Published On:Wednesday, May 17, 2017
Posted by CDS

Clues Suggest, North Korean Link To Attack With Ransomware

White House homeland security adviser Thomas Bossert said “the best and the brightest are working on” tracking who was behind the ransomware cyberattack.
WASHINGTON: Security researchers have found digital clues in the malware used in last weekend’s global ransomware attack that might indicate North Korea is involved, although they caution the evidence is not conclusive.
An early version of the ‘‘WannaCry’’ ransomware that affected more than 150 countries and major businesses and organizations shares a portion of its code with a tool from a hacker group known as Lazarus, which researchers think is linked to the North Korean government.
‘‘This implies there is a common source for that code, which could mean that North Korean actors wrote ‘WannaCry’ or they both used the same third-party code,’’ said John Bambenek, threat research manager at Fidelis Cybersecurity.
White House homeland security adviser Thomas Bossert said Monday that investigators were still working to determine who was behind the attack, which infects computers with a virus that encrypted data and is accompanied by a demand that victims pay a ransom to decrypt it.
‘‘That’s the attribution that we’re after right now,’’ he said at a White House briefing. ‘‘It will be very satisfying for me and for all of our viewers, I think, that if we find them that we bring them to justice. . . . The best and the brightest are working on that.’’
Several security researchers studying ‘‘WannaCry’’ on Monday found evidence of possible connections to the crippling hack on Sony Pictures Entertainment in 2014 attributed by the US government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.
A Google security researcher tweeted a small bit of computer code Monday afternoon that highlighted similarities between that attack and an earlier version of ‘‘WannaCry.’’ The attack was first reported Friday and has hobbled hundreds of thousands of computers by encrypting data on the machines. The hackers offer to unlock the data for bitcoin payments of $300.
Software company Symantec, maker of popular security software, published a blog post also pointing to the possible connections, writing, ‘‘While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation.’’
Kaspersky Lab, a Russian cybersecurity firm, also pointed to similar links, writing, ‘‘We believe this might hold the key to solve some of the mysteries around this attack.’’
However, Bambenek cautioned that the links are circumstantial. ‘‘It could be a freak coincidence,’’ he said. ‘‘The code in question is not a large portion of the overall Wannacry malware so it’s plausible that the attackers got it from somewhere else.’’
The irony, he noted, is that the ransomware attack was enabled by a leak of National Security Agency hacking tools. ‘‘The similar could be true here — that this stuff leaked out from North Korea, but it just hasn’t been found yet,’’ he said.
The spread of the WannaCry virus has slowed as new cyberdefenses have been put in place, but the malware still found its way into hundreds of thousands more computers while businesses and governments assessed the damage and planned their next moves.
Some eight to 10 U.S. entities, including a few in the health-care sector, reported possible “WannaCry” infections to the Department of Homeland Security, a US official said. But none reported that they had data encrypted or that they suffered significant disruptions.
Bossert said Monday that the situation was ‘‘under control’’ at the moment in the United States.
‘‘We are continuing to monitor the situation around clock . . . bringing all the capabilities of the US government to bear,’’ he said, adding that as of Monday, no federal systems were affected.
While factories, hospitals, and schools were disrupted in China by the attack, the spread of the virus appeared to be slowing. State media said 29,000 institutions had been hit, along with hundreds of thousands of devices.
South Korea reported that just five companies were affected, including the country’s largest movie chain. In response, the Korea Internet and Security Agency in Seoul raised its warning level to 3, or ‘‘cautious,’’ on a scale of 1 to 5.
In the South Korean city of Asan, an electronic panel meant to show bus arrival times instead displayed a message demanding bitcoin payment. The CGV movie chain, South Korea’s largest, said that about 50 of its theater complexes were attacked by the ransomware but that films were still running as scheduled.
Researchers discovered a ‘‘kill switch’’ on the virus that stopped its spread from computer to computer, potentially saving tens of thousands of machines from further infection. There were fears, however, that new versions of the worm, without this vulnerability, could eventually be released.
The worm took advantage of a vulnerability in Microsoft’s Windows operating system. Although the flaw has been patched by the company, not all users had applied the update.
The vulnerability exploited by the ransomware is believed to have been first identified by the NSA and later leaked online.
The ransomware program, which is spread through e-mail, encrypts computer files and then demands the bitcoin equivalent $300 to unlock them.
The attack hobbled operations at Russia’s Interior Ministry, Spanish telecommunications giant Telefónica, and Britain’s National Health Service.
Speaking at a news conference after an economic conference in China, Russian President Vladimir Putin told journalists that Russia ‘‘had nothing to do’’ with the “WannaCry” virus.
‘‘With regard to the source of these threats, then I believe that Microsoft has spoken directly about this,’’ Putin said. ‘‘They said that the first sources of this virus were the United States intelligence agencies. Russia has absolutely nothing to do with this.’’
(By Ellen Nakashima, Craig Timberg and Brian Murph)

About the Author

Posted by CDS on May 17, 2017. Filed under . You can follow any responses to this entry through the RSS 2.0. Feel free to leave a response

By CDS on May 17, 2017. Filed under . Follow any responses to the RSS 2.0. Leave a response

0 comments for "Clues Suggest, North Korean Link To Attack With Ransomware"

Leave a reply

Popular Posts