30 May 2017

‘Don’t Cry For Me Pyongyang’: Cyber Security Firm Symantec Increasingly Confident WannaCry Ransomware Attack/Cyber Pandemic Linked to North Korea

Joe Uchill has an article on yesterday’s (May 22, 2017) TheHill.com, noting that “researchers at [the cyber security firm] Symantec are increasingly confident that a recent, massive ransomware outbreak is linked to a [known] North Korean state hacking group.”

“Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in the previous Lazarus attacks — making it highly likely that Lazarus was behind the spread of WannaCry,” according to a blog post on Symantec’s website posted Monday evening.

“The earliest versions of the WannaCry ransomware — ones deployed before the leak of the stolen [NSA] hacking tools — appear to have been deployed to networks by hand,” Mr. Uchill noted, as opposed to later versions that spread rapidly — a cyber pandemic if you will — and infected hundreds of thousands of computers, devices and networks across the globe within a matter of days. “Symantec was able to determine that hacking tools used by the Lazarus Group, the same group who hacked Sony Pictures, were likely used to install early versions of WannaCry,” Mr. Uchill noted. Prior to this revelation, Symantec had already posted a note to their blog that they had found a suite of hacking tools used by the Lazarus group on computers infected by the first known version of WannaCry in February of this year. Mr. Uchill referred to Symantec’s February blog post, noting that “the attack used two different variants of the malware known as Destover, which was used in the Sony hacks, and one of Volgmer, used in attacks against South Korean targets.”

“A second version of the ransomware [WannaCry], released in March and April, used two other types of malware to do the installation — Alphanc and Bravonc,” Mr. Uchill wrote. “Symantec found these tools in five separate WannaCry attacks and were able to determine that WannaCry began installation [infecting] within minutes of Alphanc being installed. Both Alphanc and Bravonc used command-and-control infrastructure that the Lazarus Group has used in the past, including servers at Internet addresses distinct to the [North Korean hacking] group.”

“The core similarity leaves very little doubt. The only thing that we don’t know is whether this was a [North Korean government] sanctioned campaign, or Lazarus Group trying to make some money on the side,” Vikram Thakur, Technical Director at Symantec, told Mr. Uchill and The Hill.

Mr. Uchill notes that “another link between Lazarus and WannaCry had been discovered earlier. A [cyber] security researcher at Google, and [cyber security] researchers at Kaspersky Lab, found that identical computer code had been used to design Lazarus tools and WannaCry. There are, however, other reasons the same code might appear in more than one program, including hackers taking a shortcut in designing their own wares. Symantec found other coding overlaps, including a unique, quirky implementation of the SSL encryption suite; and a similar style of making the computer code hard to analyze, a process known as obfuscation.” We have plenty of that here in Washington D.C.

“The overlapping code,” Mr. Thakur said, “has not been seen outside the Lazarus Group attacks, meaning it was likely not available in a coding repository used by malware coders to cut and paste reusable code. Alphanc overlapped so significantly with the Durzur tool used by Lazarus that the Symantec blog said it might be the latest ‘evolution’ of the tool.” “Unfortunately,” Mr. Thakur lamented, “with [the current] attacks coming to an end, we won’t be able to get more data from them — to be even more sure about who was behind it, and why.”

While false flags abound in the cyber domain, it is highly likely that the data analyzed as a result of the WannaCry outbreak, and the judgments that Symantec and others have drawn from that analysis, are correct: that North Korea was the culprit and responsible for this brief cyber pandemic. I defer to David Maxwell; but I doubt that this was some rogue operation by North Korean hackers attempting to make money on the side, or off the books. Possible, absolutely. But, with Kim Jong-Un, or “Dr. Evil” as I call him, being so paranoid right now, and global tensions very high over Pyongyang’s nuclear and ballistic missile program — if I had to bet, I’d have to come down on the side that this hack was ordered and directed by Mr. Un and his coterie of sycophants. V/R, RCP