Group Behind Leak of Tools Used in Ransomware Attack Says Ready to Sell More Code

The hacker group behind the leak of cyber spying tools from the U.S. National Security Agency, which were used in last week’s “ransomware” cyberattack, says it has more code that it plans to start selling through a subscription service launching next month.

The group known as Shadow Brokers posted a statement online Tuesday saying the new data dumps could include exploits for Microsoft’s Windows 10 operating system, and for web browsers and cell phones, as well as “compromised network data from Russian, Chinese, Iranian or North Korean nukes and missile programs.”

Shadow Brokers tried unsuccessfully last year to auction off cyber tools it said were stolen from the NSA.

The WannaCry ransomware virus exploited a vulnerability in Microsoft’s older Windows XP operating system. The company had largely stopped offering support such as security updates for Windows XP, but it did release a patch to protect users against the attack, which demanded that people pay to avoid losing their data.

There is no definitive evidence yet of who used the NSA tools to build WannaCry.

Cybersecurity experts say the technical evidence linking North Korea to the cyberattack is somewhat tenuous, but Pyongyang has the advanced cyber capabilities, and the motive to compensate for lost revenue due to economic sanctions, to be considered a likely suspect.

Since Friday, the WannaCry virus has infected more than 300,000 computers in 150 countries, at least temporarily paralyzing factories, banks, government agencies, hospitals and transportation systems.

On Monday, analysts with the cybersecurity firms Symantec and Kaspersky Lab said some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which has been identified by some industry experts as a North Korea-run hacking operation.

“Right now we’ve uncovered a couple of what we would call weak indicators or weak links between WannaCry and this group that’s been previously known as Lazarus. Lazarus was behind the attacks on Sony and the Bangladesh banks for example. But these indicators are not enough to definitively say it’s Lazarus at all,” said Symantec Researcher Eric Chien.

Bureau 121

Symantec has linked the Lazarus group to a number of cyberattacks on banks in Asia dating back years, including the digital theft of $81 million from Bangladesh’s central bank last year. 

The U.S. government blamed North Korea for the hack on Sony Pictures Entertainment that leaked damaging personal information after Pyongyang threatened “merciless countermeasures” if the studio released a dark comedy movie that portrayed the assassination of Kim Jong Un. South Korea has also accused the North of attempting to breach the cybersecurity of its banks, broadcasters and power plants on numerous occasions.

Pyongyang is believed to have thousands of highly trained computer experts working for a cyberwarfare unit called Bureau 121, which is part of the General Bureau of Reconnaissance, an elite spy agency run by the military. There have been reports the Lazarus group is affiliated with Bureau 121. Some alleged North Korean-related cyberattacks have also been traced back to a hotel in Shenyang, China near the Korean border.

“Mostly they hack directly, but they hack other countries first and transfer [the data] so various other countries are found when we trace back, but a specific IP address located in Pyongyang can be found in the end,” said Choi Sang-myung, a senior director of the cybersecurity firm Hauri Inc. in Seoul.

Ransom

It is not clear if the purpose of the WannaCry malware is to extort payments or to cause widespread damage.

The WannaCry hackers have demanded ransoms from users, starting at $300, and threatened to destroy all data on infected computers if they are not paid. So far the perpetrators have raised less than $70,000, according to Tom Bossert, a homeland security adviser for U.S. President Donald Trump.

The countries most affected by WannaCry to date are Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.

With North Korea suffering under increased economic sanctions for its nuclear and ballistic missile programs, it would not be surprising for it to attempt to make up for lost revenue through illicit cyber theft and extortion. But the WannaCry ransomware is more advanced than anything North Korean hackers have used in the past.

“Previous ransomwares required people to click an attachment in an email or access a specific website to get infected, but this time [computers] can be infected without getting an email or access to a website, just by connecting an Internet cable,” said Choi.

FireEye Inc., another large cybersecurity firm, said it was also investigating but cautious about drawing a link to North Korea.

In addition to past alleged cyberattacks, North Korea has also been accused of counterfeiting $100 bills, which were known as “superdollars” or “supernotes” because the fakes were nearly flawless.

Youmi Kim contributed to this report.