WH: Kim Jong Un behind massive WannaCry malware attack

White House homeland security adviser Tom Bossert said Tuesday that North Korean leader Kim Jong Un ordered the release of WannaCry, the malware attack that spread rapidly throughout hundreds of thousands of computers in 150 countries during a single week in May. 

“We do not make this allegation lightly. We do this with evidence. We do so with partners,” Bossert said during a White House press conference. 

Victims of WannaCry included the British National Health Service, which had to turn away patients during the attacks. Other severely impacted victims included government systems in India and Russia, FedEx and the Spanish telecom Telefónica.

On Monday evening, Bossert wrote an op-ed piece in The Wall Street Journal formally announcing the White House believed WannaCry was the work of North Korean actors. 

At the press conference, Bossert said other nations, including the United Kingdom, Australia, Canada and Japan, as well as private sector partners, including Microsoft, had agreed with the United States assessment that North Korea was behind the attack.  

Bossert said that the goal of the announcement was to “name and shame” the North Korean actors.

“I hope they stop acting badly online,” he said, adding “If they don’t, this president will act on behalf of the United States.” 

He did not claim to know what shape that response would take, saying the Trump administration had tried “every lever short of starving the people of North Korea to death.” 

Security researchers believe the group behind the WannaCry attack was a notorious North Korean hacking operation known as Lazarus. 

The Lazarus group is best known for being suspected of hacking Sony Pictures in late 2014. Later, the group was tied to a series of digital bank heists utilizing the computer system banks use to request transfers, as well as other attacks. Most recently, Lazarus has been tied to phishing attempts on cryptocurrency exchanges. 

U.S. intelligence publicly attributed the Sony attack to North Korea.

{mosads}Links between the Lazarus group and WannaCry were almost immediately discovered by security researchers, who found overlaps in computer code used in previous attacks, the use of extremely uncommon North Korean internet addresses, as well as early versions of WannaCry that were distributed using tools exclusive to the Lazarus team.

In June, The Washington Post reported that the National Security Agency (NSA) had attributed the WannaCry attacks to North Korea. But no public announcement was made until Monday night. 

British officials publicly attributed WannaCry to North Korea in October. 

Bossert said the delay in making the attribution was a sign of the cautious approach the White House took in coming to its final conclusion. 

“If we had gotten it wrong, it would be more a damage to our national security than a boon to do it quickly,” said Bossert. 

He said that the U.S. had intelligence pointing to Kim Jong Un’s command to release the malware. 

WannaCry initially appeared to be ransomware, malware that encrypts files on a system and charges users a bounty to unlock them. But coding and strategic errors made it impossible for victims paying a ransom to retrieve the encrypted files. 

Some experts passed this off as mistakes. Others believed it was an intentional attempt to cause havoc. Bossert hinted the White House stood in the latter camp. 

“They didn’t want to get a lot of money out of it. If they did, they would open computers once people paid,” he said. 

WannaCry was a particularly virulent attack because it used exposed vulnerabilities in old and unpatched Windows systems. Those vulnerabilities are believed to have been discovered and used by the NSA in intelligence operations before being stolen and leaked by a group known as the ShadowBrokers. 

Though the NSA has not confirmed the vulnerabilities were theirs, the Trump administration has since taken several steps to add more transparency to the process that determines which hacking tools the government is allowed to keep secret. 

Reporters pressed Bossert on the reason President Trump would be willing to accept an attribution of WannaCry to North Korea, but hesitant to accept the attribution of the Democratic National Committee hack to Russia. 

Bossert said the White House “stood with a good record” on accepting and responding to Russia. He noted the administration’s recent ban on Moscow-based Kaspersky Lab’s software and the president extending some of the Obama administration’s actions against Russia. 

Homeland Security Assistant Secretary for the Office of Cybersecurity and Communications Jeanette Manfra said at the press conference that the attribution should serve as a call to private sector companies to collaborate with the government on security matters. She specifically praised Facebook and Microsoft for their work in countering North Korean operations. 

Last week, Facebook deleted several accounts used by the Lazarus group in attacks, work the company said it did in conjunction with Microsoft and other private partners. 

“Facebook has a long-standing commitment to security, and we continue to invest in efforts to protect people from cyber threats and keep our platform safe,” the company said in a statement.

“Our adversaries are not distinguishing between public and private. So neither should we,” she said.