
WannaCry? North Korea's Cyber Arsenal

Thousands of ransomware attacks across the globe in May 2017 were allegedly tied to a North Korea-affiliated group of cyber-criminals. As US-led calls for tougher economic sanctions gain traction internationally, the North Korean government is likely to stage further cyber-attacks as a form of asymmetric warfare and as a means of generating revenue, writes Rob Attwell.

In mid-May 2017, thousands of businesspeople and government officials from 150 countries switched on their computers and saw the following ominous message: “Oops, your files have been encrypted!” This was followed by a ransom note, translated into 28 different languages, demanding a payment in the cryptocurrency, bitcoin. An estimated 300,000 computers were infected in the attack, known as ‘WannaCry’, and the speed with which the ransomware travelled between networks raised significant security concerns. The attack affected hospitals in the UK, civil servants in Russia, speed cameras in Australia and the Chinese public security bureau. Investigations by multiple cybersecurity firms and Western intelligence agencies have linked WannaCry to a group of cyber-criminals, allegedly affiliated to North Korea, called the Lazarus Group. 

Ransomware is a type of malicious software designed to block its victim’s access to their data until a ransom is paid. Advanced forms of ransomware, such as WannaCry, encrypt the files stored on a computer system so that they are inaccessible unless a payment is made – in this case USD 300, rising to USD 600 if not paid within three days. While the majority of attacks involve malicious software disguised as legitimate downloads and email attachments – known in the industry as Trojans – WannaCry spread automatically between computers on the same local network, taking advantage of systems on which the relevant security updates had not been installed.

Digital forensics investigations by two leading cybersecurity firms linked the WannaCry attacks to the Lazarus Group, pointing to similarities between the coding used in WannaCry and in several other cyber-attacks previously linked to the Lazarus Group. They also highlighted the fact that several of the IP addresses linked to WannaCry came from North Korea. This assessment was seemingly confirmed by leaked reports from Western intelligence agencies. 

The Lazarus Group is a cyber-criminal gang thought to have been founded in 2009 and is primarily based in China and Southeast Asia, with alleged ties to the North Korean government. The group has been linked to numerous cyber-attacks, including the use of distributed denial-of-service (DDoS) techniques on South Korean and US government infrastructure, as well as malware attacks on financial institutions worldwide. In 2014, attackers thought to be associated with Lazarus Group hacked into the network of Sony Pictures and leaked a variety of confidential and sensitive information, seemingly in retaliation to the studio’s release of a satirical film about North Korean leader Kim Jong Un. In February 2016, an attack attributed to Lazarus Group resulted in the theft of USD 81 million from the Bangladesh Central Bank. 


The famous satellite image of North Korea at night, almost entirely devoid of electricity, makes the country’s formidable cyber capabilities all the more surprising. However, since the end of the Cold War, the country’s use of cyberattacks is consistent with its strategy of asymmetrical warfare, a term which describes a conflict between opponents whose military powers differ significantly. North Korea adopted asymmetrical strategies as a response to the changing security environment on the Korean Peninsula following the end of the Cold War in the late 1980s. With its major allies, the former Union of Soviet Socialist Republics and China, moving closer towards the West, North Korean leaders realised they would not be able to rely on the protection of larger communist countries. Without that support, they could not hope to defeat South Korea or the US in the event of a conventional conflict, due to the latter’s overwhelming military and economic superiority. In response to these changing dynamics, the North Korean authorities initiated a series of military strategies aimed at ensuring the continued rule of the Kim family. The first was the expansion of its controversial nuclear weapons programme, which has resulted in widespread condemnation and economic sanctions. Another was the development of its cyber arsenal. Cyber-warfare allowed Pyongyang to carry out attacks on South Korea and US infrastructure whilst maintaining a degree of plausible deniability and thereby minimising the risk of retaliation. 

The genesis of North Korea’s cyber arsenal dates back to 1986 when the government reportedly hired 25 Russian computer scientists to teach students at the Mirim Command Automation College, a military institution in Pyongyang. Building on the work of these experts, Pyongyang opened the Korea Computer Centre in 1990 to train the next generation of hackers. Potential recruits were allegedly identified while still in elementary school and put through rigorous training in coding languages and hacking techniques from then until graduation from university. As a result of these programmes, there are estimated to be around 5,900 individuals working in North Korean hacking units spread across the Reconnaissance General Bureau (RGB) and Korean People’s Army (KPA). These programmes are likely to be the origins of the Lazarus Group. 

Cyber-warfare also offers the government the opportunity to raise funds. North Korea is largely cut off from the global economy, with China accounting for the bulk of its external trade relations. This isolation has been consistently exacerbated by US-led sanctions targeting the regime’s nuclear weapons programme, and relations between Pyongyang and Washington have been worsened by North Korea’s multiple ballistic missile tests during the first half of 2017. The US has called for harsher economic sanctions and is threatening to implement secondary sanctions against countries that continue to trade with North Korea. Furthermore, China is growing disenchanted with Pyongyang, banning the import of coal from the country in April 2017 following the alleged assassination of Kim Jong Un’s older half-brother Kim Jong Nam in Malaysia earlier that month. Increased economic isolation will make North Korea desperate. 

In order to support its expensive nuclear weapons programme and to maintain a somewhat functioning economy, North Korea has increasingly turned to criminal activity. This takes a variety of forms – for example, since the 1970s, the country has allegedly been an active player in the international drug trade, and is now considered to be a leading producer and exporter of methamphetamine, commonly known as crystal meth. Cyber-attacks also play a part, although the profitability of the WannaCry ransomware attack was limited by several weaknesses in the malware, including the fact that a countermeasure was quickly identified. WannaCry is estimated to have earned the hackers only around USD 50,000-80,000, a paltry profit for an attack of this scale. 

As further ransomware and other cyberattacks are expected, most cybersecurity firms recommend that potential victims take the following steps to minimise the threat: install up-to-date antivirus software and firewalls, keep abreast of software updates, avoid clicking on links or opening email attachments from unknown people or companies, keep a pop-up blocker running on web browsers, regularly back up important files, and make use of SmartScreen when using Internet Explorer, which helps identify suspicious websites and downloads. Most importantly, cyber-security firms advise victims of ransomware attacks never to pay the ransom, as there is no guarantee those responsible will decrypt the files, and payment only encourages further attacks.

One of the main flaws in WannaCry’s coding was that there appeared to be no unique identifier allowing ransom payments to be attributed to individual victims. Since the malware did not provide a unique bitcoin address for each victim’s payment, there was no scope for automating the decryption process. This meant that the perpetrators would have had to work out where each ransom payment came from before manually sending a decryption key – an almost impossible task for an outbreak of this size.
