WannaCry Ransomware Shares Code With North Korean Malware, Says Researchers

New submitter unarmed8 quotes a report from CyberScoop: The ransomware known as WannaCry that spread rapidly to 300,000 machines in 150 countries over the past few days shares code with malware written by a group of North Korean hackers known as the Lazarus Group. While the shared code is important, experts warned that it's far from proof about who created and launched the ransomware attacks. Neel Mehta, a security researcher at Google, first pointed out the shared code on Monday on Twitter. The link was quickly echoed by numerous other experts. "From a technical point of view those two functions and their references are identical," said Matt Suiche, founder of United Arab Emirates-based cybersecurity firm Comaeio. "From an attribution point of view a ransomware would subscribe to the narrative of Lazarus Group, which is stealing money like we saw with multiple financial institutions with fraudulent SWIFT transactions -- having a nation-state powered ransomware leveraging crypto currency would be a first."

I thought this ransomware came from NSA

[mea2214]

Now it comes from North Korea? Who wrote this movie? It makes no sense.

Re:I thought this ransomware came from NSA

[AHuxley]

The CIA and NSA can ensure that the code the US uses can hide its origins around the world.
The code litter later found by experts, the staging server ip range, time zone, language will point to a list of nations.
"Latest WikiLeaks dump exposes CIA methods to mask malware" (Mar 31, 2017)
http://www.pcworld.com/article...
Marble Framework, "... anti-forensic tools support other languages such as Chinese, Russian, Korean, Arabic and Farsi. “This would permit a forensic attribution double game,”"
So a lot of code exists on file that is full of code litter that must be from different nations.

Re:I thought this ransomware came from NSA

[Excelcia]

The NSA wrote the attack vector code. That is, by all accounts, high quality code. The other code, the stuff that takes the attack vector and glues it into a worm and ransomeware encryptor, that was written by what is alleged now to be North Koreans.

It's akin to someone stealing a nuclear warhead from the United States and then gluing it to a 1970 volkswagen bug with a simple radio control steering mechanism.

the propaganda narrative needs work.

[nimbius]

Either North Korea is an impoverished dictatorship that could never, ever launch a successful ICBM and routinely runs out of energy and food, or its an underground powerhouse releasing some of the deadliest malware to date and rivals the US and Russia in technical prowess.

Theres also the unresolved dependency that this exploit came from the NSA. Nice try.

Re:the propaganda narrative needs work.

[ScentCone]

Yeah, that explains why they never patched this. Oh, I mean, other than when they did, a couple months ago. And why they still recommend that people use old stuff, like XP. I mean, other than telling them not to for years now.

Re:the propaganda narrative needs work.

[xlsior]

Theres also the unresolved dependency that this exploit came from the NSA. Nice try.

That's not mutually exclusive.

The exploit for the security hole that it uses to spread presumably came from the leaked NSA code, but that doesn't mean that the rest of the virus did. Theoretically anyone could have bolted the exploit code as an attack vector onto their existing program/virus framework, which means that the final product -could- have a lot in commmon with other malware that's been seen before.

Re:the propaganda narrative needs work.

[Rei]

It's weird how people generally give North Korea either too much or too little credit, often at the same time.

First off, North Korea is not at present starving its people. The North Korean economy has been growing at a rather good clip. They're trying to make Pyongyang into a model city with a lot of impressive architecture projects. While they're generally rushed and substandard construction, they're visually quite impressive (the DPRK actually has some good architects and artists - one of their biggest sources of foreign currency is giant statues built for African dictators - I kid you not). There's now nearly 3 million cell phones in the DPRK. They can't connect out of the country, but the country is modernizing (while still trying - and progressively getting worse at - keeping its people isolated). DVD and Blu-Ray players are not that rare, particularly in cities, and the government is increasingly giving up on trying to stop media smuggled in from China. They don't mind US and European movies / TV sneaking in that much anymore, but South Korean media still bugs them a lot (because their propaganda tries to portray the South as impoverished and oppressed by the US, a country that they need to "save").

DPRK military technology, including missile technology, is a piecemeal mix of foreign tech (either imported legitimately, or acquired illegally and smuggled) and legitimate homegrown engineering. Some of their solutions are rather "hacks", but they work. For example, one of their missiles that kept flying out of control... later pictures of it showed a ton of big grid fins on the back, making it like a shuttlecock. Then it worked. Sure, that's added drag and it's going to make it light up radar screens like a Christmas tree, but they want to advance their technology as fast as possible. They're following a natural rocketry progression. Their latest rockets, for example, appear to now use a common bulkhead approach to reduce mass rather than two separate tanks. They're working with better materials. Their Q&A and local manufacturing quality is low. But it'll get the job done. They expect failures. When they shelled Yeonpyeong, only half of the shells even hit the island, a quarter of those that hit it didn't explode, and most of their shots were aimed based on obsolete maps, or just aimed poorly. But they simply put out enough firepower to overcome that. And that's undoubtedly going to be the same strategy that they pursue with missiles - "so what if a lot of them explode on the pad, in the air, go way off course.... we'll just make enough that some of them will get through."

You know, in a way, the DPRK is sort playing a high-stakes game of Kerbal Space Program.

Re:the propaganda narrative needs work.

[Fire_Wraith]

It's entirely believable that the country is impoverished, starving, short on energy and food, and at the same time is developing nukes, icbms, and has a cyber hacking unit. This is the sort of thing that's possible when you have a totalitarian dictatorship that decides the latter things are more important than the former. What do you expect the average North Korean to do about it? Protest or complain, so they can get themselves and three generations of their family thrown into a permanent prison camp?
(Citation: http://www.cbsnews.com/news/no... )

The elites live well, mostly in the capital city of Pyongyang, but the rest of the country is in terrible shape, because the resources and money that might otherwise be used to help alleviate those terrible conditions instead goes to weapons, missiles, nukes, etc. This is why the only lights in North Korea at night are pretty much the ones in Pyongyang, as seen here: http://news.nationalgeographic...

Re:the propaganda narrative needs work.

[dj245]

Their Q&A and local manufacturing quality is low. But it'll get the job done. They expect failures. When they shelled Yeonpyeong, only half of the shells even hit the island, a quarter of those that hit it didn't explode, and most of their shots were aimed based on obsolete maps, or just aimed poorly. But they simply put out enough firepower to overcome that. And that's undoubtedly going to be the same strategy that they pursue with missiles - "so what if a lot of them explode on the pad, in the air, go way off course.... we'll just make enough that some of them will get through."

You know, in a way, the DPRK is sort playing a high-stakes game of Kerbal Space Program.

Rocket science isn't easy, and they are certainly handicapped by being embargoed both in information and physical goods. The assumption that their manufacturing quality is low may not be correct. I was surprised to find on my trip to the DPRK in 2014 that several of the factories that we visited, including a foundry, were ISO 9001 certified. Anybody will tell you that ISO 9001 certification is no guarantee of quality, but the tools of high quality manufacturing (CAD, computer design and simulation, CNC, management systems) are widely available and there is no reason to believe that the DPRK wouldn't use them. Casting and forging Inconel isn't particularly difficult, any material engineer with the right books can work it out. You can even get Inconel powder and make parts with additive machining [3d printing] without much fuss.

Except that the Lazarus group isn't North Koreans

[thisisauniqueid]

Except that the Lazarus group isn't North Koreans, it's a group of South Koreans who are amused by the media giving the credit to North Korea.

Re:Usually I'm a pacifist.....

[Rei]

you need to disable their military capability otherwise millions of innocent people will die.

In a worst case situation only, and overwhelmingly on the DPRK side.

Contrary to hype (which the media loves, and does before every major conflict), the DPRK does not have the ability to flatten Seoul. For example, you've apparently seen the meme that takes estimates of the total number of artillery pieces the DPRK has, multiplies by how fast an artillery piece can fire, multiplies by an hour or more, pretends that cities go down under artillery fire faster than they actually do, and then arrives at "Seoul leveled, millions dead".

In practice, the DPRK only has 400-500 artillery pieces that can actually hit Seoul - the "Koksan" family - and some long-range MLRS systems. The Koksans are lumbering, awkward, slow-firing systems. MLRS systems take even longer to reload. Even if you discount the terrible reliability of DPRK hardware, they can't just sit there and fire. Because unlike the DPRK, the ROK has counter-battery radar and a high level of accuracy. You have to move after firing, or you only get 1-2 shots off. And unless you're shooting at the enemy's forces, you're inviting them to overrun you. Furthermore, only a minority of long-range systems are near Seoul - they have a whole DMZ to defend/threaten. And beyond that, only a fraction of their artillery is at the DMZ.

With the Yeonpyeong attack they fired about 10 tonnes of artillery at the island, killing four and injuring 19. The DPRK might be able to get 20-30 times that launched at Seoul in a first wave. So multiply. Now, they do benefit from higher population densities in what they're firing at. On the other hand, working against that:

1) The target density isn't as extreme as you might picture. The vast majority the area of even the most populous districts are roads, greenery, water, and single family houses.
2) They're having to shoot from much further than when they shot at Yeonpyeong, with less accurate systems. That was pre-planned and with their best troops, not whatever arbitrary troops and hardware happen to be firing.
3) If this was in response to a US bombing, the ROK would know about it in advance, and you would expect people to be in the shelters (the ROK uses the Seoul subway system as a shelter).
4) Cities just don't go down that fast under artillery fire. Even sustained (aka, no need to move) fire. Look at Grozny, or Homs, or any other example in modern warfare, and the months to years it took to flatten districts of them.

The DPRK certainly could also use CBW, but in terms of scale of destruction vs. how much effort has to go into them, they're not very efficient. They mainly function as terror weapons. The exception is contageous biowarfare, but there's no evidence that the DPRK has been developing it (it's believed they've weaponized anthrax, however); contageous biowarfare would likely blowback and hit them harder than the ROK, as the ROK has a much better communications and medical system.

Now, talking about Seoul alone is unfair - there's also varying suburbs / border towns; Paju, the largest, is over 400k people and 10km from the nearest point on the DMZ. But the suburbs and border towns just don't have the population or population density or total population of Seoul, and you're talking "millions"; you need to literally do the media hyperbole of "flattening Seoul" to get those numbers. DPRK artillery is scattered across the whole DMZ, most of which is unpopulated. And most of it is ancient (even more obsolete than Saddam's hardware was in GW1), and it's questionable how well it all works. The DPRK prefers to build new hardware while not scrapping old hardware to boost their numbers game, rather than scrapping old systems and replacing them.

Now, that's the artillery threat. The ballistic threat is a different beast. But it has its own problems.

1) Their missiles have historically been highly unreliable. One model last I checked had an 88% f

Re: Mongers gonna monger...

[GLMDesigns]

Really? Don't you think that Hillary would have played just well with the Russians? All Putin would have to do is put a few dollars in the Clinton Foundation and bingo.

There is no evidence of a hack or of any collusion between Trump and Russia - especially collusion that would be counter to US interests.

Ooo. An international company (Exxon-Mobil) had business dealings with Russia. Wow. Proof of collusion. Yeah Right.
Ooo. An international real estate company had business negotiations with Russians. Wow. Lock them the f**k up.

Keep this stuff up guys and you'll see the end of the Democratic Party.