
Australia, Canada, Others Blame North Korea for WannaCry Attack

The United States is not the only country to officially accuse North Korea this week of being behind the WannaCry ransomware campaign. Canada, Japan, Australia and New Zealand have also blamed Pyongyang for the attack.

The U.K. accused North Korea in late October, and the other Five Eyes countries and Japan have now done the same.

“We are aware of the statements made by our allies and partners concerning the role of actors in North Korea in the development of the malware known as WannaCry,” said Greta Bossenmaier, chief of Canada’s Communications Security Establishment (CSE). “This assessment is consistent with our analysis.”

Australia said its own intelligence agencies reached the same conclusion after consultations with allies. New Zealand attributed the WannaCry attack to North Korean threat actors based on “cyber threat analysis from a range of sources, including the United States and the United Kingdom.”

The WannaCry ransomware was unleashed in May and it infected roughly 300,000 computers across 150 countries. The malware spread using exploits developed by the Equation Group, an actor linked to the U.S. National Security Agency (NSA).

North Korea in October denied the accusations, claiming that they were a “wicked attempt” to further tighten international sanctions. Furthermore, not everyone believes North Korea is responsible. Endpoint security firm Cybereason said in May that the attack did not fit Pyongyang’s style and interests, and the company stands by its initial assessment.

Nevertheless, the United States is convinced that the WannaCry attack is the work of North Korea, which is believed to be responsible for several recent profit-driven campaigns. “We do not make this allegation lightly,” said White House homeland security advisor Tom Bossert. “We do so with evidence, and we do so with partners.”

One of those partners is Microsoft, which concluded that the North Korea-linked threat actor known as Lazarus – the company tracks it as ZINC – was responsible for the ransomware attack.

“Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection. We took this action after consultation with several governments, but made the decision independently,” said Brad Smith, president and chief legal officer at Microsoft.

“We are pleased to see these governments making this strong statement of attribution. If the rising tide of nation-state attacks on civilians is to be stopped, governments must be prepared to call out the countries that launch them,” Smith said.

Facebook also had a role in disrupting the activities of the Lazarus group, but pointed out that its actions were not focused on the WannaCry malware itself.

“In this case, we deleted accounts operated by this group to make it harder for them to conduct their activities. Similar to other threat groups, they largely used personal profiles and pretended to be other people in order to do things like learning about others and building relationships with potential targets,” the social media giant stated.

“We also notified people who may have been in contact with these accounts and gave suggestions to enhance their account security, as we have done in the past about other threat groups,” it added.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.