The WannaCry cyberattack: What the evidence says and why the Trump administration blames North Korea

by GREGORY ELICH

Photo: Blogtrepreneur / CC BY 2.0

On December 19, in a Wall Street Journal editorial that drew much attention, Homeland Security Advisor Tom Bossert asserted that North Korea was “directly responsible” for the WannaCry cyberattack that struck more than 300,000 computers worldwide. The virus encrypted files on infected computers and demanded payment in return for supposedly providing a decryption key to allow users to regain access to locked files. Bossert charged that North Korea was “using cyberattacks to fund its reckless behavior and cause disruption across the world.” [1]

At a press conference on the same day, Bossert announced that the attribution was made “with evidence,” and that WannaCry “was directed by the government of North Korea,” and carried out by “actors on their behalf, intermediaries.” [2] The evidence that led the U.S. to that conclusion? Bossert was not saying, perhaps recalling the ridicule that greeted the FBI and Department of Homeland Security’s misbegotten report on the hacking of the Democratic National Committee.

The centerpiece of the claim of North Korean culpability is the similarity in code between the Contopee malware, which opens backdoor access to an infected computer, and code in an early variant of WannaCry. [3]
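Code similarity of the kind cited as the centerpiece of the attribution is normally measured by comparing the sets of short byte or opcode sequences two samples share. The Python below is an added illustration and is not code from the article or from any of the researchers it cites; the two "samples" are constructed byte strings (a routine both contain plus a block unique to each), not real malware. It shows how a single shared routine inflates a raw similarity score, and how the score collapses once code already known to be common (a shared library, a public toolkit) is excluded, which is why a shared code fragment on its own is weak evidence of a common author.

```python
from typing import Iterable, Set

# Constructed sample material (not real malware bytes). Byte values are chosen
# from disjoint ranges so that n-grams only coincide where content really is shared.
SHARED_ROUTINE = bytes(range(0x00, 0x30))   # 48 bytes present in both samples
UNIQUE_A = bytes(range(0x40, 0x60))         # 32 bytes found only in sample A
UNIQUE_B = bytes(range(0x80, 0xA0))         # 32 bytes found only in sample B
SAMPLE_A = UNIQUE_A + SHARED_ROUTINE
SAMPLE_B = UNIQUE_B + SHARED_ROUTINE


def ngrams(data: bytes, n: int = 4) -> Set[bytes]:
    """Set of all overlapping n-byte windows in `data`."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: Set[bytes], b: Set[bytes]) -> float:
    """Jaccard index |a & b| / |a | b|; two empty sets count as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similarity(sample_a: bytes, sample_b: bytes, n: int = 4,
               exclude: Iterable[bytes] = ()) -> float:
    """Jaccard similarity of the two samples' n-gram sets, after removing every
    n-gram that also occurs in any blob passed via `exclude` (code known to be
    shared widely, so it should not count as evidence of common authorship)."""
    drop: Set[bytes] = set()
    for blob in exclude:
        drop |= ngrams(blob, n)
    return jaccard(ngrams(sample_a, n) - drop, ngrams(sample_b, n) - drop)


def raw_score() -> float:
    # Naive comparison: the 45 n-grams inside the shared routine dominate.
    return similarity(SAMPLE_A, SAMPLE_B)


def filtered_score() -> float:
    # Same comparison with the known-shared routine excluded: nothing is left in common.
    return similarity(SAMPLE_A, SAMPLE_B, exclude=[SHARED_ROUTINE])


if __name__ == "__main__":
    print(f"raw similarity:      {raw_score():.3f}")
    print(f"filtered similarity: {filtered_score():.3f}")
```

With these constructed inputs the raw score is about 0.41 (45 shared 4-grams out of 109 distinct ones), while the filtered score is 0.0: everything the two samples had in common was the one routine. In practice analysts apply the same idea with function-level hashes and large corpora of known library code, and a match that survives that filtering still only says the same code was reused, not who reused it.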

Contopee has been linked to the Lazarus group, a cybercrime organization that some believe launched the Sony hack, based on the software tools used in that attack. Since North Korea is widely considered to be behind the cyberattack on Sony, at first glance that would appear to seal the argument.

It is a logical argument, but is it founded on valid premises? Little is known about Lazarus, aside from the operations that are attributed to it. The link between Lazarus and North Korea is a hypothesis based on limited evidence. It may or may not be true, but the apparent linkage is far weaker than mainstream media’s conviction would have one believe. Lazarus appears to be an independent organization possibly based in China, which North Korea may or may not have contracted to perform certain operations. That does not necessarily mean that every action – or even any action at all – Lazarus performs is at North Korea’s behest.

In Bossert’s mind as well as that of media reporters, Lazarus – the intermediaries Bossert refers to – and North Korea are synonymous when it comes to cyber operations. North Korea gives the orders and Lazarus carries them out. James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, notes that “speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing. Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat (APT); in fact, an abundance of evidence suggests that the Lazarus group may be a sophisticated, well-resourced, and expansive cyber-criminal and occasional cyber-mercenary collective.” Furthermore, Scott adds, the evidence used to tie Lazarus to North Korea, “such as an IP hop or some language indicators, are circumstantial and could even be intentional false flags” to misdirect investigators. [4]

Whether an association exists or not between Lazarus and North Korea has little meaning regarding a specific attack. Joseph Carson of Thycotic emphasizes “that it is important to be clear that [Lazarus] is a group and motives can change depending on who is paying. I have found when researching hacking groups they can one day be working for one government under one alias and another using a different alias. This means that association in cyberspace means nothing.” [5]

Counterpunch for more
