
WannaCry: End of Year Retrospective - jgrahamc
https://blog.kryptoslogic.com/malware/2017/12/20/end-of-year.html
======
kodablah
A bit disappointed, but not surprised, that this retrospective chose not to
discuss the origin of the 0day itself.

------
pegas1
"When federal law enforcement is detached from the mission of national
security and focuses (perhaps shortsightedly) on criminalizing certain benign
behaviors, a chilling response from the security community will develop, and
an even greater divide between law enforcement and the security community will
unfold"

------
razakel
No mention of their arrested employee...

------
joering2
I listened to a lot of US gov speaking on the subject past 2 days... but all I
hear is "we believe", "we think", "we know"... without a shred of evidence!

This whole story only missed Secretary of State Colin Powell holding a model
vial of anthrax and we could roll tanks onto North Korean soil already!

~~~
nikcub
There is a lot of independent analysis pointing at North Korea[0][1][2][3]

The infosec industry are _extremely_ skeptical of attribution especially
coming from government - it took a long time for a higher-certainty
attribution to be established in the Sony and Bangladesh reserve bank cases,
and there are still open cases of attribution in other incidents

Along with technical evidence, Wannacry also fits the North Korea m.o of
financial incentive but also incentive to sow chaos[12], as well as how their
attackers operate in Singapore and China and outsource some components.

On the contrary there is little to no evidence pointing anywhere else -
meaning the second best probability of attribution for Wannacry is much
further down the list.

The key difference there is that during the Iraq invasion there was zero
corroborative evidence, the actual weapons inspectors said there was _no_
evidence.

Further - the USA doesn't need a made-up pretext for war with North Korea.
They're technically still at war and North Korea are in violation of UN
Security Council resolutions and treaties (they routed around the UN for Iraq)

North Korea has sunk a ship[4], downed an airliner[5], attacked South Korean
islands[6], tested nuclear weapons, developed a missile program, fired across
the DMZ[7] (as recently again as today[8]), assassinated foreigners on foreign
soil[9], been caught attempting to sell weapons of mass destruction[10], sold
arms to Syria and others in violation of sanctions[11] and more. Either one of
those is a stronger and not made-up pretext for an act of war - and one that
would have much broader support than Iraq ever did.

[0] https://twitter.com/neelmehta/status/864164081116225536?lang=en

[1] https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

[2] https://blog.comae.io/wannacry-links-to-lazarus-group-dcea72c99d2d

[3] https://securelist.com/wannacry-and-lazarus-group-the-missing-link/78431/

[4] https://en.wikipedia.org/wiki/ROKS_Cheonan_sinking

[5] https://en.wikipedia.org/wiki/Korean_Air_Flight_858

[6] https://en.wikipedia.org/wiki/Bombardment_of_Yeonpyeong

[7] http://edition.cnn.com/2017/11/21/asia/north-korea-defector/index.html

[8] http://www.bbc.com/news/world-asia-42435798

[9] https://en.wikipedia.org/wiki/Kim_Jong-nam

[10] http://www.smh.com.au/nsw/alleged-north-korean-agent-arrested-in-sydney-charged-with-trying-to-arrange-sale-of-missile-technology-20171217-h0659d.html

[11] https://qz.com/962995/the-war-in-syria-has-been-great-for-north-korea/

[12] https://securelist.com/lazarus-under-the-hood/77908/

~~~
rando444
No. There is independent analysis pointing at a group called 'Lazarus' which
is believed to be linked to North Korea.

So, it's either a North Korean group, or a group shielding their identities
pretending to be North Korean.

Given the lack of publicly available evidence linking the group to NK, and the
sophistication of the majority of the things attributed to them, I personally
have a very difficult time believing that NK would be capable of these
things.. as this would mean extremely talented computer skills, which to
develop would require unfettered access to the entire internet for extremely
long periods of time, knowledge of several languages, and a host of skill sets
that are not usually what you'd associate with living in an oppressive regime that
can barely keep the power on.

I'm going to go with Occam's razor on this one because it's far more likely
that it's easier to pretend to be from NK than for NK to do what they are
being accused of.

~~~
LV-426
> it's far more likely that it's easier to pretend to be from NK than for NK
> to do what they are being accused of

For all the hot air about "analysis" and "evidence" and crimes NK committed
when Kim was a baby five presidents ago, it's extremely easy to know North
Korea wasn't responsible for this:

Because the idea that _any_ nation state could function in any capacity while
simultaneously being so broke that a puny act of organized crime involving
Bitcoins could make any difference is utterly beyond the realm of absurdity.

Nobody with even moderate critical faculties can seriously believe such a
ridiculous premise, and the only thing anyone does by arguing it, sincerely or
otherwise, is reduce their own credibility.

~~~
bane
It's so bad for North Korea that they operate a series of restaurants for the
sole purpose of bringing exportable cash back to the country.
https://www.washingtonpost.com/news/worldviews/wp/2016/04/08/the-weird-world-of-north-koreas-overseas-restaurants/?utm_term=.366f89fcf69b

It's so bad for North Korea that they "sell" large groups of laborers to
friendly countries to work in remote areas for the sole purpose of bringing
exportable cash back to the country.
https://www.vice.com/en_us/article/kwnw3w/north-korean-labor-camps-part-1

It's so bad for North Korea that for many years they operated a factory town
on the border with their active enemy South Korea that used low-paid North
Korean workers to make goods to sell back to South Korea, under South Korean
management for the sole purpose of bringing cash into the country.
https://en.wikipedia.org/wiki/Kaesong_Industrial_Region

The list goes on.

The GDP of North Korea is estimated to be about $30 billion with the per
capita income being around $1,000 per person. North Korea is deeply cash
strapped, has few trading partners, and produces very little that anybody
would want anyways. It doesn't take much money to move the needle. To not be
aware of this is to not possess even remotely moderate critical faculties.

~~~
LV-426
> The list goes on.

The list of what? Different ways in which the North Korean economy
legitimately functions?

However "weird" you or the Washington Post think running a restaurant and
remitting money back home is (or are they fronts for money laundering? the
story can't seem to decide), or a country sending its workers abroad (look up
the population of the UAE sometime), or _operating a factory_ (?), all of
those things are legitimate, legal and commonplace around the world, and in no
way analogous to a Bitcoin ransomware attempt.

> The GDP of North Korea is estimated to be about $30 billion [...] It doesn't
> take much money to move the needle.

The amount made by WannaCry wouldn't even move the needle in the Bitcoin
economy, never mind the economy of a nation state. Hell it wouldn't move the
needle for some posters to HN.

If North Korea was that interested in acquiring cryptocurrency they could make
far more simply running darknet markets or Bitcoin exchanges.

But - no - according to some people it makes far more sense to enact a
convoluted and easily killswitched extortion scam with flashing neon arrows
pointing straight back at them.

SMH

------
nodesocket
For all holding BitCoin who are US citizens... Just know that you are
indirectly supporting enemies of the US (including Russia and China). You
could be investing in US companies via the stock market and promoting US
growth and jobs instead.

~~~
dang
Would you please not post off-topic flamebait here?

~~~
nodesocket
Dang, I don’t think I was being off-topic, directly related to the fact that
the US announced that North Korea was behind “WannaCry” and that they hold
large amounts of Bitcoin. My point is factual.

~~~
r3bl
That's as ridiculous as stating that, if ISIS has a lot of USD, you shouldn't
use USD because that's "supporting enemies."

~~~
jermaustin1
I've been trying to switch to Spanish Reales, but the coke machine won't take
them.

------
alexcasalboni
"the six-month anniversary"? lol

