In Computer Attacks, Clues Point To Frequent Culprit: North Korea
- May 15th, 2017
SAN FRANCISCO — Intelligence officials and private security experts say that new digital clues point to North Korean-linked hackers as likely suspects in the sweeping ransomware attacks that have crippled computer systems around the world.
The indicators are far from conclusive, the researchers warned, and it could be weeks, if not months, before investigators are confident enough in their findings to officially point the finger at Pyongyang’s increasingly bold corps of digital hackers. The attackers based their weapon on vulnerabilities that were stolen from the National Security Agency and published last month.
Security experts at Symantec, which in the past has accurately identified attacks mounted by the United States, Israel and North Korea, found early versions of the ransomware, called WannaCry, that used tools that were also deployed against Sony Pictures Entertainment, a Bangladesh Central Bank last year and a Polish bank in February. American officials said on Monday they have seen the same similarities.
All of those attacks were ultimately linked to North Korea; President Barack Obama formally charged the North in late 2014 with destroying computers at Sony in retaliation for a comedy, “The Interview,” that envisioned a C.I.A. plot to kill Kim Jong-un, the country’s president.
The computer code used in the ransomware bore some striking similarities to the code used in those three attacks. That code has not been widely used, and has been seen only in attacks by North Korean-linked hackers. Researchers at Google and Kaspersky, a Moscow-based cybersecurity firm, confirmed the coding similarities.
“At this time, all we have is a temporal link,” said Eric Chien, an investigator at Symantec who was among the first to identify the Stuxnet worm, the American- and Israeli-led attacks on Iran’s nuclear program, and North Korea’s effort to steal millions from the Bangladeshi bank. “We want to see more coding similarities,” he said, “to give us more confidence.”
The new leads about the source of the attacks came as technology executives raised an alarm about another feature of the attacks: they were based on vulnerabilities in Microsoft systems that were found by the N.S.A. and apparently stolen from it.
In a blog post on Microsoft’s website over the weekend, Brad Smith, the company’s president, asked what would happen if the United States military lost control of “some of its Tomahawk missiles” and discovered that a criminal group was using them to threaten a damaging strike. It was a potent analogy, and an unusually public airing of the newest split in the Silicon Valley-Washington divide.
The N.S.A.’s tools were published last month by a hacking group calling itself The Shadow Brokers. Their release enabled hackers to bake the tools into ransomware, which then spread rapidly through unpatched Microsoft computers, locking up everything in its wake.
There is no evidence that the North Koreans were involved in the actual theft of the N.S.A. hacking tools. There are many theories, but the favorite hypothesis among intelligence officials is that an insider, probably a contractor, stole the information, much as Edward J. Snowden lifted a different trove of information from the N.S.A. four years ago.
“The provenance of the underlying vulnerability is not of as much concern to me,” Mr. Bossert said, stepping around the delicate question of the N.S.A.’s role.
Another round of attacks using the N.S.A. tools could well affect another big issue that the Obama administration debated and never resolved when it left office: whether the government can demand that all companies assure that investigators can “unlock” encrypted communications. Before he was fired last week, James B. Comey, the F.B.I. director, often complained that the government was “going dark,” and that intelligence agencies and local police needed a way to crack the encrypted mobile conversations of terrorists or kidnappers.
That process was refined by Mr. Obama and in 2015, Adm. Michael Rogers, the director of the N.S.A., said the agency had shared 91 percent of the zero-days it had discovered that year. A zero-day is a previously undisclosed flaw that leaves computer users with zero days to fix the vulnerability.
But, Michael Daniel, the White House cybercoordinator in the Obama administration, noted, “We still don’t have a good rating system for vulnerabilities in terms of their severity. Not all zero-days are created equal,” he said.
“What happened with the Shadow Brokers in this case is equivalent to a nuclear bomb in cyberspace,” said Zohar Pinhasi, a former cybersecurity intelligence officer for the Israeli military, now the chief executive of MonsterCloud, which helps mitigate ransomware attacks. “This is what happens when you give a tiny little criminal a weapon of mass destruction. This will only go bigger. It’s only the tip of the iceberg.”