[The Library] Wanna Cry? It's Probably Because of the Lazarus Group

in #news, 7 years ago



Not many hacking groups can say they made nation states across the globe WannaCry.

That's just what the Lazarus Group did, a group of hackers that operate with increasing skill in cyberspace. The first attacks attributed to Lazarus were relatively amateur: weak DDoS attacks and poorly written software, targeted at low-hanging fruit in South Korean media and businesses. Now, though, they're thought to be responsible for the biggest ransomware outbreak and the biggest corporate breach, in terms of financial impact, in history.

Lazarus Group, under the name Guardians of Peace (GOP), was responsible for the 2014-2015 breach of Sony Pictures.

The breach wiped an entire corporate network of all of its data, led to the release of incredibly embarrassing internal email chains, and fanned already rising flames between the United States and North Korea. The North Koreans claim that the attack was carried out because of the release of the James Franco/Seth Rogen comedy flick The Interview, but the attack likely had as much to do with the movie as Benghazi had to do with the viral anti-Islamic YouTube video that sparked violence and protests in Lebanon.

Leading up to and after the cyber attacks on Sony, Supreme Leader Fatty Kim Kim was regularly quoted in the media throwing temper tantrums about his portrayal in the movie, which, spoiler alert, ended in his face-melting assassination at the hands of media duo turned CIA agents Seth Rogen and James Franco. The US responded in typical US fashion, essentially saying that the government would stand for freedom of speech and expression... until NK made ballistic threats of violence for the day of release. After a short period of backpedaling, the film was still released in theaters, and, remarkably, the boisterous regime didn't carry out a single ballistic attack in the days after the release.

If Only the Lazarus Group Took the Breach and Mediocre Ratings of The Interview as a Victory...

Lazarus Group continued their attacks long after the Sony breach, continuing their hacking campaign against South Korean government and media systems. They shifted gears, pulling off one of the biggest bank heists since the Old West after siphoning tens of millions of dollars from Bangladeshi SWIFT banking systems. I'm going to discuss the importance of this attack in particular later on, but the sophistication of the SWIFT attack was a stark contrast to the mundane and ineffective DDoS attacks seen in Lazarus Group's earlier years. 

This kind of attack, as well as their relative freedom in South Korea's networks, clearly offered a significant amount of training for the (probably) North Korean threat actors. If Sony was a major step up in terms of complexity for the group, SWIFT was a leap, and their next big move was a launch to the stars.

WannaCry? Blame Fatty Kim Kim.

WannaCry is RUMORED to be a Lazarus Group operation. Judging by their past SWIFT bank hold-up, it would make sense for NK to be robbing the world blind once again, one small ransom at a time. I'll talk below about the possibilities of WannaCry being a false flag operation, but for now let's continue with the assumption that the widely agreed upon attribution is genuine. 

WannaCry seemed at least partially rushed. The ransom payment mechanism was routed to one centralized bitcoin address, a big no-no for anyone looking to make beaucoup bucks off of an international ransomware outbreak. There was a built-in killswitch, found by the internet's savior MalwareTech, that led some researchers to believe that it was an in-production copy that was rushed out into the wild.

The aforementioned theory that the production copy was rushed into the wild would make sense. @shadowbrokers had just released the NSA EternalBlue exploit, and it was a race between malware authors and system administrators to patch systems or see them burn. Lazarus likely saw the race going on, and, not wanting to be shown up by another ransomware operation and not wanting to lose that precious target surface, rushed the code out and shut the world down.

WCry hit Europe hard, shutting down healthcare facilities and critical infrastructure there and across the largely unpatched globe. The world was abuzz with talk of this being the big one, like it was going to propel us back to the stone age. To some, the fears rang true. Surgeries were cancelled, patients were turned away, and ambulances were re-routed as healthcare facilities were shut down and forced to switch to paper records. Critical infrastructure and big-time businesses were equally affected, costing the world unknown millions in losses and recovery costs.

International False Flag? Maybe.

The international community, specifically the US, hasn't had the best relationship with the world's best groomed dictator. The reason I don't put too much stock in the false flag accusations is that, really, the world doesn't need to demonize a dictatorship that was robbing the world blind to build nuclear missiles while starving its citizens. It's a possibility, as it's relatively trivial to imitate a known actor's code, but not especially probable.

Nation State Bank Robbers, and Why That's Important

A lot has changed since the Wild West. Physical bank robberies are relatively unsuccessful, as most cash is digital, but criminals are following the green. Cyber bank dashes are becoming more and more common, and make prior hold-ups and train hijackings of the good ole days pale in comparison. Criminal bank crews have been extremely successful in robbing banks and their end users for years now, but Lazarus is different.

A state actor robbing banks blind is unheard of (barring taxation, the ultimate form of theft), which means that if Lazarus is an agent of the North Korean government, their actions against the SWIFT bank and the victims of the WannaCry outbreak are a big deal. This would mean a sovereign government is holding up banks and robbing people blind, all from their living rooms, moving the smoky rooms of the underground cyber mafia bar a little closer to state capitols.

Robbery is even scarier, in the case of North Korea, when you consider that the $81 million stolen from Bangladesh and the comparatively paltry sum made from WannaCry are likely going, for the most part, straight towards a rogue nuclear program.

A sovereign nation is robbing banks to build nuclear missiles, which they are using to threaten global peace... this sounds like a Bond film.


Like the post? I run this threat intelligence blog on Steemit and offer the content free of charge. If you're a Steemit user, you know that upvoting, which you do for free, magically puts a couple cents in my pocket. Maybe I'll buy a pack of gum with last week's earnings, but it all depends on your help. Not a Steemit user? My biggest metric of success is my viewership. If I don't make a cent but my content reaches a wide audience, that means my product is valuable and my efforts are worthwhile. 

Therefore, give me a share on your social media of choice, follow me on Steemit for more threat intel posts, and follow me on Twitter to see stupid memes and get updates when I post.



Resharing @phibetaiota
Thank you for putting this coverage together.
Fascinating piece of OSINT.
Keep up the good work.

~The Management


Thank ya my friend, the support is more than appreciated.

With every Bond movie, there's a hero. The hero is yet to be determined.

So far, it's MalwareTech.

So far... but it's still spreading

I think the real heroes then will be the SysAdmins that actually patch their damn systems and use backups.


Fascinating and a pleasure to read.

I have not seen the WannaCry malware covered like this before, thank you for clarifying who the main actors are and what their possible motivations were.

I have followed the shadowbrokers but was not too familiar with the Lazarus group, so I very much appreciate this overview.

Cheers, great stuff

That's what I like about this work. When you look into it, there's a tacit connection between juuust about every threat actor.

So, you believe that the DPRK may be behind many of these ransomware attacks? That was also a new angle for me.

I'm almost certain of it. They're hurting for funding for their nuclear problem (and food for their people) and the international community is cutting trade more and more by the day. There are reports that they have been selling illicit drugs out of their international embassies, so ransomware wouldn't be a huge reach.
