TRENDING

WannaCry: an analysis of competing hypotheses
by Digital Shadows

On 12 May 2017, as the WannaCry ransomware spread across computer networks across the world, a variety of explanations also began to worm their way through the information security community. Who was responsible for the WannaCry campaign? And what was the objective?

Ransomware suggested it was the work of cybercriminals, although, given the sheer scale of infections and disruption, some commentators suspected the hand of a nation state.

Despite relentless analysis from the security research community that has brought fragments of new information to the fore, no consensus has yet been reached on an attribution for the campaign.

One of the most recent theories put forward rests on a possible connection between WannaCry and the Lazarus Group, an actor that has previously been linked with several high-profile network intrusions and assessed as highly likely to have some association with the Democratic People’s Republic of Korea (DPRK). Analysis has indicated that WannaCry samples from February 2017 contained a small section of code identical to code used in previous Lazarus campaigns.

At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered. While malware may initially be developed and used by a single actor, this does not mean that it will permanently remain unique to that actor. Malware samples might be accidentally or intentionally leaked, stolen, sold, or used in independent operations by individual members of a group. It is therefore important to consider other factors, such as the consistency of an operation with previous activity attributed to an actor.

Digital Shadows has therefore applied the Analysis of Competing Hypotheses (ACH) technique to the information currently available through its sources. ACH uses a weighted inconsistency algorithm to assign numeric values – weighted by the assessed reliability and relevance of each data point – to represent how consistent the available evidence is with a given hypothesis. While the aim here was not to provide a conclusive attribution for the WannaCry campaign, this structured analytical technique allows us to assess the reliability and relevance of the data presented thus far, as well as to make some tentative assessments about the type of actor most likely to have been behind last week’s attacks. As such, we compared four hypotheses for the purposes of this exercise: that the campaign was the work of

• A sophisticated financially-motivated cybercriminal actor – H1
• An unsophisticated financially-motivated cybercriminal actor – H2
• A nation state or state-affiliated actor conducting a disruptive operation – H3
• A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4

Using a mixture of primary and secondary reporting, as well as assessments from Digital Shadows analysts, we have included a collection of the most salient data points to have emerged at the time of writing. As well as the widely-discussed use of the DOUBLEPULSAR backdoor dropper, the ETERNALBLUE exploit and the SMB vulnerability (the latter for propagation), we included several other pieces of evidence to drive our assessment. Some of the more significant points included:
• So-called ‘kill-switch’ probably an anti-sandboxing feature – MalwareTech, who discovered the unregistered domain, now believes this was most likely included as a badly thought-out anti-analysis measure.
• Low number of Bitcoin wallets, a result of an unintentional bug – Symantec have reported that the creation of only three Bitcoin wallets for victims to transfer payment into was the result of a bug in the malware’s code, referred to as a race condition.
• No evidence that the malware was delivered via phishing emails – IBM X-Force, for example, scanned over one billion emails passing through its honeypots and found no evidence suggesting spam/phishing was the initial infection vector.
• Unconfirmed links to Lazarus Group and North Korean campaigns – Some researchers have now claimed that WannaCry contained pieces of code previously associated with the Lazarus Group, as well as with two malware variants (called Joanap and Brambul) used in attacks against South Korean organisations. This connection, however, was assessed to be based primarily on the ordering of ciphers and public libraries used by the Lazarus Group and was inconclusive at the time of writing.
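As an added illustration of the weighted-inconsistency arithmetic described earlier (this is not part of the Digital Shadows analysis), the following Python scores H1 to H4 against the data points above: each data point is given a credibility and a relevance level, and only ratings that contradict a hypothesis count against it. The level weights, the rating scale and every rating in the matrix are constructed for illustration and assumed here, not the analysts' actual values.

```python
"""Weighted-inconsistency scoring in the style of ACH (added, simplified example)."""
# Rating scale: only inconsistent ratings count against a hypothesis.
# II = strongly inconsistent, I = inconsistent, N = neutral, C/CC = consistent.
INCONSISTENCY = {"II": 2, "I": 1, "N": 0, "C": 0, "CC": 0}
LEVEL = {"low": 1, "medium": 2, "high": 3}   # assumed credibility/relevance weights
HYPOTHESES = ("H1", "H2", "H3", "H4")        # as defined in the article

# Constructed, illustrative rows: (data point, credibility, relevance, ratings H1..H4).
# These are NOT Digital Shadows' matrix; they only show the arithmetic.
EVIDENCE = [
    ("kill-switch looks like a botched anti-sandbox check", "medium", "high", ("I", "CC", "I", "N")),
    ("only three Bitcoin wallets, caused by a race-condition bug", "high", "high", ("II", "CC", "N", "I")),
    ("no phishing vector found; spread via ETERNALBLUE over SMB", "high", "medium", ("C", "N", "C", "C")),
    ("unconfirmed code overlap with Lazarus Group tooling", "low", "medium", ("I", "I", "C", "N")),
    ("victims who paid reportedly received no decryption keys", "medium", "high", ("II", "C", "C", "N")),
]

def penalties(row):
    """Weighted inconsistency one data point contributes to each hypothesis."""
    _, credibility, relevance, ratings = row
    weight = LEVEL[credibility] * LEVEL[relevance]
    return {h: INCONSISTENCY[r] * weight for h, r in zip(HYPOTHESES, ratings)}

def score(evidence=EVIDENCE):
    """Total weighted inconsistency per hypothesis; lower means fewer contradictions."""
    totals = dict.fromkeys(HYPOTHESES, 0)
    for row in evidence:
        for h, p in penalties(row).items():
            totals[h] += p
    return totals

def rank(evidence=EVIDENCE):
    """Hypotheses ordered from least to most weighted inconsistency."""
    totals = score(evidence)
    return sorted(HYPOTHESES, key=totals.__getitem__)

def non_diagnostic(evidence=EVIDENCE):
    """Data points that penalise every hypothesis equally and so cannot discriminate."""
    return [row[0] for row in evidence if len(set(penalties(row).values())) == 1]

if __name__ == "__main__":
    totals = score()
    for h in rank():
        print(f"{h}: weighted inconsistency {totals[h]}")
    print("non-diagnostic:", non_diagnostic())
```

Because the matrix is constructed, the ranking it produces proves nothing about WannaCry; the useful part is the mechanics, in particular that a data point which penalises every hypothesis equally (here, the absence of a phishing vector) adds nothing to the comparison and should be revisited or dropped.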
Though by no means definitive, we assessed that a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available. While there were numerous data points that were consistent with this assessment, a few stand out:

• Coordination and implementation of the campaign was relatively poor: victims who paid reportedly did not receive decryption keys
• No discernible pattern to the organisations that were targeted
• Only three Bitcoin wallets were created for the receipt of payment
• An inability to monetise effectively
• Failed anti-sandboxing measure and race condition bug

These inconsistencies are not errors we normally associate with a sophisticated cybercriminal operation. The Carbanak (AKA Anunak) organised criminal group, in comparison, are known for conducting highly-targeted, lucrative and efficient operations relying on the strategic use of social