TRENDING
Kaspersky Lab’s map shows the geographical target distribution according to their telemetry for the first few
hours of the attack. The map indicates South Africa suffered the largest hit of the continent.
engineering attacks and network
intrusions that more resemble the
tactics used by Advanced Persistent
Threat (APT) groups.
H3 and H4, which posit that
the campaign was the work of a
state-affiliated actor, also contain
inconsistencies, as follows:
• If the attacks were aimed to discredit
the NSA (H4), then why the lack of a
supporting media narrative driving this
message home? In the 2016 attacks
on the US Presidential election, for
example, network intrusions against
the Democratic Party and subsequent
data leaks were accompanied by blog
posts and media commentary critical
of Hillary Clinton. Were this to be a
nation state campaign intended to
cause disruption (H3), we would
also expect to see some level of
target specification alongside clear
campaign objectives.
• During their previous destructive
campaigns, the Lazarus Group, for
example, have generally displayed
a consistent level of geographic
targeting – primarily against
organisations in South Korea and the
US. Specific industries such as media
companies, financial institutions and
critical national infrastructure have
been the main targets of attack, but
in the case of WannaCry, infections
were widely distributed across the
world and the malware appeared to
spread virtually indiscriminately with
no control by its operators. Had the
attackers used a phishing vector,
they would have been able to limit
the malware’s capability to spread
outside a network and instead use
spear phishing emails to target
selected organisations.
Such tactics would have been more
consistent with the activities of a
sophisticated criminal outfit or
a technically-competent
nation-state actor.

It is entirely possible that new
information will come to light in
future that further supports, or even
discredits, some of the hypotheses
proposed in this exercise. While
attribution may be exciting and fulfil
our insatiable desire to put a face
to the crime, perhaps what is more
important in this instance is reviewing
what lessons we can learn from the
WannaCry campaign.
For this we advise checking out the
recent blog from the Digital Shadows
Security Engineering Team, which
outlines five fundamental and widely
used security principles that are
reusable across different types of
attackers, be it nation-state or
petty cybercriminal.

WannaCry in Africa
South Africa is leading among
the countries affected in
Africa, with approximately
83 websites infected,
followed by Ivory Coast and
Nigeria. Egypt, Algeria and
Morocco complete the top
six countries, while only a
small number of attacks
have been located in the rest
of the continent. The most
attacked sector in the region
was healthcare, similar to
what was seen in the UK, and
large companies were also
the most targeted, according
to data compiled by security
company Fortinet.
www.intelligentcio.com