Arkansas Democrat-Gazette

N. Korea ways seen in cyberattack

Ransomware similarity opens possibility of link, experts say

- COMPILED BY DEMOCRAT-GAZETTE STAFF Information for this article was contributed by Youkyung Lee, Anick Jesdanun, Barbara Ortutay, Lori Hinnant and Deb Riechmann of The Associated Press and by Brian Fung of The Washington Post.

SEOUL, South Korea — Cybersecurity experts suggest North Korea had a role in last week’s global “ransomware” attack because the way the hackers took computers and servers across the world hostage was similar to previous cyberattacks attributed to North Korea.

Simon Choi, a director at South Korean anti-virus software company Hauri Inc. who has analyzed North Korean malware since 2008 and advises the government, said Tuesday that the North is no newcomer to the world of bitcoin. It has been mining the digital currency using malicious computer programs since as early as 2013, he said.

In the attack, hackers demand payment from victims in bitcoins to regain access to their encrypted computers. The malware has scrambled data at hospitals, factories, government agencies, banks and other businesses since Friday, but an expected second-wave outbreak largely failed to materialize after the weekend, in part because security researchers had already defanged it.

Choi is one of a number of researchers around the world who have suggested a possible link between the ransomware known as WannaCry and hackers linked to North Korea. Researchers at Symantec and Kaspersky Lab have found similarities between WannaCry and previous attacks blamed on North Korea.

The evidence is still far from conclusive, however. Authorities are working to catch the extortionists behind the global cyberattack, searching for digital clues and following the money.

“We are talking about a possibility, not that this was done by North Korea,” Choi said.

Meanwhile, the group that helped enable the ransomware attack is threatening to make public even more computer vulnerabilities in the coming weeks — including “compromised network data” pertaining to the nuclear missile programs of China, Iran, Russia and North Korea, as well as secret exploitable features affecting Windows 10, which is run by millions of computers around the world.

A spokesman for the group, which calls itself the Shadow Brokers, claimed in a blog post Tuesday that some of those computer bugs may be released on a monthly basis as part of a new subscription-based business model that attempts to mimic what has proved successful for companies such as Spotify, Netflix, Blue Apron and many more.

“Is being like wine of month club,” said the blog post, which is written in broken English. “Each month peoples can be paying membership fee, then getting members only data dump each month.”

Security experts have been analyzing the blog post for clues about the Shadow Brokers’ intentions and capabilities.

Microsoft didn’t immediately respond to a request for comment. In a blog post Sunday, the company criticized the National Security Agency for stockpiling digital weapons. The tech industry writ large opposes efforts by the government to weaken the security of its products, while national security advocates say it could help combat terrorism.

Although experts say the Shadow Brokers do not appear to have been directly involved in the WannaCry crisis, publishing the exploit for the vulnerability in the first place was a major step toward facilitating the attack.

WannaCry paralyzed computers running mostly older versions of Microsoft Windows in some 150 countries. It encrypted users’ computer files and displayed a message demanding $300 to $600 worth of bitcoins to release them; failure to pay would leave the data scrambled and likely beyond repair.

The hackers appear to have compromised computers and servers around the world with a type of self-propagating malicious code known as a worm. The worm scanned for computers with the vulnerability, in this case mostly older versions of Microsoft Windows, and used each newly infected machine to scan for and infect still more.

Experts say the rapid spread of the worm globally suggests it did not rely on phishing, a method whereby an email is sent to people with the aim of having them click on infected documents or links.

Rather, analysts at the European Union cybersecurity agency say, the hackers likely scanned the Internet for systems that were vulnerable to infection and exploited those computers remotely.

Inside a network, the worm then likely spread over SMB, the Windows file- and printer-sharing protocol, which links computers running Microsoft Windows in a network and is typically used to share files or to connect to a printer.

This method has been found in previously known North Korean cyberattacks, including the hack of Sony in 2014 blamed on North Korea.

“Since a July 2009 cyberattack by North Korea, they used the same method,” Choi said. “It’s not unique in North Korea but it’s also not a very common method.”
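The propagation pattern described above (a host that scans for many machines on the Windows file-sharing port and then uses each one it infects to scan further) leaves a recognisable trace in network connection logs. The following Python script is an added illustration, not code from the article or from any of the researchers or organizations it cites: it flags a source that reaches many distinct hosts on TCP port 445 within a short window, and then pairs each flagged host with machines it touched that later began scanning themselves. The log format ("timestamp source destination port protocol"), the 10.0.0.0/8 internal range and every address and timestamp are constructed for the example.

```python
"""Detect worm-style SMB (TCP/445) sweeps in connection logs.

Added illustration: the log format, the internal range 10.0.0.0/8 and every
address and timestamp below are constructed, not taken from any real incident.
"""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

SMB_PORT = 445
INTERNAL_NET = ip_network("10.0.0.0/8")  # assumed to be the organization's own range


def _sweep(src, start_ts, targets):
    """Build one record per second from src to each target on TCP/445 (constructed data)."""
    return [f"{start_ts + i} {src} {dst} {SMB_PORT} tcp" for i, dst in enumerate(targets)]


# Constructed sample log, deliberately not in time order.
SAMPLE_LOG = (
    # first-generation worm host sweeps ten neighbours, then two off-net addresses
    _sweep("10.0.5.17", 1494600000, [f"10.0.5.{n}" for n in range(20, 30)])
    + ["1494600010 10.0.5.17 203.0.113.5 445 tcp",
       "1494600011 10.0.5.17 198.51.100.9 445 tcp"]
    # ordinary users: a file server on 445 and a web site on 443
    + ["1494600003 10.0.5.40 10.0.5.2 445 tcp",
       "1494600004 10.0.5.40 93.184.216.34 443 tcp",
       "1494600050 10.0.5.40 10.0.5.2 445 tcp",
       "1494600051 10.0.5.41 10.0.5.2 445 tcp"]
    # a host the first scanner reached starts its own sweep two minutes later
    + _sweep("10.0.5.21", 1494600120, [f"10.0.5.{n}" for n in range(30, 40)] + ["10.0.5.2"])
)


def parse_line(line):
    """Parse one 'ts src dst dport proto' record (an assumed log format)."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": int(ts), "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def find_smb_scanners(lines, window=60, threshold=10):
    """Return {src: info} for every source that reached at least `threshold`
    distinct hosts on TCP/445 within any `window`-second span.

    A user's SMB traffic goes to a handful of fixed servers; a worm touches many
    distinct hosts quickly, so the distinct-destination count is the signal.
    """
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec["proto"] == "tcp" and rec["dport"] == SMB_PORT:
            by_src[rec["src"]].append((rec["ts"], rec["dst"]))

    hits = {}
    for src, flows in by_src.items():
        flows.sort()
        in_window = Counter()  # dst -> number of flows to it inside the sliding window
        left = 0
        for ts, dst in flows:
            in_window[dst] += 1
            while flows[left][0] < ts - window:  # drop flows that fell out of the window
                old = flows[left][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                left += 1
            if len(in_window) >= threshold:
                hits[src] = {
                    "alert_ts": ts,  # when the threshold was first crossed
                    "targets": len({d for _, d in flows}),
                    "off_net_targets": sum(1 for _, d in flows
                                           if ip_address(d) not in INTERNAL_NET),
                }
                break
    return hits


def propagation_chains(lines, scanners):
    """Pair each scanner with hosts it contacted on TCP/445 that later began
    scanning themselves: the hop-by-hop spread of a self-propagating worm."""
    chains = []
    for line in lines:
        rec = parse_line(line)
        src, dst = rec["src"], rec["dst"]
        if (rec["dport"] == SMB_PORT and src in scanners and dst in scanners
                and rec["ts"] < scanners[dst]["alert_ts"]
                and (src, dst) not in chains):
            chains.append((src, dst))
    return chains


def main():
    hits = find_smb_scanners(SAMPLE_LOG)
    for src, info in sorted(hits.items()):
        print(f"{src}: alert at {info['alert_ts']}, {info['targets']} targets, "
              f"{info['off_net_targets']} outside {INTERNAL_NET}")
    for parent, child in propagation_chains(SAMPLE_LOG, hits):
        print(f"{parent} reached {child} before {child} started scanning")


if __name__ == "__main__":
    main()
```

On the constructed log the two sweeping hosts are flagged and the ordinary users are not, and the chain output shows that the first scanner reached 10.0.5.21 before that machine began its own sweep. Connections to port 445 on addresses outside the organization's own range are reported separately because legitimate file sharing stays on the internal network, so that count is a second indicator of the Internet-wide scanning the article describes.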

Choi also cited an accidental communication he had last year with a hacker traced to a North Korean Internet address who admitted development of ransomware.

“We have underestimated North Korea so far that since North Korea is poor, it wouldn’t have any technologies. But North Korea has been preparing cyber skills for more than 10 years and its skill is significant. We should never underestimate it,” Choi said.

James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said U.S. investigators are collecting forensic information — such as Internet addresses, samples of malware or information the culprits might have inadvertently left on computers — that could be matched with the handiwork of known hackers.

AP/ANDY WONG: A man surfs the Internet on his laptop in a Beijing cafe. Security researchers say China’s fondness for pirated software left it especially vulnerable to the latest global cyberattack.
