Global cyberattack disrupts net

Discussion in 'General scam news' started by Sapphire's Strike, May 12, 2017.

  1. Sapphire's Strike

    Sapphire's Strike Administrator Staff Member

    A major incident has been declared after NHS services across England and Scotland were hit by a large-scale cyber-attack.

    Staff cannot access patient data, which has been scrambled by ransomware. There is no evidence patient data has been compromised, NHS Digital has said.

    The BBC understands up to 25 NHS organisations and some GP practices have been affected.

    It comes amid reports of cyber-attacks affecting organisations worldwide. (Clicky goes to http://www.bbc.co.uk/news/technology-39901382 )

    Ambulances have been diverted and there has been disruption at some GP surgeries as a result of the attack.

    NHS England said patients in an emergency should go to A&E or access emergency services as they normally would.

    Dr Anne Rainsberry, NHS incident director, added: "More widely, we ask people to use the NHS wisely while we deal with this major incident, which is still ongoing."

    Prime Minister Theresa May is being kept informed of the situation, while Health Secretary Jeremy Hunt is being briefed by the National Cyber Security Centre.

    Patient safety
    NHS Digital said the ransomware attack was not "specifically targeted at the NHS" and was affecting other organisations.

    A massive ransomware campaign appears to have attacked a number of organisations around the world.

    Screenshots of a well known program that locks computers and demands a payment in Bitcoin have been shared online by those claiming to be affected.

    The NHS in Wales and Northern Ireland has not been affected.

    NHS Digital said the attack was believed to be carried out by the malware variant Wanna Decryptor.

    "NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected.

    "Our focus is on supporting organisations to manage the incident swiftly and decisively, but we will continue to communicate with NHS colleagues and will share more information as it becomes available."

    See more & watch videos: http://www.bbc.co.uk/news/health-39899646
     
  2. De Master Yoda

    De Master Yoda Administrator Staff Member

    Massive ransomware infection hits computers in 99 countries.
    http://www.bbc.com/news/technology-39901382

    By Chris Baraniuk Technology reporter

    A massive cyber-attack using tools believed to have been developed by the US National Security Agency has struck organisations around the world.

    Computers in thousands of locations have been locked by a programme that demands $300 (£230) in Bitcoin.

    In April hackers known as The Shadow Brokers claimed to have stolen the tools and released them online.

    Microsoft released a patch for the vulnerability in March, but many systems may not have been updated.

    How big is the attack?
    There have been reports of infections in 99 countries, including the UK, US, China, Russia, Spain, Italy and Taiwan.

    Cyber-security firm Avast said it had seen 75,000 cases of the ransomware - known as WannaCry and variants of that name - around the world.

    "This is huge," said Jakub Kroustek at Avast.

    Many researchers say the incidents appear to be linked, but say it may not be a coordinated attack on specific targets.

    Meanwhile wallets for the digital cryptocurrency Bitcoin that were seemingly associated with the ransomware were reported to have started filling up with cash.

    Who has been affected?
    The UK's National Health Service (NHS) has been hit and screenshots of the WannaCry program were shared by NHS staff.

    Hospitals and doctors' surgeries were forced to turn away patients and cancel appointments. One NHS worker told the BBC that patients would "almost certainly suffer and die" as a result.

    Some reports said Russia had seen more infections than any other single country. Russia's interior ministry said it had "localised the virus" following an "attack on personal computers using Windows operating system".

    People tweeted photos of affected computers including a local railway ticket machine in Germany and a university computer lab in Italy.

    A number of Spanish firms - including telecoms giant Telefonica, power firm Iberdrola and utility provider Gas Natural - suffered from the outbreak. There were reports that staff at the firms were told to turn off their computers.

    Portugal Telecom, delivery company FedEx, a Swedish local authority and Megafon, the second largest mobile phone network in Russia, also said they had been affected.

    Who is behind the attack?
    Some experts say the attack may have been built to exploit a weakness in Microsoft systems that was identified by the NSA and given the name EternalBlue.

    The NSA tools were then stolen by a group of hackers known as The Shadow Brokers, who then attempted to sell the encrypted cache in an online auction.

    However they subsequently made the tools freely available, releasing a password for the encryption on 8 April.

    The hackers said they had published the password as a "protest" about US President Donald Trump.

    At the time, some cyber-security experts said some of the malware was real, but old.

    A patch for the vulnerability was released by Microsoft in March, but many systems may not have had the update installed.

    Microsoft said on Friday its engineers had added detection and protection against WannaCrypt. The company was providing assistance to customers, it added.

    How does the malware work?
    Some security researchers have pointed out that the infections seem to be deployed via a worm - a program that spreads by itself between computers.

    Unlike many other malicious programs, this one has the ability to move around a network by itself. Most others rely on humans to spread by tricking them into clicking on an attachment harbouring the attack code.

    By contrast, once WannaCry is inside an organisation it will hunt down vulnerable machines and infect them too. This perhaps explains why its impact is so public - because large numbers of machines at each victim organisation are being compromised.
     
  3. Central Scrutinizer

    Central Scrutinizer Administrator Staff Member

    Yeah, this is way bigger than just the UK.
     
  4. Hua Mulan

    Hua Mulan Administrator Staff Member

    http://www.straitstimes.com/world/europe/hospitals-across-britain-hit-by-large-scale-cyber-attack

    Global cyberattack disrupts shipper FedEx, British health system

    LONDON/MADRID (REUTERS) – A global cyberattack leveraging hacking tools widely believed by researchers to have been developed by the US National Security Agency hit international shipper FedEx, disrupted Britain’s health system and infected computers in dozens of other countries on Friday (May 12).

    Russian cyber security software maker Kaspersky Lab said its researchers had observed more than 45,000 attacks in 74 countries as of early on Friday, although it expected the numbers to increase.

    British hospitals and clinics were forced to turn away patients because their computers were infected by a pernicious new form of “ransomware” that rapidly spread across the globe, demanding payments of as much as US$600 (S$840) to restore access and scrambling data.

    Leading international shipper FedEx said it was one of the companies whose Microsoft Windows system was infected with the malware that security firms said was delivered via spam emails.

    Only a small number of US-headquartered organisations were infected because the hackers appear to have begun the campaign by targeting organisations in Europe, said Vikram Thakur, research manager with security software maker Symantec.

    By the time they turned their attention to US organisations, spam filters had identified the new threat and flagged the ransomware-laden e-mails as malicious, Thakur said.

    “Like many other companies, FedEx is experiencing interference with some of our Windows-based systems caused by malware,” a spokeswoman said in a statement. “We are implementing remediation steps as quickly as possible.”

    Telecommunications company Telefonica was among many targets in Spain, though it said the attack was limited to some computers on an internal network and had not affected clients or services. Portugal Telecom and Telefonica Argentina both said they were also targeted in the attacks.

    Private security firms identified the ransomware as a new variant of WannaCry that had the ability to automatically spread across large networks by exploiting a known bug in Microsoft’s Windows operating system. “Once it gets in and starts moving across the infrastructure, there is no way to stop it,” said Adam Meyers, a researcher with cyber security firm CrowdStrike.

    The hackers, who have not come forward to claim responsibility or otherwise been identified, likely made it a “worm,” or self spreading malware, by exploiting a piece of NSA code known as Eternal Blue that was released last month by a group known as the Shadow Brokers, researchers with several private cyber security firms said.

    “This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

    The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the US spy agency.

    Microsoft on Friday said it was pushing out automatic Windows updates to defend clients from WannaCry. It issued a patch on March 14 to protect them from Eternal Blue.

    “Today, our engineers added detection and protection against new malicious software known as Ransom:Win32.WannaCrypt,” a Microsoft spokesman said in a statement. It said the company was working with its customers to provide additional assistance.

    SENSITIVE TIMING
    The spread of the ransomware capped a week of cyber turmoil in Europe that kicked off a week earlier when hackers posted a huge trove of campaign documents tied to French candidate Emmanuel Macron just 36 hours before a run-off vote in which he was elected as the new president of France.

    On Wednesday, hackers disrupted the websites of several French media companies and aerospace giant Airbus.

    Also, the hack happened four weeks before a British parliamentary election in which national security and the management of the state-run National Health Service (NHS) are important campaign themes.

    Authorities in Britain have been braced for possible cyberattacks in the run-up to the vote, as happened during last year’s US election and on the eve of this month’s presidential vote in France.

    But those attacks – blamed on Russia, which has repeatedly denied them – followed an entirely different modus operandi involving penetrating the accounts of individuals and political organisations and then releasing hacked material online.

    On Friday, around 1,000 computers at the Russian Interior Ministry were affected by the cyberattack, a spokeswoman for the ministry told Interfax.

    NEW BREED OF RANSOMWARE
    Although cyber extortion cases have been rising for several years, they have to date affected small-to-mid sized organisations, disrupting services provided by hospitals, police departments, public transportation systems and utilities in the United States and Europe.

    “Seeing a large telco like Telefonica get hit is going to get everybody worried. Now ransomware is affecting larger companies with more sophisticated security operations,” Chris Wysopal, chief technology officer with cyber security firm Veracode, said.

    The news is also likely to embolden cyber extortionists when selecting targets, Chris Camacho, chief strategy officer with cyber intelligence firm Flashpoint, said. “Now that the cyber criminals know they can hit the big guys, they will start to target big corporations. And some of them may not be well prepared for such attacks,” Camacho said.

    In Spain, some big firms took pre-emptive steps to thwart ransomware attacks following a warning from Spain’s National Cryptology Centre of “a massive ransomware attack.”

    Iberdrola and Gas Natural, along with Vodafone’s unit in Spain, asked staff to turn off computers or cut off internet access in case they had been compromised, representatives from the firms said.

    In Spain, the attacks did not disrupt the provision of services or networks operations of the victims, the government said in a statement.
     
  5. toper01

    toper01 Moderator Staff Member

    The WannaCry ransomware (also known as WCry or WCrypt or Wana Decryptor) burst onto the scene spectacularly today after NHS hospitals across the UK ground to a standstill, as the ransomware encrypted files and caused staff to cancel operations.

    I can only imagine the chaos.

    As you can imagine it's "been a bit busy" here too. Every time I try to write something the media grab me for an interview, and I spent an hour or so in a BBC studio in Oxford while they tried to work out why they couldn't beam me live down the wire to their studios in London.

    (They never did find out what the gremlins were, but thought it "probably" wasn't the WannaCry ransomware.)

    The NHS wasn't targeted. They're just a huge organisation which has had insufficient investment in computer security over the years. In short, it has a lot of computers and at least some of them weren't able to withstand an attack like this.

    The state of the NHS's cybersecurity becomes obvious when you consider that it still relies heavily on computers running Windows XP, which Microsoft started to tell people to dump way back in 2007, and finally stopped patching in April 2014.

    If you were still running Windows XP after that date - well, you had something bad coming to you.

    The UK Government did end up paying Microsoft over £5.5 million of taxpayers' money to receive support and security updates for a further 12 months after April 2014 (did they not pay any attention to Microsoft's warnings since 2007?) but that really was the last chance saloon.

    But it would be wrong to think that the NHS was targeted. They weren't. This is extortion - 21st century style. The bad guys release ransomware (in this case carried by a worm which exploits a vulnerability), and their intention is to infect as many PCs as possible to make as much cash as possible.

    Hitting the NHS wasn't necessarily their intention, but it is a soft target due to its poor defences. And, of course, the implications of a widespread NHS infection are felt by many people.

    Meanwhile, other organisations in other countries were also impacted. For instance, Telefonica in Spain, and FedEx.

    WannaCry appears to have spread at an astonishing pace because it has been spread by a worm exploiting a Microsoft vulnerability - MS17-010. Once one computer in your organisation is hit, the worm hunts for other vulnerable computers to attack.

    Before you know it, you've got a big problem.

    You probably don't care about this if you've had your computers hit by WannaCry, but the story behind the MS17-010 vulnerability is an interesting one.

    The vulnerability was first found by the NSA. However, they chose not to tell Microsoft about it. (Which is a shame, because that would have meant computers would have been patched earlier).

    Instead, the intelligence agencies kept the details of the exploitable vulnerability to themselves, so they could use it to infiltrate computers and spy upon them. They dubbed the exploit "ETERNALBLUE".

    However, a group of hackers called the Shadow Brokers stole details of this and other exploits used by US intelligence agencies, put them up for sale, opening the door for other criminals to exploit the vulnerabilities.

    Microsoft responded with a patch, but wouldn't it have been better if the NSA had done the decent thing for all of us on the internet and told Microsoft about the flaw as soon as they discovered it?

    Sometimes you protect your country best not by spying on others, but by ensuring that everyone in the world (including the people you may want to snoop on) is better defended.
    https://www.grahamcluley.com/wannacry-ransomware-hits-systems-worldwide/
     
  6. toper01

    toper01 Moderator Staff Member

    An “accidental hero” has halted the global spread of the WannaCry ransomware that has wreaked havoc on organizations including the UK’s National Health Service (NHS), FedEx and Telefonica.

    A cybersecurity researcher tweeting as @malwaretechblog, with the help of Darien Huss from security firm Proofpoint, found and implemented a “kill switch” in the malicious software that was based on a cyber-weapon stolen from the NSA.

    The kill switch was hardcoded into the malware in case the creator wanted to stop it from spreading. This involved a very long nonsensical domain name that the malware makes a request to – just as if it was looking up any website – and if the request comes back and shows that the domain is live, the kill switch takes effect and the malware stops spreading.

    Of course, this relies on the creator of the malware registering the specific domain. In this case, the creator failed to do this. And @malwaretechblog did early this morning (Pacific Time), stopping the rapid proliferation of the ransomware.

    “They get the accidental hero award of the day,” said Proofpoint’s Ryan Kalember. “They didn’t realize how much it probably slowed down the spread of this ransomware.”

    The time that @malwaretechblog registered the domain was too late to help Europe and Asia, where many organizations were affected. But it gave people in the US more time to develop immunity to the attack by patching their systems before they were infected, said Kalember.

    The kill switch won’t help anyone whose computer is already infected with the ransomware, and it’s possible that there are other variances of the malware with different kill switches that will continue to spread.

    The malware was made available online on 14 April through a dump by a group called Shadow Brokers, which claimed last year to have stolen a cache of “cyber weapons” from the National Security Agency (NSA).

    Ransomware is a type of malware that encrypts a user’s data, then demands payment in exchange for unlocking the data. This attack was caused by a bug called “WanaCrypt0r 2.0” or WannaCry, that exploits a vulnerability in Windows. Microsoft released a patch (a software update that fixes the problem) for the flaw in March, but computers that have not installed the security update remain vulnerable.
    https://www.theguardian.com/technol...spread-of-ransomware-cyber-attack?CMP=soc_567
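An added example, not from the article or the forum post: the kill switch described above means an infected host looks up the hardcoded domain before it decides whether to keep spreading, so a resolver's query log tells a defender which internal hosts have already run the malware and whether the lookup succeeded for them (a host whose check failed got no benefit from the kill switch). The domain, the log format and the log lines below are placeholders and constructed samples, not the real indicator.

```python
"""Triage resolver query logs for kill-switch lookups (added example).

Assumptions: KILL_SWITCH_DOMAIN is a PLACEHOLDER, not the real domain, and
the log format "<ts> <client_ip> query <qname> <qtype> -> <rcode>" is a
constructed one; adapt LOG_RE to your resolver's actual format.
"""
import re
from dataclasses import dataclass

KILL_SWITCH_DOMAIN = "killswitch-domain-placeholder.example"  # placeholder

LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\d{1,3}(?:\.\d{1,3}){3})\s+query\s+"
    r"(?P<qname>\S+?)\.?\s+(?P<qtype>[A-Z]+)\s+->\s+(?P<rcode>[A-Z]+)$"
)


@dataclass
class HostTriage:
    """Per-host view of kill-switch lookups seen in the log."""
    first_seen: str
    checked_in: int = 0    # lookups answered NOERROR: the kill switch could take effect
    check_failed: int = 0  # NXDOMAIN/SERVFAIL etc.: no kill-switch benefit on this host


def parse_line(line):
    """Parse one log line into a dict, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def triage(lines, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: HostTriage} for every host that queried `domain`.

    Any query for the domain means the host has already executed the malware,
    whatever the response was. Matching ignores case and a trailing dot because
    resolvers log FQDNs in both forms. Hosts with no outbound DNS at all never
    appear here and must be found by other means.
    """
    wanted = domain.lower().rstrip(".")
    hosts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["qname"].lower().rstrip(".") != wanted:
            continue
        host = hosts.setdefault(rec["client"], HostTriage(first_seen=rec["ts"]))
        if rec["rcode"] == "NOERROR":
            host.checked_in += 1
        else:
            host.check_failed += 1
    return hosts


def prioritise(hosts):
    """Order infected hosts for response: those whose check never succeeded
    first (the kill switch did not stop them), earliest sighting first."""
    return sorted(hosts, key=lambda ip: (hosts[ip].checked_in > 0, hosts[ip].first_seen))


# Constructed sample log: the early lookups fail because the domain was not
# yet registered; the evening lookup succeeds after it was sinkholed.
SAMPLE_LOG = [
    "2017-05-12T10:01:03Z 10.20.1.15 query killswitch-domain-placeholder.example A -> NXDOMAIN",
    "2017-05-12T10:01:09Z 10.20.1.15 query killswitch-domain-placeholder.example A -> NXDOMAIN",
    "2017-05-12T10:02:41Z 10.20.1.22 query www.example.net A -> NOERROR",
    "2017-05-12T18:30:00Z 10.20.3.7 query KILLSWITCH-DOMAIN-PLACEHOLDER.example. A -> NOERROR",
    "2017-05-12T18:31:12Z 10.20.3.9 query killswitch-domain-placeholder.example A -> SERVFAIL",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip in prioritise(found):
        h = found[ip]
        print(f"{ip}: first seen {h.first_seen}, ok={h.checked_in}, failed={h.check_failed}")
```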
     
  7. Central Scrutinizer

    Central Scrutinizer Administrator Staff Member

    http://www.huffingtonpost.com/entry...4b00f308cf5a517?ja6&ncid=inblnkushpmg00000009

    Global Cyber Attack Eases Due To One Researcher’s Quick Thinking

    Schools and hospitals were among those targeted, and attacks ramped up this week.

    A global cyber attack forced a European carmaker to halt some production lines, hit Russian computers with more than half of suspected infections, struck schools in China and hospitals in Indonesia, though it appeared to be dying down on Saturday.

    Capitalizing on spying tools believed to have been developed by the U.S. National Security Agency, the cyber assault launched on Friday has infected tens of thousands of computers in 104 countries, with Britain’s health system suffering the worst known disruptions.

    Researchers with Czech Republic-based security software maker Avast said they had observed more than 126,000 ransomware infections, with 60 percent of infected computers located in Russia, followed by Ukraine and Taiwan.

    Cyber extortionists tricked victims into opening malicious malware attachments to spam emails that seemed to contain invoices, job offers, security warnings and other legitimate files.

    Once inside the targeted network, so-called ransomware made use of recently revealed spy tools to silently infect other out-of-date machines without any human intervention. This, security experts said, marked an unprecedented escalation in the risk of fresh attacks spreading in the coming days and weeks.

    The ransomware encrypted data on the computers, demanding payments of $300 to $600 to restore access. Researchers observed some victims paying via the digital currency bitcoin, though no one knows how much may have been transferred to extortionists because of the largely anonymous nature of such transactions.

    The hackers, who have not come forward to claim responsibility or otherwise been identified, took advantage of a worm, or self-spreading malware, by exploiting a piece of NSA spy code known as “Eternal Blue” that was released last month by a hackers group known as the Shadow Brokers, according to researchers with several private cyber security firms.

    Renault said it had halted auto production at several sites including Sandouville in northwestern France and plants of Renault-owned Dacia of Romania on Saturday to prevent the spread of ransomware in its systems.

    Nissan’s manufacturing plant in Sunderland, northeast England, was also affected by the cyber assault though “there has been no major impact on our business”, a spokesman for the Japanese carmaker said.

    German rail operator Deutsche Bahn [DBN.UL] said some electronic signs at stations announcing arrivals and departures were infected, with travelers posting pictures showing some bearing a message demanding a cash payment to restore access.

    “UNPRECEDENTED” ATTACK EASES

    Europol’s European Cybercrime Centre said it was working closely with country investigators and private security firms to combat the threat and help victims.

    “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits,” it said in a statement.

    Some experts said the threat had receded for now, in part because a British-based researcher, who declined to give his name, registered a domain that he noticed the malware was trying to connect to, and so limited the worm’s spread.

    “We are on a downward slope, the infections are extremely few, because the malware is not able to connect to the registered domain,” Vikram Thakur, principal research manager at Symantec, said as the threat subsided.

    Researchers are racing against the clock to try to decrypt infected computers and recover access to victims’ files before the malicious code’s ransom deadline expires in two days. But so far several said they have found no way to break the encryption.

    The attackers may yet tweak the code and restart the cycle. The researcher in Britain widely credited with foiling the ransomware’s proliferation told Reuters he had not seen any such tweaks yet, “but they will (happen).”

    Finance ministers and central bank governors of seven leading world economies meeting for a G7 conference in Italy on Saturday will pledge stronger cooperation against cyber crime, a draft communique showed.

    HOSPITALS IN FIRING LINE
    In Asia, some hospitals, schools, universities and other institutions were affected, though the full extent of the damage is not yet known.

    “I believe many companies have not yet noticed,” said William Saito, a cyber security adviser to Japan’s government. “Things could likely emerge on Monday” as staff return to work.

    China’s information security watchdog said “a portion” of Windows systems users in the country were infected, according to a notice posted on the official Weibo page of the Beijing branch of the Public Security Bureau on Saturday. Xinhua state news agency said some secondary schools and universities were hit.

    The most disruptive attacks were reported in Britain, where hospitals and clinics were forced to turn away patients after losing access to computers on Friday.

    The health system has largely recovered from the disruption, interior minister Amber Rudd said on Saturday after a meeting of the government crisis response committee.

    International shipper FedEx Corp said some of its Windows computers were also breached. “We are implementing remediation steps as quickly as possible,” a statement said.

    Telecommunications company Telefonica was among many targets in Spain. Portugal Telecom and Telefonica Argentina both said they were also targeted.

    The hackers appear to have begun the campaign on targets in Europe, said Thakur, so by the time they turned their attention to the United States, spam filters had identified the new threat, diminishing the impact.

    MICROSOFT BOLSTERS WINDOWS DEFENSES
    Private security firms identified the ransomware as a new variant of “WannaCry” that could spread across large networks by exploiting a known bug in Microsoft’s Windows operating system.

    “This is one of the largest global ransomware attacks the cyber community has ever seen,” said Rich Barger, director of threat research with Splunk, one of the firms that linked WannaCry to the NSA.

    The Shadow Brokers released Eternal Blue as part of a trove of hacking tools that they said belonged to the U.S. spy agency.

    The attack targeted Windows computers that had not installed patches released by Microsoft in March, or older machines running software that Microsoft no longer supports, including the 16-year-old Windows XP system, researchers said.

    Microsoft said it had pushed out automatic Windows updates to defend existing clients from WannaCry. It had issued a patch on March 14 to protect them from Eternal Blue. Late on Friday, Microsoft also released patches for a range of long discontinued software, including Windows XP and Windows Server 2003.

    POLITICALLY SENSITIVE TIMING
    The spread of the ransomware capped a week of cyber turmoil in Europe that began when hackers posted a trove of campaign documents tied to French candidate Emmanuel Macron just before a run-off vote in which he was elected president of France.

    The hack happened four weeks before a British general election in which national security and the management of the state-run National Health Service are important issues.

    Authorities in Britain have been braced for cyber attacks in the run-up to the election, as happened during last year’s U.S. election and on the eve of the French run-off vote on May 7.

    But those attacks - blamed on Russia, which has repeatedly denied them - followed a different modus operandi involving penetrating the accounts of individuals and political organizations and then releasing hacked material online.

    On Friday, Russia’s interior and emergencies ministries, as well as its biggest bank, Sberbank, said they were targeted by ransomware. The interior ministry said about 1,000 computers had been infected but it had localized the virus.

    (Additional reporting by Kiyoshi Takenaka, Jim Finkle, Eric Auchard, Jose Rodriguez, Alistair Smout, Andrea Shalal, Jack Stubbs, Antonella Cinelli, Dustin Volz, Kate Holton, Andy Bruce, Michael Holden, David Milliken, Rosalba O’Brien, Julien Toyer, Tim Hepher, Luiza Ilie, Patricia Rua, Axel Bugge, Sabine Siebold and Eric Walsh, Engen Tham, Fransiska Nangoy, Soyoung Kim, Mai Nguyen; editing by Mark Heinrich and Ros Russell)
     
  8. De Master Yoda

    De Master Yoda Administrator Staff Member

    Another major cyber-attack could be imminent after Friday's global hit that infected more than 120,000 computer systems, security experts have warned.

    Folks please do Antivirus updates ASAP. Especially if you are running any Windows programs and do not click on anything you are not sure of. Thank you.

    UPDATE!!! Microsoft has released patches to stop further attacks from this malware. They have even released a patch for Windows XP.
    Details here: https://support.microsoft.com/en-us...onfigure-and-use-automatic-updates-in-windows
     
  9. Kat

    Kat Administrator Staff Member

    http://www.bbc.com/news/technology-39931635

    WannaCry ransomware cyber-attack 'may have N Korea link'

    Dave Lee North America technology reporter
    16 May 2017

    Who was behind the huge global cyber-attack? One prominent theory right now is North Korea - but what we know is far from conclusive.

    You may not have heard of the Lazarus Group, but you may be aware of its work. The devastating hack on Sony Pictures in 2014, and another on a Bangladeshi bank in 2016, have both been attributed to the highly sophisticated group.

    It is widely believed that the Lazarus Group worked out of China, but on behalf of the North Koreans.

    Security experts are now cautiously linking the Lazarus Group to this latest attack after a discovery by Google security researcher Neel Mehta. He found similarities between code found within WannaCry - the software used in the hack - and other tools believed to have been created by the Lazarus Group in the past.

    It's a mere sliver of evidence, but there are other clues to consider too.

    Picking apart the code
    Prof Alan Woodward, a security expert, pointed out to me that the text demanding the ransom uses what reads like machine-translated English, with a Chinese segment apparently written by a native speaker.

    "As you can see it's pretty thin and all circumstantial," Prof Woodward said.

    "However, it's worth further investigation."

    "Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” said Russian security firm Kaspersky, but noted a lot more information is needed about earlier versions of WannaCry before any firm conclusion can be reached.

    "We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” the company added.

    "Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus Group.

    "In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots."

    Attributing cyber-attacks can be notoriously difficult - often relying on consensus rather than confirmation.

    For example, North Korea has never admitted any involvement in the Sony Pictures hack - and while security researchers, and the US government, have confidence in the theory, neither can rule out the possibility of a false flag.

    Skilled hackers may have simply made it look like it had origins in North Korea by using similar techniques.

    'Wouldn’t stand up in court'
    In the case of WannaCry, it is possible that hackers simply copied code from earlier attacks by the Lazarus Group.

    But Kaspersky said false flags within WannaCry were "possible" but "improbable", as the shared code was removed from later versions.

    "There's a lot of ifs in there," added Prof Woodward.

    "It wouldn't stand up in court as it is. But it's worth looking deeper, being conscious of confirmation bias now that North Korea has been identified as a possibility."

    It’s the strongest theory yet as to the origin of WannaCry, but there are also details that arguably point away from it being the work of North Korea.

    First, China was among the countries worst hit, and not accidentally - the hackers made sure there was a version of the ransom note written in Chinese. It seems unlikely North Korea would want to antagonise its strongest ally. Russia too was badly affected.

    Second, North Korean cyber-attacks have typically been far more targeted, often with a political goal in mind.

    In the case of Sony Pictures, hackers sought to prevent the release of The Interview, a film that mocked North Korean leader Kim Jong-un. WannaCry, in contrast, was wildly indiscriminate - it would infect anything and everything it could.

    Finally, if the plan was simply to make money, it’s been pretty unsuccessful on that front too - only around $60,000 (£46,500) has been paid in ransoms, according to analysis of Bitcoin accounts being used by the criminals.

    With more than 200,000 machines infected, it's a terrible return. But then of course, maybe the ransom was a distraction for some other political goal not yet clear.

    Another possibility is that the Lazarus Group worked alone, without instruction from North Korea. Indeed, it could be that the Lazarus Group isn’t even linked to North Korea.

    More questions than answers - and in cyber-war, facts are extremely hard to come by.
     