epa05965366 Employees watch an electronic board to monitor possible ransomware cyberattacks at the Korea Internet and Security Agency (KISA) in Seoul, South Korea, 15 May 2017. The notorious WannaCry ransomware, a type of malware that locks up files on a computer until victims pay a certain amount of money to hackers, struck South Korea's top theater chain CJ CGV the same day, industry sources said. EPA/YONHAP SOUTH KOREA OUT
The WannaCry cyber attack in May wreaked havoc on tens of thousands of organisations worldwide © EPA

North Korea was “directly responsible” for a massive cyber attack in May that wreaked havoc on tens of thousands of organisations worldwide from the UK’s National Health Service to US delivery services company FedEx, the White House has alleged.

“After careful investigation the United States is publicly attributing the massive ‘WannaCry’ cyber attack to North Korea,” Thomas Bossert, homeland security adviser, said on Tuesday. He denounced North Korea’s actions as a reckless attack that put lives at risk and affected more than 150 countries. 

He said the UK, Australia, Canada and New Zealand — members of the so-called “five eyes” group that includes the US and co-operates closely on intelligence — as well as Japan, agreed with the assessment.

An official said the UK’s National Cyber Security Centre had led the international investigation, identifying links to North Korea on May 12, the first day of the attack. 

The official said the NCSC identified links between a North Korean group known as the Lazarus Group and WannaCry within a week. While the NCSC said the attack sought financial gain, Mr Bossert said fundraising was only “ancillary” and did not raise a lot of money.

The public declaration by the White House is aimed at increasing international pressure on the reclusive regime as tensions between Washington and Pyongyang threaten to spill over into conflict. US president Donald Trump on Monday vowed to “take care” of the regime’s rapidly advancing nuclear and ballistic missile programmes, which he deemed a threat to “millions of Americans”.

“North Korea has done everything wrong,” said Mr Bossert, adding the US was running out of levers and calling for Pyongyang to change its behaviour. “We don’t have a lot of room left here.”

Once derided as inept, North Korea’s cyber capabilities have improved in recent years as Kim Jong Un, the country’s supreme leader, pursues a strategy of asymmetric military development designed to give North Korea an edge over its larger, more powerful adversaries.

Vincent Brooks, commander of US Forces Korea, last year called Pyongyang’s cyber troops “among the best in the world”.

“Cyber operations offer North Korea an asymmetric advantage because its adversaries are much more reliant on technology than North Korea is, which makes North Korea much less vulnerable,” said Tim Wellsmore, a threat intelligence director at cyber security group FireEye.

“As geopolitical tensions continue to run hot, we expect North Korea to continue to escalate its cyber operations . . . Some of North Korea’s attacks appear aimed at procuring hard currency through offensive cyber threat activity, and the explosion in use of cryptocurrency significantly increases their opportunity in this area.”

WannaCry was one of the fastest-spreading and damaging cyber attacks to-date, affecting at least 200,000 computers across 150 countries.

The attack used a category of virus known as ransomware. Once infected, a target’s computer has its files encrypted. The user then gets a ransom demand — usually asking for payment in a cryptocurrency such as bitcoin — which must be paid in order for access to be restored.

Mr Bossert said that in the midst of mass global efforts to shut down WannaCry, an astute programmer noticed a “glitch in the malware” known as a kill-switch, and activated it.

“To some degree, we got lucky,” he said, adding the US had also been well prepared. “[The programmer] took a risk, but it worked.”

Jeanette Manfra, assistant secretary of Homeland Security for cyber security and communication, called on all companies to come to “the collective defence of our nation”, identifying electricity grids, financial systems and communications as potential cyber targets.

Experts say Pyongyang has also increasingly been targeting online exchanges for cryptocurrencies, such as bitcoin, in a bid to evade punitive financial sanctions.

Park Chun-sik, a cyber expert at Seoul Women’s University, said the untraceable and anonymous nature of bitcoin made it attractive to the regime.

Additional reporting by Kang Buseong and David Bond

Get alerts on Cyber warfare when a new story is published

Copyright The Financial Times Limited 2019. All rights reserved.
Reuse this content (opens in new window)

Follow the topics in this article