  • The document decryption key had to be sent manually, unlike the automatic keys used in other recent ransomware, indicating that the hackers did not expect to infect many machines;
  • The kill switch was ineffective and amateurish. Generally, kill switches are more sophisticated: they include several domain names or domain names that change over time, reducing the likelihood that the kill switch will be discovered and the virus stopped. This was not the case with WannaCry, which used a single domain name.

This raises other questions. Why include a kill switch, which is visible to all, if the point of the worm is to spread as quickly as possible? This is especially true given the media coverage following the infection of hospitals and major companies – not ideal, if discretion is the goal.

Technical considerations aside, the Lazarus group does not often use ransomware. Generally, it targets banks and institutions, which are much more profitable. According to the Twitter bot Actual Ransom (6), which monitored WannaCry payments, only USD 120,000 was paid to the hackers behind the attack. Given the USD 81 million stolen from the Bank of Bangladesh, this sum is paltry to say the least.

WannaCry: a test that went wrong?

Another theory is currently gaining ground: WannaCry may have been a worm that escaped the control of its developers. This is the position adopted by the cybersecurity specialist the Grugq (7). The sloppy design of the worm, the amateurish kill switch and the lack of proof that machines were originally compromised by phishing attacks seem to indicate that this was incomplete software that simply exploded out of control.

Supporting this theory, Symantec and Kaspersky Lab published information on earlier, less virulent versions of the malware that hackers tested using Trojan horses or password theft tools. These earlier versions only infected a few computers. Hackers then stepped up their game, integrating NSA exploits into the code – with unexpected results. The malware escaped, infecting high-profile targets before going global.

Seen from this perspective, the WannaCry tool was still being developed, which explains its lack of sophistication, lacklustre performance, manually infected targets and amateurish kill switch. None of these elements make for a successful cybercrime campaign, but they do help slow the spread of a worm under development.

To sum up, WannaCry has all the hallmarks of malware developed by a group of profit-seeking cybercriminals. It may or may not have been developed by Lazarus, which some believe has a financial operations unit. However, the worm’s sloppy design and high-profile targets, which are uncharacteristic of the North Korean hacker group, could be explained by the fact that the malware was still under development. This idea is further reinforced by the low profitability of the worm compared to the group’s other tools: the hackers would most likely have increased the ransom amount once the malware was finished. From this point of view, WannaCry was a typical cybercriminal campaign seeking to make money. But can we disregard the Chinese connection so easily?

Who did the attack benefit?

Regardless of whether the malware was developed by hackers in China, North Korea or elsewhere, we must not forget the big winners. In an article published on 16 May, the Washington Post confirmed what many had been thinking: according to anonymous sources, the NSA informed Microsoft of the flaws exploited by WannaCry before they were leaked by the Shadow Brokers (8). The article went on to explain that the NSA had used EternalBlue and the other leaked tools for more than five years, despite in-house discussions on whether these flaws were so dangerous they should be revealed to Microsoft and other software designers. At least this problem has been solved.

The article also revealed that the NSA had an internal process to determine whether software flaws should be disclosed to vendors or kept secret to build surveillance tools. In 2014, the National Security Council launched a new vetting process for vulnerabilities collected by US security agencies. According to cybersecurity expert Mike McNerney, a former Pentagon cybersecurity official, the process worked for the tools stolen from the NSA. The problem was how this information was communicated: the NSA identified the risk and informed Microsoft, which released a patch. However, no one publicly stated how dangerous this flaw was, meaning that 98% of victims had simply failed to install security patches.

More importantly, the malware highlighted the issue of the stockpiling of vulnerabilities (9). In a press release dated 14 May, Microsoft put the blame squarely on the NSA, calling for a Digital Geneva Conference. According to Brad Smith, President and Chief Legal Officer of Microsoft, governments’ cybersecurity programmes should include good practices such as reporting vulnerabilities to software vendors rather than hoarding them.

Dangerous and unpredictable weapons

The vulnerabilities exploited here are 0days – flaws that have not yet been published or patched. Because no protection exists, malware using these vulnerabilities is very effective and has huge destructive potential, especially when flaws are critical. Consequently, both hackers and government agencies actively hunt 0days. Prices for these flaws can reach up to USD 1.5 million.

To be useful, these tools must be kept secret. After publication, vulnerabilities are practically useless to government agencies, because software vendors release corrective patches. In addition, government targets are generally much more tech savvy than individuals or companies. For this reason, the US government and army were not affected by WannaCry, because they switched to new operating systems in 2014. This partly explains why the NSA reported the flaw to Microsoft after its network was compromised. The stolen tools had become threats and, given their reduced usefulness, it would have been dangerous and counterproductive to keep them secret.

At the end of the day, not only did the US lose costly and effective weapons, it was also forced to reveal its stockpile of vulnerabilities to software vendors. This disarmament only affected the US – its cybersecurity enemies experienced no such humiliation. Furthermore, the media coverage of WannaCry focused on the NSA’s hoarding of flaws, which led to the US government being considered partly responsible for the worm, even though patches were released several months before the attack.

Once bitten, twice shy: the NSA is likely to be much more careful when deciding to keep such a powerful flaw secret in the future. The Russian and Chinese governments, however, will have no such scruples.

From Russia, with love?

Currently, no links have been established between WannaCry and Russia. President Putin put responsibility for the computer worm squarely on the US, stating in response to allegations of a Russian connection that the Americans were “always looking for someone to blame”. However, some cybersecurity experts have indicated that the Shadow Brokers, who originally leaked the NSA tools, are of Russian origin.

This theory is based on one of the leaks posted by the Shadow Brokers in response to the US strikes in Syria. The leak included a political message criticising America’s military action, among other things. If well founded, this theory would fit well with the idea of unilateral cyber disarmament. As a political enemy of the US, Russia would gain from the NSA losing credibility with the public. Based on this theory, the hackers not only stole the Americans’ cyber weapons, they also leaked them to ensure a scandal would occur, making US agencies more reluctant to stockpile such tools in the future. Russia is well known for backing hacker groups – such as APT28 – that target enemy companies and governments. Stripping a rival of its arsenal would be a major victory for the Russians.

Nevertheless, no real proof exists to support this theory. Another possibility is that the data was leaked by someone inside the NSA: the political messages posted by the Shadow Brokers are eclectic at best (accusing Trump of “forgetting his [electoral] base”, criticising the departure of Steve Bannon, condemning the strikes in Syria and denouncing his attempts to replace ObamaCare) and could be false flags. The group’s erratic syntax could be the work of an English speaker seeking to hide his or her native language, according to one linguistics professor. Lastly, the documents posted by the group bear a striking resemblance to the content collected by Harold T. Martin III, a former NSA employee who was arrested in February 2017 for stealing agency data (10).

To conclude, three theories are currently under consideration:

  • The initial suspects, the North Korean-backed Lazarus group, have a financial operations unit which could have launched WannaCry given the similarities between the worm and their tools. However, the attack’s sloppiness and lack of discretion are uncharacteristic of the Lazarus group.
  • The malware could be a typical cybercrime campaign waged by a Chinese hacker, as indicated by an analysis of translated ransom messages, but the strategy adopted was flawed and unprofitable.
  • The worm could have “escaped” a laboratory, given the existence of a kill switch, the low ransom amount and the amateurism of the campaign. Its rapid spread would therefore have been accidental. This third possibility does not discount either of the two preceding theories but adds weight to both.

Regardless of whether the Shadow Brokers are a state-backed group or internal whistleblowers, and regardless of whether WannaCry was an attempt to upset the economy or make money from cybercrime, the NSA has been partially disarmed – a boon for its foreign counterparts. Is this just round one of a global cyberwar between the United States and its political and economic opponents?

(1) https://securelist.com/blog/research/78431/wannacry-and-lazarus-group-the-missing-link/
(2) https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group
(3) https://www.theguardian.com/technology/2015/jan/08/fbi-north-korea-accusation-sony-pictures-hack
(4) https://securelist.com/blog/sas/77908/lazarus-under-the-hood/
(5) https://www.flashpoint-intel.com/blog/linguistic-analysis-wannacry-ransomware/
(6) https://twitter.com/actual_ransom/
(7) https://medium.com/@thegrugq/internet-of-wilderness-of-mirrors-9eaa24bd99d8
(8) https://www.washingtonpost.com/business/technology/nsa-officials-worried-about-the-day-its-potent-hacking-tool-would-get-loose-then-it-did/2017/05/16/50670b16-3978-11e7-a058-ddbb23c75d82_story.html
(9) https://blogs.microsoft.com/on-the-issues/2017/05/14/need-urgent-collective-action-keep-people-safe-online-lessons-last-weeks-cyberattack/#sm.000x4l8ki1dvdfr9u2r19diw33vg8
(10) https://arstechnica.com/tech-policy/2017/02/former-nsa-contractor-may-have-stolen-75-of-taos-elite-hacking-tools/