WannaCrypt 'may be the work of North Korea' theory floated

Security researchers are exploring the theory that the WannaCrypt ransomware might be the work of an infamous North Korean government-backed hacking crew. The crumb-trail-sniffing began on Monday after Neel Mehta, a security researcher from Google, posted an artefact on Twitter potentially pointing at a connection between the …

  1. Version 1.0 Silver badge

    Colour me unsurprised

    The NORKs have been doing this for years - it's their principal source of foreign currency. They are the most sanctioned country on Earth and has anyone noticed it affecting them?

    1. toxicdragon

      Re: Colour me unsurprised

      The Norks have around 1k computers, or at least externally accessible IP addresses. Considering the number of addresses world wide that is a very small attack area. And besides, even if it did affect them, how would word get out? I strongly doubt the Norks want their computer security questioned

    2. Captain Badmouth
      Holmes

      Re: Colour me unsurprised

      True, how else you gonna pay for all those nice ICBMs, even if they do wobble a bit on the carrier (and in the sky?)

  2. Anonymous Coward

    I lean to this being the work of private enterprise rather than the Commie State, all a bit too convenient given the current political climate. Perhaps one day we'll know the truth and then again we won't but it's out there somewhere.

    1. Yet Another Anonymous coward Silver badge

      If it was the work of private enterprise it would make you pay the ransom upfront, then fail to encrypt the files, then make you pay for an upgrade, then pay for a 'consultant' on site to encrypt them for you - then the whole project would be cancelled after running $Mn over budget and be repeated after everyone involved was given bonuses

      1. fandom

        "If it was the work of private enterprise it ...."

        You know Yet, there are teams that won't hire you.

    2. a_yank_lurker

      @AC - I am not sure who the culprit behind this attack is; more accurately, I have no idea. However, there almost always seems to be a knee-jerk reaction to blame either the NORKS, Russians, or Chinese based on what appears to be over-glorified navel gazing by so-called 'experts'. As you implied, there are a lot of people with the skills needed to make this attack; many are, as you called them, 'private enterprise'.

      1. Vector

        Yeah, two things occur to me. First, from reports I've heard this thing was so hideously bungled (from a payoff perspective) that I'm more inclined to believe it was script kiddie adaptation than some "notorious" hacking collective. Second, if this was some political actor, why bother with the ransom? Just encrypt the files and watch all the phish flop on the line.

  3. wolfetone Silver badge
    Holmes

    WannaCrypt software was developed by the NSA and leaked (amongst other things) in the Vault 7 leak. Included in that was also software to make attacks look like they originated from another country.

    So, with that information, could it still be the North Koreans? Or could it be someone who could/would benefit from some heightened tension in the Korean peninsula?

    1. Ken Hagan Gold badge

      I agree. If you're reduced to using the timezone as "evidence" then you scraped your way through the bottom of the barrel a long time ago. A more plausible conspiracy theory is that the NSA have just noticed that most of the world's XP systems are in countries they don't like and later systems can be protected if MS can be persuaded to put out a patch two months before the attack. (If you want a soundbite, they've weaponised Microsoft's update policy.)

      But a vastly more plausible theory still is that some normal crook decided to strap a ransomware payload on the back of a new exploit they found on the interwebs. There are *far* more crooks than there are nation states, so the odds are *always* in favour of the mundane explanation.

      1. Jonathan Richards 1

        More nonsense

        > If you['re] reduced to using the timezone as "evidence"...

        In the same vein, I noticed that the killswitch domain name is significantly non-random, and probably chosen by keyboard mashing. Here's how a classic touch typist on a QWERTY keyboard would achieve those characters [1]:

        KILLSWITCH DN: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA

        TYPING HAND: RRLLLLLRLRRRLRLRRLLLRRLRLRLRRLLLLLLLLLLLL

        QWERTY ROW: 11111221210122211222222121112221111112112

        Note that only the top two rows of letters are used, and only once does it stray into digits; the nine is probably a near-miss for the subsequent I. It seems to me that the mashing was almost certainly done on a QWERTY keyboard. However, APTs will probably be using such keyboards anyway; all the information I can find about N. Korean PCs indicates that their layout is QWERTY, too.

        Hey, I *like* it here at the bottom of the barrel!

        [1] transposed to uppercase for clarity; paste somewhere in a monospaced font to make it line up.

        1. John Brown (no body) Silver badge

          Re: More nonsense

          "paste somewhere in a monospaced font to make it line up."

          You mean like this? [code] ([] used for <>)

          KILLSWITCH DN: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA
          TYPING HAND:   RRLLLLLRLRRRLRLRRLLLRRLRLRLRRLLLLLLLLLLLL
          QWERTY ROW:    11111221210122211222222121112221111112112

    2. Naselus

      "WannaCrypt software was developed by the NSA and leaked "

      Ish. Bits of Wannacry were taken straight out of the leaked NSA tools. Other bits look like they've been written by a 16 year old with a limited grasp of infosec. For example, the 'just check if this domain has been registered' killswitch which stopped it is the kind of thing that a state-backed group would not include, full stop - whether that's the Russians, the Chinese, the Norks or the NSA/GCHQ.

      This mostly seems to have been a cut-and-paste job tbh. Someone who didn't really know how to program but did know how to slam chunks of code they found on Stack Overflow together blundered onto the dark web and just cobbled together whatever they found to do what they wanted. The result was an odd combination of high-end and low-end features.

      1. Anonymous Coward

        Someone who didn't really know how to program

        Or someone who wanted it to look as though this mess started with someone who didn't really know how to program... know what I mean?

  4. Anonymous Coward

    do you want to buy a bridge?

    it's cheap

  5. Anonymous Coward

    Oh my! I would never have guessed that in a million years.

    I'm sorry but there is actually zero way of knowing where software came from unless you catch the person who wrote it.

    What if I wrote a virus and named all the variables using decidedly British terms, like tea, chips, scones or brexit. Would people automatically assume the writer was British?

    1. Pen-y-gors

      Depends how you pronounce scones.

      1. Anonymous Coward

        "Depends how you pronounce scones."

        Reminds me of the Goodies, Bunfight At The OK Tearooms.

        Scône or scon.

        1. Eddy Ito

          Isn't scons the pronunciation for citizens of Silicone Valley?

          1. Yet Another Anonymous coward Silver badge

            Isn't Silicone Valley what people in LA call Décolletage ?

          2. TRT Silver badge

            Silicon Valley

            I'd hardly group the low-fat, gluten-free, soya-milk "biscuits" that they peddle out there with anything that could even possibly be called a scone.

  6. Jason Bloomberg Silver badge
    Coat

    The Norks definitely did it

    I know that's true because that's what newspaper headlines are saying, and I don't see any "Fake News" flags surrounding those, so it is true. Bastards.

    Mine's the one with newspaper clippings in the pocket.

  7. Anonymous Coward

    Skiddies

    This is bollocks.

    Odds are this is some script kiddies who had a play with doublepulsar and eternalblue mixed with some crappy darknet provided crypto malware. I doubt they had any idea it was going to be as successful as it was.

    This is supported by the lack of any form of sophistication to the attack and the complete lack of any suitable infrastructure to accept payments.

    This is not nation state actor stuff unless people really think the NORKS Cyber Ninja Army has the coding skills of a well fed hamster.

    1. Paul 76

      Re: Skiddies

      It's a nonsense. DPRK is not a rich country, but it's not so poor it's scrounging for bitcoin. If they did such a thing they would probably want information first (which you don't get if you announce ransomware) and chaos second (which could be done by changing data very very infrequently randomly, or just destroying it for example).

      It's a standard ransomware thing that got out of hand, some person(s) built it on the released exploit and it was too successful.

  8. Thought About IT

    Naive Question

    It's such a long time ago that I can't remember what, if anything, would break if an application developed for XP was run on Windows 7. Can anyone enlighten me?

    1. Anonymous Coward

      Re: Naive Question

      Depends on the App but then it's not just the App it's the driver support as well in the case of medical machinery. I've always found Windows 7 XP support to be hit and miss. I have to run Sim City in a VM.

    2. Paul Crawford Silver badge

      Re: Naive Question

      Programmers doing "stupid stuff" mostly:

      - Not following MS' guidelines (e.g. using undocumented APIs, assuming drive letters & folder locations)

      - Using the flavour-of-the-month framework (e.g. ActiveX for IE6, recently Silverlight...)

      - Assuming you are running with admin rights (lots of NT/W2K/XP era stuff)

      - Assuming the machine won't have firewalls enabled (but even MS software with XP SP3)

      - If hardware is involved, then MS changes to the HAL layer, etc.

      All said, a simple Win32 program from the NT era will generally still work perfectly!

      1. BongoJoe
        Facepalm

        Re: Naive Question

        - Not following MS' guidelines (e.g. using undocumented APIs, assuming drive letters & folder locations)

        I would think that I have got into more compatibility issues by coding along to MS' guidelines.

        And having looked at some MSDN over the decades I have wondered if they, internally, were following another set of standards, i.e. guidelines, to those that they were giving us developers who were Outside The Asylum.

      2. Doctor Syntax Silver badge

        Re: Naive Question

        "All said, simple win32 program from NT era will generally still work perfectly!"

        And simple web sites run on any browser.

        It's always the same; folk who try to be clever end up being too clever by half.

      3. Paul 76

        Re: Naive Question

        So doing what MS do, then ? This is the organisation that recommended you used casts for the old GlobalLock()

    3. Jason Bloomberg Silver badge

      Re: Naive Question

      All the code I have been involved in producing runs on everything from XP up to Windows 10.

      There are things which can break; expecting registry keys to be in particular places, system folders to have certain names and the like, but Microsoft have done a pretty good job of making things backwards compatible when things are done in the approved manner for code targeted at XP.

      1. patrickstar

        Re: Naive Question

        MS goes to great pains to maintain backwards compatibility, even to the point of "emulating" bugs/mis-features of APIs and layout of internal data structures when old code has come to rely on it.

        With rare exceptions, stuff that runs on NT 4 or even 9x will run just fine on modern systems. The only caveat being the lack of support for DOS and 16 bit Windows applications on 64 bit systems.

        Unfortunately, with the amount of software actually having been written for Windows - including weird in-house stuff - those rare exceptions still add up to quite a lot.

        The bigger issue for things like medical equipment is probably the drivers. If you do it properly, drivers from Windows 2000 and onwards should work on modern systems (as long as they are the same bit-ness), but there's a lot of room for not doing things properly when developing drivers.

        And it's a lot harder to work around when it happens (read: often impossible without the source code to the driver or the ability to re-implement it from scratch) - no such things as application compatibility hacks for drivers.

        1. Ken Hagan Gold badge

          Re: Naive Question

          "The bigger issue for things like medical equipment is probably the drivers."

          Possibly. I don't recall seeing a "Medical" device type in Device Manager. There may be some medical devices that ship with a bespoke "interface card", particularly the really old ones that were built for DOS, but I would hope that the majority of devices written in the last couple of decades communicate with more sane options like RS232 (now carried over USB and supported by every OS on the planet) or an ethernet cable (similarly universal).

          It might take time to validate any new configuration, so that you can tick the box labelled "Doesn't kill the patient", but I doubt whether device support is the blocking issue for that XP->whatever roll-out.

          1. patrickstar

            Re: Naive Question

            RS232 is too slow for a lot of things, and Ethernet too complex (and then we would be worried about people hacking that as well, not just the workstation controlling it...). Even if the gear was an entirely new design and used USB, that still required a custom kernel mode driver in XP (UMDF wasn't introduced until Vista or so).

            If the gear itself is slightly older, it might very well pre-date standardized high speed low complexity interfaces altogether and then you're stuck with custom interface cards. In that case you can basically count yourself lucky if you're stuck with XP on a 10-15 year old PC, and not something like an early/mid 90s UNIX workstation, or worse (you can find spares for old SUN boxes easily, but some gear needs really specific hardware, like the rare SPARCs with VME buses).

          2. Anonymous Coward

            Re: USB replacing serial and parallel - may be trickier than it looks

            "sane options like RS232 (now carried over USB and supported by every OS on the planet)"

            Works for a lot of stuff, may not always be satisfactory. Stuff that expects to see things behave the way a 16550 UART has always behaved, especially wrt timing, may not work well when using serial over USB. For example, byte out<>byte in protocols (they do exist in a handful of cases) may go slow due to increased latencies because that's the way USB<>serial works; data sits in the receiver or the sender till it's polled every few milliseconds.

            And then there's the fun that people have had with 'fake' FTDI USB-serial chips and associated drivers that brick the attached device [1].

            Some other relatively low-end devices have historically used a few bits of a parallel printer port as outputs and inputs, for their own non-printing purposes (e.g, cheap/nasty JTAG). Modern PCs with modern software may not have that capability - they can print to USB, but the parallel port may not exist or the bit-banging functionality may not be accessible through the OS.

            Just sayin.

            [1] https://www.theregister.co.uk/2016/02/10/ftdi_says_knockoff_chips_part_of_criminal_operation/

            https://www.theregister.co.uk/2014/10/24/ftdi_bricking_driver_response/

      2. Paul 76

        Re: Naive Question

        A lot of incompetent coders out there. Educational Software is notoriously bad.

    4. User McUser

      Re: Naive Question

      Usually it's because some program requires IE 6 to operate correctly; Windows 7 shipped with IE 8 and (AFAIK) it can't be back-leveled/downgraded.

      You could of course run those apps in XP Mode, but that merely contains the XP in a VM rather than eliminating it entirely.

    5. Naselus

      Re: Naive Question

      Drivers.

      For Vista onwards, Windows moved to a different driver framework that required things like 'keep kernel-mode drivers and user-mode drivers separate', 'don't just use the highest privileges possible by default', and 'why not try reading up on security standards before calling yourself a programmer'. All the things which had made earlier versions of Windows so unstable and fundamentally insecure, in other words, were now to be forbidden, so we could discover exciting new types of instability and insecurity rather than just bluescreening because your joystick decided to write into the kernel space for no reason.

      This was basically why Vista didn't seem to work with anything initially - it demanded properly written drivers, at a point when basically no-one had bothered writing them to any decent standard. The reason Windows seemed to work with literally all the hardware in the world (to a given value of 'work', at any rate) is because prior to Vista/7 it didn't stop you from doing stupid and insecure things with your driver code. You could let the work experience kid cobble your driver together based on his Art History degree and 20 minutes of training, and companies literally did. After Vista, it did, and the immediate result was 90% of existing device drivers were suddenly forbidden from working.

      Unfortunately, lots of the devices used by the NHS (think MRI scanners, X-ray machines, and other hugely expensive medical equipment designed with a 50-year lifespan) have horribly-written drivers created by companies that ceased to exist 20 years ago, and so new drivers were never created. So the NHS kept using Windows XP on the machines connected to those devices, but also hooked them into the network so they could transfer those scans around - via port 445, using SMB v1, which is precisely the protocol which this worm used to spread itself.

      Which basically explains the whole situation, tbh.

  9. Anonymous Coward

    I personally called this theory from day one.

    But if it is true, a lot of computers in China got hit...

    So fucking up their main allies technology network wasn't a smart move.

    ...again, if it's true.

    1. Anonymous Coward

      I personally made a joke about this and my Russian sounding shopkeeper, only took till Tuesday. Not bad going really but not unexpected.

      My next prophecy is that Trump will accidentally speak Russian in a press conference and blame the fake media for dubbing him.

      It's either that or sentient chickens.

  10. 0laf

    Double Bluff

    Ideal opportunity for the Norks to play havoc. Everyone points the finger at them for every bad event, so that people will start to disbelieve they can be responsible for it all.

    Then they can launch a massive attack knowing that a bored population will just roll their eyes and say "not the Norks again, tinfoil hat time".

  11. XSV1

    Dear Leader

    How does anyone seriously think that "Dear Leader" and his clan are capable of any sort of cyber crime. Seriously?

    1. Anonymous Coward

      Re: Dear Leader

      Everything I know about North Korea comes from Western media - I've never been there myself.

      On the basis of what I am told they are both a threat that we should seriously consider going to war against and also a bunch of incompetents ruling a largely starving, downtrodden, pre-industrial society by fear and brainwashing.

      So I guess yes is the answer. Or no. Depends whether I'm required to fear or mock them today.

      Your post suggests it's mockery day but the article tells me it's fear.

      How confusing.

    2. Ken Hagan Gold badge

      Re: Dear Leader

      I think "Dear Leader" is now "Dead Leader". The current incumbent goes by the moniker "Fatty Kim", at least on Chinese social media.

    3. Anonymous Coward

      Re: Dear Leader

      Devil's Advocate:

      How does anyone seriously think that GCHQ and the NSA are capable of hacking any computer on the planet. Seriously?

  12. 's water music

    Excuseotron

    Responsibility lies squarely with [delete as appropriate]

    North Korea

    ISIS

    ISIL

    ITIL

    Brexit

    Remain fifth columnists

    The dog which ate it

    Some big boys who later ran away

    Paedos

    Crabs

    Cake

    Thatcher

    political correctness

    political correctness gone mad

    Devops

    Other (please specify)

    1. Steve Davies 3 Silver badge

      Re: Excuseotron

      I'd go with your list apart from one item.

      Sadly/Happily Thatcher is dead so replace her with Trump and I think you are good to go.

    2. Jason Bloomberg Silver badge
      Black Helicopters

      Re: Excuseotron

      Bitcoin seems to have escaped any mention even though ransom payment is demanded in that form.

      I do fear that a lot of the usual suspects will have been cheering in private as it will give them plenty of pretext to clamp down on all manner of things digital which they don't like because they can't control it, decode it, or prevent it.

      Someone with a professionally made tin-foil hat might suggest that's exactly what the NSA leak and this attack was intended to achieve.

      #PleaseSaveUsAmber

      1. Ken Hagan Gold badge
        Thumb Up

        Re: Excuseotron

        Up-voted for the splendid hashtag.

    3. BongoJoe

      Re: Excuseotron

      You missed 'Agile' and, also 'Oracle'

  13. StillGridlocked

    I remember after the Sony hack all the Government cyber think tanks who are paid to further the Government narratives said it was the N Koreans while independent security analysts said it was a disgruntled ex Sony employee.

    The North Korean narrative is still being spun - along with 'hands up, don't shoot' Just because something is repeated ad nauseam doesn't make it true.

  14. Anonymous Coward

    The Norks? Nahh.

    I don't see why this would be the Norks. For starters the US and the west would be the primary target of the attack and it wouldn't have targeted Russia or China as those countries are their closest supporters/allies. Unless of course it was a major screw up on their part a bit like their out-of-control rockets.

  15. Anonymous Coward

    It could be North Korea, but that is just one possibility

    I doubt it was a state-sponsored group in Russia or China, because one of those groups would have presumably been very hesitant to release a worm into the wild that would infect so many pirated/unpatched Windows systems in China/Russia.

    I also doubt that anyone affiliated with the 5 Eyes was behind this, since this has brought so much unfavorable attention on the 5 Eyes and the NSA in particular

    But other than that, it could have been just about any hacker collective or rogue state.

  16. JaitcH
    Unhappy

    Just More American B.S.

    The DPRK has minimal communications facilities with the outside world. The main communications links cross the Yalu River, which separates Pyongyang, DPRK, from China, carried by the tatty looking bridge which also provides road and rail communications.

    There is a new bridge between the countries called the New Yalu River bridge that spans the Yalu between China's DanDong New Zone, LiaoNing Province, and North Korea's Sinuiju Province. The DPRK's end is completely devoid of any infrastructure - not even a muddy track - let alone communications.

    All the DPRK's comms are routed through China which means that the lines could easily be hijacked by the Chinese.

    Any accusations are based upon the flimsiest of data and are likely just the Americans creating more hassles for their current favourite enemy.

  17. a_yank_lurker

    Likely Actor

    To sum up, a semi-competent script kiddie could have pulled this off with possibly some outside support. The support most likely would come from one of the many hacker groups around. Thus, there is a very reasonable possibility this is a 'private enterprise' attack as AC called it above. Some internal indications point to someone of moderate coding ability behind this which tends to fit a script kiddie.

    The possibility of a government doing this is less likely because of the scattershot nature of the attacks, the obvious attempt to get small amounts of money, and the general lack of polish. Most government hacking consists of attempts to get information, not money, especially the small sums being asked for. The NORKS are no different in their desire for information even if they have a ramshackle economy. However, for the media and politicians a script kiddie cannot be used to whip up any enthusiasm for any particular policy. Blaming the NORKS might be useful for whipping up enthusiasm for trashing them.

    1. Mark 85
      Black Helicopters

      Re: Likely Actor

      Thus, there is a very reasonable possibility this is a 'private enterprise' attack as AC called it above.

      Hmm... you might just be on to something. Should we investigate to see if it was IBM which done it? They're strapped for cash but then there's some other companies also....

      I really wish we had a tinfoil hat icon.

  18. bon_the_one

    Unlatched

    "unlatched versions of Windows"

    Have I missed this term before?

    1. Ken Moorhouse Silver badge

      Re: Unlatched

      I suspect the word is "unpatched".

      And the next version of Windows is, of course, "unhatched".

      Many here will no doubt wish to discuss at great length the words "unmatched" and "Windows" in the same sentence, which is where I go get the popcorn...

      1. Alistair
        Coat

        Re: Unlatched

        Dunno. In certain parts unthatched windows could be an issue - but I doubt that skiddies would want to have anything to do with them.

        /the one with "One free Cuba Libre on our beach" coupon in the pocket.

        1. TRT Silver badge

          Re: Unlatched

          Unbatched refers to the standalone edition, unwatched refers to MS security team's scope of XP.

    2. Captain Badmouth
      Pint

      Re: Unlatched

      As in "the back door is unlatched" * or off the latch....

      Prefer "on the lash" myself.

      * i.e. all versions of windows.

  19. Christian Berger

    Hmm... North Korea is a good scape goat

    Because North Korea won't deny it, and even if they did, nobody will believe them.

    The bigger problem security-in-a-box companies are facing is of course that they promised to protect people from such attacks (quote from an ad: "The NHS is totally protected with Sophos") when they in fact were just peddling snake oil. In the real world, something like that would have had serious consequences. (However they could also say that it was proven decades ago that it's impossible to automatically analyse software for certain properties, at least in the general case.)

    So it's convenient to have a space goat, and North Korea is the perfect one. Of course there is no evidence, but that's how attribution works. You look at some code, and speculate that it could have been X, then someone finds the same code somewhere else, and takes your first speculation as proof that it must have been X.

    1. An ominous cow heard
      IT Angle

      Re: it's convenient to have a space goat,

      I've always found that to be the case. Thank you :)

      1. Anonymous Coward

        Re: it's convenient to have a space goat,

        IT?

        Draenei

    2. mr_souter_Working

      Re: Hmm... North Korea is a good scape goat

      "So it's convenient to have a space goat"

      I like the idea of a space goat - it'd be useful on the ISS.

      :D

  20. Doctor Syntax Silver badge

    If it's right the Little Leader might find himself "invited" on a state visit to China where he will be taken suddenly, mysteriously and fatally ill.

  21. Anonymous Coward

    If it were skiddies

    Then watch out when the big boys have a crack...

  22. Arachnoid
    Facepalm

    Hmm... North Korea is a good scape goat

    President Trump says it's definitely not the Russians

    And will members please leave the poor Goats alone......

    1. TRT Silver badge

      Re: Hmm... North Korea is a good scape goat

      I don't mind if Trump shares "facts" with the Russians. That's what they used to call a disinformation campaign.

  23. mwnci

    Attribution is a fool's game.....

    On the subject of Space Goats..They are a thing...
