White House Homeland Security Adviser Tom Bossert speaks during a briefing blaming North Korea for a ransomware attack that infected hundreds of thousands of computers worldwide in May and crippled parts of Britain's National Health Service, at the White House, Tuesday, Dec. 19, 2017, in Washington. (Photo: AP/Evan Vucci)

The North Korean government was behind the massive ransomware cyberattack that affected hundreds of thousands across the globe earlier this year, U.S. officials announced this week, stating that the Trump administration, international allies and corporate partners will work to defend against ongoing threats and hold perpetrators of cybercrime accountable.

Homeland Security Advisor Thomas P. Bossert announced the attribution during a press briefing at the White House Tuesday, after publishing an op-ed in The Wall Street Journal on Monday revealing that Microsoft had traced the attack, which occurred in May, to the North Korean government. (A vulnerability in Microsoft systems known as EternalBlue enabled the malware to spread quickly in unpatched machines.)

“We do not make this allegation lightly. We do so with evidence, and we do so with partners,” Bossert said during the press briefing.

Bossert added that five other nations—the United Kingdom, Australia, Canada, New Zealand and Japan—agreed that the North Korean government was behind these attacks. In total, the ransomware affected over 150 countries, having an enormous impact on businesses as well as schools and hospitals, including the U.K.’s National Health Service.

Although he said he could not share some details about how experts traced the attack, Bossert told reporters that the investigation relied on “technical links to previously identified North Korean cyber tools, tradecraft (and) operation infrastructure.”

“It’s hard to find the smoking gun, but what we’ve done here is combined a series of behaviors,” he explained. “We’ve got analysts all over the world, but also deep and experienced analysts within our intelligence community that looked at not only the operational infrastructure, but also the tradecraft and the routine and the behaviors that we’ve seen demonstrated in past attacks. And so you have to apply some gumshoe work here, not just some code analysis.”

Bossert also said that major technology companies, including Microsoft and Facebook, have been working as recently as last week to disrupt known North Korean cyber operations targeting the U.S. and other countries. This included shutting down the accounts of hackers and patching additional targeted exploits.

In his op-ed, he stated that President Donald Trump’s administration has already taken action to increase cyber defenses and vowed that North Korea, and anyone who aids them, will be held accountable. He touted the current administration’s sanctions on Russian hackers, removal of Russian Kaspersky software from all government computers and transparency in sharing known software vulnerabilities with developers as examples of the administration’s dedication to cybersecurity. He also urged cooperation.

“Stopping malicious behavior like this starts with accountability. It also requires governments and businesses to cooperate to mitigate cyber risk and increase the cost to hackers,” he wrote. “The U.S. must lead this effort, rallying allies and responsible tech companies throughout the free world to increase the security and resilience of the internet.”

North Korea’s role in the attack was questioned early on, with speculation in the weeks after the attack leading North Korean deputy U.N. ambassador Kim In Ryong to publicly deny the allegations in a mid-May news conference, according to the Associated Press. Cybersecurity experts told the AP at the time that a ransomware attack was unusual for North Korea, with Michael Madden of the Johns Hopkins School of Advanced International Studies, founder of North Korea Leadership Watch, saying, “This type of ransomware/jailbreak attack is not at all part of the M.O. of the DPRK’s cyberwar units.”

Amanda Rousseau, a malware researcher at cybersecurity company Endgame, studied the code of the ransomware earlier this year and described it in an interview with Forensic Magazine: “You could tell the ransomware itself is really basic code (…) When you look at the (EternalBlue) exploit, it looks like a completely different author—like they just shoved that in there. So it’s kind of like two packages merged together to create this highly, highly mobile ransomware.”
