The U.S. government on Dec. 19 officially pointed the finger at the North Korean government as being responsible for the WannaCry ransomware attacks that first appeared in May.
In a press conference at the White House, Homeland Security adviser Tom Bossert (pictured) laid out the government’s case against North Korea regarding the WannaCry attacks. Bossert also answered questions about the role and responsibility the U.S. government had in enabling WannaCry, as the root vulnerability known as EternalBlue was originally found by the U.S. National Security Agency (NSA).
“We took a lot of time to look through classified, sensitive information,” he said during the press conference.
The U.S. government looked at operational tradecraft, tools and infrastructure, and put all the information together to provide concrete evidence that North Korea was responsible for WannaCry, according to Bossert.
“As we move forward and attribution becomes part of our accountability pillar, we can’t do it wrong and we can’t rush it,” he said.
The WannaCry attack first impacted organizations around the world on May 12, exploiting a vulnerability in Microsoft’s Server Message Block (SMB) protocol. The attack could have been more damaging if it wasn’t for security researcher Marcus Hutchins, who discovered a “kill switch” within the malware. Hutchins has since been arrested on unrelated charges for alleged involvement in the development of the Kronos malware botnet.
“We had a programmer that was sophisticated that noticed a glitch in the malware, a kill switch, then acted to kill it,” Bossert said in a response to a media question about Hutchins. “He took a risk, it worked, and it caused a lot of benefit.”
With ransomware, data is encrypted by the malware and then held for a ransom, which the victim needs to pay to gain access to the data again. With WannaCry, North Korea wasn’t really interested in making money, according to Bossert.
“We don’t know how much money they raised, but they didn’t architect it [WannaCry] in the way that a smart ransomware architect would do so,” he said. “This was a reckless attack, and it was meant to cause havoc and destruction—the money was an ancillary side benefit.”
As to why it was important to the U.S. government to publicly identify North Korea as the source of WannaCry, Bossert said it’s all about simple culpability.
“We have determined who is behind the attack, and we’re saying it,” he said. “All I’ve learned about cyber-security I learned in kindergarten: We’re going to hold them accountable, we’re going to say it, and we’re going to shame them for it.”
Vulnerabilities
During the press conference, Bossert was asked about the United States’ role with the core exploit, known as EternalBlue, that was used as part of WannaCry. The EternalBlue exploit was allegedly created by the NSA-linked Equation Group and then stolen by the Shadow Brokers hacking group.
Bossert said when the U.S. government finds a software vulnerability, it generally tells the software vendor so it can patch the vulnerability. However, the government does not disclose all vulnerabilities, he said, with approximately 10 percent withheld for national security purposes.
“Those vulnerabilities that we do keep, we keep for very specific purposes so we can increase our national security,” Bossert said. “I think they are used carefully, and we need to protect them in such a way that we do not leak them out.”
Working to Prevent the Next WannaCry
Aside from attributing the WannaCry attack to North Korea, the U.S. government used the press conference to praise the cyber-security industry in the United States for helping to limit attacks. To help prevent the next such attack, the government is hoping to further expand partnership and collaboration efforts with private industries.
“Attackers have to only be right once; defenders have to be right all the time,” Jeanette Manfra, assistant Homeland Security secretary for Cyber-Security and Communications, said.
Manfra said she disagrees with the notion that attackers have the advantage, noting that steps can be taken to make the cyber-ecosystem safer. It’s imperative to give the advantage to defenders, rather than attackers, she said.
“Our adversaries are not distinguishing between public and private, so neither should we,” Manfra said. “Government and industry must work together now more than ever if we are serious about improving our collective defense.”
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.