WannaCry Ransomware Shares Code With North Korean Malware, Say Researchers (cyberscoop.com)
New submitter unarmed8 quotes a report from CyberScoop: The ransomware known as WannaCry that spread rapidly to 300,000 machines in 150 countries over the past few days shares code with malware written by a group of North Korean hackers known as the Lazarus Group. While the shared code is important, experts warned that it's far from proof about who created and launched the ransomware attacks. Neel Mehta, a security researcher at Google, first pointed out the shared code on Monday on Twitter. The link was quickly echoed by numerous other experts. "From a technical point of view those two functions and their references are identical," said Matt Suiche, founder of United Arab Emirates-based cybersecurity firm Comaeio. "From an attribution point of view a ransomware would subscribe to the narrative of Lazarus Group, which is stealing money like we saw with multiple financial institutions with fraudulent SWIFT transactions -- having a nation-state powered ransomware leveraging crypto currency would be a first."
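The "those two functions and their references are identical" claim above is a byte-level overlap of the kind a YARA-style wildcard pattern is built to catch. What follows is an added example, not code from the CyberScoop report, from Google, or from any researcher quoted in it: the x86 stub bytes, the sample names and the offsets are constructed fixtures, and the pattern is derived by diffing two builds of the same function so that only the bytes a linker fills in (the call target) become wildcards. A hit tells you the bytes were copied; it says nothing about who did the copying, which is exactly the caveat the summary raises.

```python
"""Function-overlap check: derive a wildcarded hex pattern from two builds of
one function, then scan other samples for it.

All bytes here are CONSTRUCTED for illustration (a generic x86 stub); they are
not taken from WannaCry or from any Lazarus sample.
"""
import re
from typing import Dict, List


def derive_pattern(copy_a: bytes, copy_b: bytes) -> str:
    """Build a YARA-style hex pattern from two copies of the same function.

    Bytes that agree are kept literally; bytes that differ (relocated call
    targets, immediates) become '??' wildcards.  Different lengths mean the
    function was changed or recompiled, and a positional diff is the wrong tool.
    """
    if len(copy_a) != len(copy_b):
        raise ValueError("copies differ in length; not a positional-diff case")
    return " ".join(f"{a:02X}" if a == b else "??" for a, b in zip(copy_a, copy_b))


def hexpattern_to_regex(pattern: str) -> "re.Pattern[bytes]":
    """Translate '55 8B EC E8 ?? ?? ?? ??' into a compiled bytes regex.

    re.DOTALL is needed so a '??' wildcard also matches the byte 0x0A,
    which '.' would otherwise refuse.
    """
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        elif len(tok) == 2:
            parts.append(re.escape(bytes([int(tok, 16)])))
        else:
            raise ValueError(f"bad pattern token {tok!r}")
    return re.compile(b"".join(parts), re.DOTALL)


def find_shared_code(sample: bytes, pattern: str) -> List[int]:
    """Return every offset in `sample` at which the wildcarded function occurs."""
    return [m.start() for m in hexpattern_to_regex(pattern).finditer(sample)]


def overlap_report(samples: Dict[str, bytes], pattern: str) -> Dict[str, List[int]]:
    """Run one pattern over a set of named samples; the hit list is the evidence."""
    return {name: find_shared_code(blob, pattern) for name, blob in samples.items()}


# --- constructed fixtures (hypothetical sample names, not real malware) ------
# push ebp; mov ebp,esp; mov eax,[ebp+8]; push eax; call rel32; add esp,4; pop ebp; ret
_STUB_HEAD = bytes.fromhex("55 8B EC 8B 45 08 50 E8")
_STUB_TAIL = bytes.fromhex("83 C4 04 5D C3")
FUNC_BUILD_1 = _STUB_HEAD + bytes.fromhex("10 20 00 00") + _STUB_TAIL  # call +0x2010
FUNC_BUILD_2 = _STUB_HEAD + bytes.fromhex("80 FF FF FF") + _STUB_TAIL  # call -0x80
FUNC_BUILD_3 = _STUB_HEAD + bytes.fromhex("AA 00 01 00") + _STUB_TAIL  # a third link

SAMPLES = {
    # same function, first build, at offset 32
    "family_a_2016": b"MZ" + b"\x90" * 30 + FUNC_BUILD_1 + b"\xcc" * 8,
    # same function, a build never seen when the pattern was made, at offset 64
    "ransomware_2017": b"MZ" + b"\x00" * 62 + FUNC_BUILD_3 + b"unrelated\x00",
    # a different prologue/epilogue: must not match
    "clean_tool": b"MZ" + b"\x90" * 40 + bytes.fromhex("55 8B EC 33 C0 5D C3") + b"\xcc" * 8,
}

# the pattern is derived from builds 1 and 2 only; build 3 is the "new sample"
SHARED_FUNCTION_PATTERN = derive_pattern(FUNC_BUILD_1, FUNC_BUILD_2)

if __name__ == "__main__":
    print("pattern:", SHARED_FUNCTION_PATTERN)
    for name, hits in overlap_report(SAMPLES, SHARED_FUNCTION_PATTERN).items():
        print(f"{name:16s} {'MATCH at ' + str(hits) if hits else 'no match'}")
```

The same wildcard syntax drops straight into a YARA rule for use at scale. Note what the wildcards do to the evidential weight: the match is on the instruction skeleton, so it survives relinking, but it will fire equally on anyone who pasted that function from a shared source, leaked toolkit or stolen sample.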
Usually I'm a pacifist..... (Score:1)
Usually I'm a pacifist... though in this situation I've reconsidered.
No matter whether it's North Korea, Russia, or whomever.... Whoever is trying the "death by a million cuts" strategy against my country... be warned:
Yamamoto was right. We'll take it for a little while, settle our internal issues, and turn your countries into a mini mall.
You've been warned.
Re: (Score:1)
Wouldn't that be the simplest and default explanation? Anything more conspiratorial would be where the evidence would be required.
Re: (Score:2)
Look at the bright side. Ransomware is malware done right. In the olden days, malware led to botnets that afflicted everyone, and few of the negative consequences were borne by those with the insecure systems causing the problems. But with ransomware, the full cost falls directly into the lap of those doing the least to keep their systems secure, giving them a direct financial incentive to change their ways.
Re: (Score:2)
I doubt these spam emails (one of the attack vectors) are written by people, or on a machine owned by the malware's author. This is usually done by botnets.
Re: (Score:2)
Aww you mad cause we wouldn't let you in? It's ok there's always Canada. They're like our little annoying brother. I'm sure they would have you.
Re: (Score:2)
Right now, while there was a lot of movement initially, I'm not seeing much to suggest imminent US action. The Carl Vinson is there, but no other carriers. The Reagan was just headed out for sea trials, but it's needing to go back for some additional repairs. The Nimitz is still on the west coast. Really for something as complicated as North Korea you'd want at least five carrier strike groups (think GW1), particularly if the ROK doesn't let you launch attacks from their territory (which Moon Jae-in almost
Re: (Score:2)
Also, if the US goal was to be "do a limited strike, but make it clear that if the DPRK attacks the ROK that the consequences for it will become much worse"
That's about the worst idea possible. If you're going to attack North Korea, you need to disable their military capability otherwise millions of innocent people will die.
Re:Usually I'm a pacifist..... (Score:4, Informative)
In a worst case situation only, and overwhelmingly on the DPRK side.
Contrary to hype (which the media loves, and does before every major conflict), the DPRK does not have the ability to flatten Seoul. For example, you've apparently seen the meme that takes estimates of the total number of artillery pieces the DPRK has, multiplies by how fast an artillery piece can fire, multiplies by an hour or more, pretends that cities go down under artillery fire faster than they actually do, and then arrives at "Seoul leveled, millions dead".
In practice, the DPRK only has 400-500 artillery pieces that can actually hit Seoul - the "Koksan" family - and some long-range MLRS systems. The Koksans are lumbering, awkward, slow-firing systems. MLRS systems take even longer to reload. Even if you discount the terrible reliability of DPRK hardware, they can't just sit there and fire. Because unlike the DPRK, the ROK has counter-battery radar and a high level of accuracy. You have to move after firing, or you only get 1-2 shots off. And unless you're shooting at the enemy's forces, you're inviting them to overrun you. Furthermore, only a minority of long-range systems are near Seoul - they have a whole DMZ to defend/threaten. And beyond that, only a fraction of their artillery is at the DMZ.
With the Yeonpyeong attack they fired about 10 tonnes of artillery at the island, killing four and injuring 19. The DPRK might be able to get 20-30 times that launched at Seoul in a first wave. So multiply. Now, they do benefit from higher population densities in what they're firing at. On the other hand, working against that:
1) The target density isn't as extreme as you might picture. The vast majority of the area of even the most populous districts is roads, greenery, water, and single family houses.
2) They're having to shoot from much further than when they shot at Yeonpyeong, with less accurate systems. That was pre-planned and with their best troops, not whatever arbitrary troops and hardware happen to be firing.
3) If this was in response to a US bombing, the ROK would know about it in advance, and you would expect people to be in the shelters (the ROK uses the Seoul subway system as a shelter).
4) Cities just don't go down that fast under artillery fire. Even sustained (aka, no need to move) fire. Look at Grozny, or Homs, or any other example in modern warfare, and the months to years it took to flatten districts of them.
The DPRK certainly could also use CBW, but in terms of scale of destruction vs. how much effort has to go into them, they're not very efficient. They mainly function as terror weapons. The exception is contagious biowarfare, but there's no evidence that the DPRK has been developing it (it's believed they've weaponized anthrax, however); contagious biowarfare would likely blow back and hit them harder than the ROK, as the ROK has a much better communications and medical system.
Now, talking about Seoul alone is unfair - there's also varying suburbs / border towns; Paju, the largest, is over 400k people and 10km from the nearest point on the DMZ. But the suburbs and border towns just don't have the population or population density or total population of Seoul, and you're talking "millions"; you need to literally do the media hyperbole of "flattening Seoul" to get those numbers. DPRK artillery is scattered across the whole DMZ, most of which is unpopulated. And most of it is ancient (even more obsolete than Saddam's hardware was in GW1), and it's questionable how well it all works. The DPRK prefers to build new hardware while not scrapping old hardware to boost their numbers game, rather than scrapping old systems and replacing them.
Now, that's the artillery threat. The ballistic threat is a different beast. But it has its own problems.
1) Their missiles have historically been highly unreliable. One model last I checked had an 88% f
I thought this ransomware came from NSA (Score:5, Insightful)
Re:I thought this ransomware came from NSA (Score:4, Insightful)
The code litter later found by experts, the staging server IP range, time zone and language will point to a list of nations.
"Latest WikiLeaks dump exposes CIA methods to mask malware" (Mar 31, 2017)
http://www.pcworld.com/article... [pcworld.com]
Marble Framework, "... anti-forensic tools support other languages such as Chinese, Russian, Korean, Arabic and Farsi. “This would permit a forensic attribution double game,”"
So a lot of code exists on file that is full of code litter that must be from different nations.
Re: (Score:2)
This.
You and I can grab code -- any code -- and insert a benign, "Kilroy Was Here," at will.
Re: (Score:2)
The NSA wrote the attack vector code. That is, by all accounts, high quality code. The other code, the stuff that takes the attack vector and glues it into a worm and ransomware encryptor, that was written by what is alleged now to be North Koreans.
It's akin to someone stealing a nuclear warhead from the United States and then gluing it to a 1970 volkswagen bug with a simple radio control steering mechanism.
Re: (Score:2)
And you don't need to look at who committed the changes in your repository to necessarily know who did it. Programming tends to have a characteristic style, much like handwritin
Re: (Score:2)
Who wrote this movie? It makes no sense.
Did someone see Adam Sandler work on a script recently?
Re: (Score:2)
Also Trump is really working for the North Koreans. His interest in normalization of ties with Russia is just a diversion.
Re: I thought this ransomware came from NSA (Score:2)
It's a great way to deflect and just shows you how stupid the media thinks the plebes are. The malware was written by the NSA most likely in cooperation with Microsoft and therefore their responsibility.
Re: (Score:2)
Now it comes from North Korea? Who wrote this movie? It makes no sense.
No, if you read the article, it contains code also found in known North Korean malware... which means both users just got the code off of whatever the black hat version of Stack Exchange is.
Entirely plausible. (Score:2)
One thing N. Korea lacks is resources/money to buy stuff (from China and Russia). They are the most prolific counterfeiter of $100 [wikipedia.org]... and then the $100 bill was changed. It seems entirely plausible that they are trying to replace their counterfeiting with cybercrime.
Comment removed (Score:5, Insightful)
Re:the propaganda narrative needs work. (Score:4, Insightful)
That's not mutually exclusive.
The exploit for the security hole that it uses to spread presumably came from the leaked NSA code, but that doesn't mean that the rest of the virus did. Theoretically anyone could have bolted the exploit code as an attack vector onto their existing program/virus framework, which means that the final product -could- have a lot in common with other malware that's been seen before.
Re:the propaganda narrative needs work. (Score:4, Informative)
It's weird how people generally give North Korea either too much or too little credit, often at the same time.
First off, North Korea is not at present starving its people. The North Korean economy has been growing at a rather good clip. They're trying to make Pyongyang into a model city with a lot of impressive architecture projects. While they're generally rushed and substandard construction, they're visually quite impressive (the DPRK actually has some good architects and artists - one of their biggest sources of foreign currency is giant statues built for African dictators [google.com] - I kid you not). There are now nearly 3 million cell phones in the DPRK. They can't connect out of the country, but the country is modernizing (while still trying - and progressively getting worse at - keeping its people isolated). DVD and Blu-Ray players are not that rare, particularly in cities, and the government is increasingly giving up on trying to stop media smuggled in from China. They don't mind US and European movies / TV sneaking in that much anymore, but South Korean media still bugs them a lot (because their propaganda tries to portray the South as impoverished and oppressed by the US, a country that they need to "save").
DPRK military technology, including missile technology, is a piecemeal mix of foreign tech (either imported legitimately, or acquired illegally and smuggled) and legitimate homegrown engineering. Some of their solutions are rather "hacks", but they work. For example, one of their missiles that kept flying out of control... later pictures of it showed a ton of big grid fins on the back, making it like a shuttlecock. Then it worked. Sure, that's added drag and it's going to make it light up radar screens like a Christmas tree, but they want to advance their technology as fast as possible. They're following a natural rocketry progression. Their latest rockets, for example, appear to now use a common bulkhead approach to reduce mass rather than two separate tanks. They're working with better materials. Their Q&A and local manufacturing quality is low. But it'll get the job done. They expect failures. When they shelled Yeonpyeong, only half of the shells even hit the island, a quarter of those that hit it didn't explode, and most of their shots were aimed based on obsolete maps, or just aimed poorly. But they simply put out enough firepower to overcome that. And that's undoubtedly going to be the same strategy that they pursue with missiles - "so what if a lot of them explode on the pad, in the air, go way off course.... we'll just make enough that some of them will get through."
You know, in a way, the DPRK is sort of playing a high-stakes game of Kerbal Space Program.
Re: (Score:2)
South Korean media still bugs them a lot (because their propaganda tries to portray the South as impoverished and oppressed by the US, a country that they need to "save"
Well, they had their president puppeted by a mentalist, they might actually need some sort of saving.
Re: (Score:3)
Their Q&A and local manufacturing quality is low. But it'll get the job done. They expect failures. When they shelled Yeonpyeong, only half of the shells even hit the island, a quarter of those that hit it didn't explode, and most of their shots were aimed based on obsolete maps, or just aimed poorly. But they simply put out enough firepower to overcome that. And that's undoubtedly going to be the same strategy that they pursue with missiles - "so what if a lot of them explode on the pad, in the air, go way off course.... we'll just make enough that some of them will get through."
You know, in a way, the DPRK is sort of playing a high-stakes game of Kerbal Space Program.
Rocket science isn't easy, and they are certainly handicapped by being embargoed both in information and physical goods. The assumption that their manufacturing quality is low may not be correct. I was surprised to find on my trip to the DPRK in 2014 that several of the factories that we visited, including a foundry, were ISO 9001 certified. Anybody will tell you that ISO 9001 certification is no guarantee of quality, but the tools of high quality manufacturing (CAD, computer design and simulation, CNC,
Re:the propaganda narrative needs work. (Score:4, Informative)
(Citation: http://www.cbsnews.com/news/no... [cbsnews.com] )
The elites live well, mostly in the capital city of Pyongyang, but the rest of the country is in terrible shape, because the resources and money that might otherwise be used to help alleviate those terrible conditions instead goes to weapons, missiles, nukes, etc. This is why the only lights in North Korea at night are pretty much the ones in Pyongyang, as seen here: http://news.nationalgeographic... [nationalgeographic.com]
Re: (Score:2)
The elites live well, mostly in the capital city of Pyongyang, but the rest of the country is in terrible shape, because the resources and money that might otherwise be used to help alleviate those terrible conditions instead goes to weapons, missiles, nukes, etc. This is why the only lights in North Korea at night are pretty much the ones in Pyongyang, as seen here: http://news.nationalgeographic... [nationalgeographic.com]
Is light pollution desirable? You could say the same thing about Philippines, Cambodia, Laos, Indonesia [lightpollutionmap.info] or any number of other poor Asian countries. The big cities are lit up, and the countryside is mostly dark. All of these countries have significant inequality. Several of these countries are actively committing or allowing various forms of genocide. Singling out North Korea as "the bad one" seems a bit strange to me.
Re: (Score:2)
If the NSA can have their code stolen, why can't North Korea have its malware appropriated to form part of this ransomware too?
I suppose the whole ransom thing could be a false flag to divert attention from the real source, but it seems unlikely. Why use such a powerful weapon now? The timing doesn't seem to benefit anyone. If anything it is distracting people from NK's missile tests.
It reeks of people slightly above script kiddie level bolting together some stolen exploits to older ransomware code, releasi
Re: (Score:2)
Clearly, it is not possible that there are no self-taught rocket scientists yet many self-taught programmers.
Re: the propaganda narrative needs work. (Score:1)
Dosbox runs under Windows too doesn't it?
Not conclusive (Score:2)
Malware authors steal from each other all the time. Sometimes you see a patchwork of different styles and skill levels and constructs that make no sense, except if a later attacker did not really understand the code he was modifying. Still interesting though.
Could it be a North Korean peace feeler? (Score:2)
NK has earned itself megatons of bad publicity by keeping South Korea at the edge of war for two generations, by kidnapping people at random off Asian beaches, and most recently by taking American hostages.
But now, with war threatening and their starvation problem not getting any better, NK may think it is doing us a favor by destroying Windows. It would be as if the last remnants of ISIS were to come up with a cure for Ebola.
Except that the Lazarus group isn't North Koreans (Score:3)
Re: (Score:2)
North Korea doesn't even have Internet access. How can they even have hackers?
They have. We are currently being investigated among all twelve PC owners in NK.
"state actors" (Score:2)
Who says that everyone based in North Korea is working for the government? We don't assume every US hacker works for the CIA, do we? Especially in countries such as NK, China, Russia, I would first assume that they are simple criminals, or maybe people trying to make a fortune and then get the hell out of there (which takes a lot of money. I just moved to another country, just within Europe, and it cost me a fortune).
Judging from the country I know a little about - Russia - I'm sure you can find ties to the
Not really! (Score:1)
Let me guess, if this ransomware spread happened 15 years ago should we have blamed it on Iraq? So that we can bomb it later ... Come on guys! Stop spreading ugly propaganda news.
WMDs (Score:1)
Gosh, how convenient. The US government has been looking for an excuse to have a go at North Korea, and now some ransomware appears to have a tenuous link to the country.
Kind of like the same way Iraq was harbouring Weapons of Mass Destruction. We'd best nip this in the bud as soon as possible.
Re: (Score:1)
Open to ideas here....how do you propose the world deal with North Korea?
Re: (Score:2)
I think it was a joint effort by NK and Russia! Kim Jung Putin! Stinky bastard from what I hear.
Re: Mongers gonna monger... (Score:1)
Well, Un is probably less likely to give away highly classified intelligence to the Russians than Trump, that is one thing in his favour.
Re: (Score:2)
So you think a communist won't share with another communist to help their common cause?
Re: (Score:2)
Trump's leak was not out of malice, it was out of stupidity.
Re: Mongers gonna monger... (Score:1)
The president is the highest classification authority. If he declares something unclassified, it is. It's entirely within that authority to share what he wants. As much as I don't like Trump, this is normal.
Re: (Score:2)
I was just stating that we're the common enemy for Russia and NK, therefore I would almost guarantee they would trade secrets if it could in any way hurt us.
Re: Mongers gonna monger... (Score:4, Insightful)
There is no evidence of a hack or of any collusion between Trump and Russia - especially collusion that would be counter to US interests.
Ooo. An international company (Exxon-Mobil) had business dealings with Russia. Wow. Proof of collusion. Yeah Right.
Ooo. An international real estate company had business negotiations with Russians. Wow. Lock them the f**k up.
Keep this stuff up guys and you'll see the end of the Democratic Party.