The UK Foreign Office has joined the Trump administration in blaming North Korea for the WannaCry malware attack that infected around 300,000 computers across the world in May.
Foreign Office Minister Lord Ahmad said the UK would now publicly attribute the WannaCry cyber attack to North Korean hackers known as the Lazarus Group. The group has also been blamed for the $81 million SWIFT theft from the Central Bank of Bangladesh and the destructive attack on Sony Pictures Entertainment in 2014.
WannaCry spread on networks across the world on May 12, infecting around 300,000 computers in 150 countries, including computers at 48 of the UK’s National Health Service (NHS) trusts.
The attack would almost certainly have spread further had UK security researcher Marcus Hutchins not discovered a hardcoded domain that served as a kill-switch within hours of the outbreak. Regardless, some victims had paid the Bitcoin ransom equivalent to around $300, but were never able to retrieve their files.
Trump’s Homeland Security Advisor Tom Bossert detailed the US’ position at a media briefing on Tuesday as Microsoft revealed it had also thwarted a North Korean malware campaign just last week.
“After careful investigation the US is publicly attributing the massive WannaCry cyber attack to North Korea. We do not make this allegation lightly. We do so with evidence and we do so with partners,” said Bossert.
The US has shared its analysis with governments in the UK, Australia, Canada, New Zealand and Japan. Bossert said these countries have joined the US in denouncing North Korea’s action.
The UK’s National Cyber Security Centre (NCSC) reportedly linked the Lazarus Group to WannaCry in June, but has not until now publicly blamed the group.
Ahmad, who is Britain's Cyber Minister, today said the NCSC considered it “highly likely” the North Korean hackers were behind WannaCry.
“We condemn these actions and commit ourselves to working with all responsible states to combat destructive criminal use of cyber space. The indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber programme to circumvent sanctions,” said Ahmad.
“International law applies online as it does offline,” continued Ahmad. “The United Kingdom is determined to identify, pursue and respond to malicious cyber activity regardless of where it originates, imposing costs on those who wish to attack us in cyberspace. We are committed to strengthening coordinated international efforts to uphold a free, open, peaceful and secure cyberspace.”
Bossert noted that Microsoft had also traced the attack to sources in the North Korean government.
“The attribution is a step to holding them accountable but it’s not the last step,” said Bossert. However, he also said the US doesn’t have many options to apply more pressure to North Korea than it is already doing.
“It’s not about holding a country accountable but about simple culpability. We’ve determined who was behind the attack and we’re going to say it and we’re going to shame them for it,” said Bossert.
Bossert credited Microsoft and Facebook with disrupting North Korean cyber activities last week by shutting down accounts the country’s hackers used to launch attacks and patching systems.
In a brief post on Tuesday, Microsoft vice president and chief legal officer Brad Smith said the company had concluded Lazarus was behind WannaCry.
"Among other steps, last week we helped disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection. We took this action after consultation with several governments, but made the decision independently," wrote Smith.
Smith said Microsoft expected to release more details about last week's activity in the near future.
In the wake of WannaCry, the Microsoft exec wrote that some of the blame for the cyber attack lay with the US government due to its practice of "stockpiling" vulnerabilities rather than reporting them to vendors so they can develop and distribute patches. Smith compared the loss of the NSA exploits to the military having Tomahawk missiles stolen.
WannaCry used two NSA-developed exploits, including one that targeted a vulnerability in the SMB protocol that was used to spread the malware on Windows machines within the same network. The exploits were leaked by mysterious hacking group Shadow Brokers in April, about a month after Microsoft released a patch for the SMB flaw and a month before WannaCry hit computers.
Bossert suggested Tuesday that Microsoft and the US government had buried the hatchet over the government's alleged stockpiling of bugs thanks to greater transparency around a program called the Vulnerabilities Equities Process (VEP), which is used to determine whether bugs the government discovers are kept secret or disclosed.
"While the US government needs to do better to protect the tools and things that leak are very unfortunate ... I think Brad also now appreciates more and better what we hold on to, and I think he appreciates why we hold on to it because we've made it a transparent process," said Bossert.
"Microsoft and Brad Smith today are standing with me on this," he added, noting that when Smith made the comments the government's VEP was not transparent to Microsoft.
In November the Trump administration released a charter for the Vulnerabilities Equities Process that explained how the government weighs the benefits of withholding a vulnerability to US national security versus disclosing it. The document described the agencies involved in the decision making and the processes followed to arrive at a decision.