Cyber-attack: US and UK blame North Korea for WannaCry

[DiDИ]

Attackers encrypted user's devices, and typically demanded a ransom of $300-600 in Bitcoin

 

The US and UK governments have said North Korea was responsible for the WannaCry malware attack affecting hospitals, businesses and banks across the world earlier this year.

The attack is said to have hit more than 300,000 computers in 150 nations, causing billions of dollars of damage.

It is the first time the US and UK have officially blamed them for the worm.

Thomas Bossert, an aide to US President Donald Trump, first made the accusation in the Wall Street Journal newspaper.

Mr Bossert, who advises the president on homeland security, said the allegation was "based on evidence".

He did not produce any evidence in the article, but said US findings concurred with judgments from other governments and private companies.

He added that Australia, Canada, and New Zealand also share the US conclusion that North Korea was behind the attack.

Following the interview, the UK Foreign Office also blamed "North Korean actors using their cyber programme to circumvent sanctions".

The National Cyber Security Centre assessed that is "highly likely" that the North Korean Lazarus hacking group had committed the attacks, Minister for Cyber Lord Ahmad said in a statement.

In May, Windows computers hit by the cyber-attack had their contents locked, with users asked to a pay a ransom to have their data restored. EU police body Europol called the scale of the attack "unprecedented".

Why blame N Korea now?

Analysis: Gordon Corera, BBC security correspondent

Britain's National Cyber Security Centre, part of the GCHQ signals intelligence agency, first attributed the May 2017 Wannacry attack to North Korea within weeks of the ransomware spreading.

The speed was because the UK led the international investigation after the National Health Service was hit hard.

The US intelligence community may have taken longer to concur with that assessment but there is still the question of why the White House is only going public now.

Governments used to be cautious about attribution in cyber attacks but it is becoming increasingly common - beginning with the claim North Korea was behind the attack on Sony in 2014 and more recently involving Russia's alleged hacking in the 2016 US election.

This latest claim is almost certainly an attempt to put more pressure on North Korea in the crisis over its nuclear programme with the attempt to rally international support behind the notion that the country is a real danger - whether from cyber weapons or nuclear weapons. And to make the case that further action, of some kind, needs to be contemplated.

Mr Bossert warned that "we will continue to hold accountable those who harm or threaten us"

In the Wall Street Journal piece, Mr Bossert said North Korea must be held "accountable" and that the US would continue to use a "maximum pressure strategy" to hinder the regime's ability to mount cyber-attacks.

He did not specify what action, if any, the US government planned to take in response to the findings.

North Korea is already facing major economic sanctions after being redesignated a state-sponsor of terrorism last month amid tension over its nuclear programme and missile tests.

"North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behaviour is growing more egregious. WannaCry was indiscriminately reckless," Mr Bossert wrote.

"As we make the internet safer, we will continue to hold accountable those who harm or threaten us, whether they act alone or on behalf of criminal organisations or hostile nations," he went on.

"The tool kits of totalitarian regimes are too threatening to ignore."

He added that Microsoft and Facebook both acted to disable North Korean cyber-attacks "on their own initiative last week, without any direction or participation by the US".

Microsoft later issued a statement, saying that last week the company "working together with Facebook and others in the security community, took strong steps to protect our customers and the internet from ongoing attacks by an advanced persistent threat actor known to us as ZINC, also known as the Lazarus Group".

"Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers' infected computers, disabled accounts being used to pursue cyber-attacks and strengthened Windows defences to prevent reinfection," the statement said.

However, some social media users said that - while crediting Microsoft and Facebook - Mr Bossert did not mention a UK security researcher who had "accidentally" halted the spread of the malicious software.

The 22-year-old man, known by the pseudonym MalwareTech, managed to bring the spread to a halt when he found what appeared to be a "kill switch" in the rogue software's code.