North Korea carried out the WannaCry ransomware attack, say security services

The cybersecurity arm of British intelligence services has reportedly suggested the global ransomware outbreak was launched from North Korea.
Written by Danny Palmer, Senior Writer

WannaCry infected over 300,000 computers around the world.

Image: Cisco Talos

British security services believe that last month's global WannaCry ransomware attack was launched by hackers in North Korea, sources familiar with the matter have said.

The WannaCry ransomware outbreak - powered by a leaked-NSA exploit - took down Windows computers around the world, infecting over 300,000 PCs and crippling systems across the Americas, Europe, Russia and China.

The UK's National Health Service was particularly badly hit by the attack, with hospitals and doctor's surgeries knocked offline, and some services not restored until days after the initial outbreak.

Now an investigation led by the National Cyber Security Centre (NCSC) - GCHQ's cybersecurity arm - has pointed to North Korean hacking operation the Lazarus Group as the source of the attack, according to the BBC. Cybersecurity firms have previously suggested the WannaCry attack could have been mounted from North Korea.

An NCSC spokesperson told ZDNet that the organisation could neither confirm nor deny the reports.

The Lazarus Group is linked to a number of high-profile cyberattacks in recent years, including including the $80m Bangladeshi cyber bank heist and 2014's Sony Pictures hack, which supposedly a response to a comedy film about North Korean leader Kim Jong-un.

The role of the North Korean leadership in the WannaCry outbreak isn't known, but security services have suggested that those behind the attack may not have expected the ransomware to spread so quickly. Mistakes in the code point to the possibility that the authors didn't know what they were getting themselves in to.

See also: How to defend yourself against the WannaCrypt global ransomware attack| Ransomware: An executive guide to one of the biggest menaces on the web

If the attack were an attempt to generate income for Pyongyang it hasn't been particularly successful, the ransomware hasn't been lucrative for its creators. Almost one month on from the outbreak, only $126,000 has been paid by victims, and the ransom money is yet to be withdrawn.

The suggestion by British security services that WannaCry was launched by North Korea comes shortly after reports that US intelligence officials at the NSA have also linked the cyberattack to the country. The assessment was based on an analysis of tactics, techniques and targets, which has led to "moderate confidence" that North Korean intelligence was behind the attack.

The NSA also says the attack was launched using Chinese IP addresses historically harnessed by North Korea's spy agency, the Reconnaissance General Bureau.

China - which saw its government bodies for transport, industry, social security and immigration - hit by the attack, has denied any involvement in WannaCry.

Linguistic analysis of the ransomware note says the author speaks fluent Chinese - although it isn't necessarily their first language and it's possible those behind the attack used Chinese in an effort to throw any investigating authorities off the scent.


Editorial standards