North Korean Cyber Warfare

It has been over a month since WannaCry Ransomware made headlines all over the globe. Based on different reports, it has affected from 150.000 to 300.000 computers worldwide, raking in from $60.000USD to $140.000USD in ransom payments.

Now there seems to be enough evidence to suggest that the infection was first launched by North Korean hackers. The difference between regular hackers and the North Korean ones is that the North Korean hackers are backed by the country’s government. So when you deal with a North Korean hacker, you can more or less be sure that this is the government you have to fight, too.

In this article, we will look closer at WannaCry Ransomware, how researchers figured out that possible links with North Korea; and why the country is indulging in such hacking practices.

WannaCry Ransomware

As mentioned, WannaCry Ransomware infected hundreds of thousands computer in more than 150 countries around the world. And those are not just personal computers we are talking about here. The infection hit many businesses and corporations, with over 40.000 companies affected in Asia alone. Some of the bigger institutions affected include UK’s National Health Service (NHS), Spanish telecommunications giant Telefónica, the American delivery service company FedEx, and others.

At first, it would seem that the ransomware program did not differ much from other programs that come from the same category. Most of the ransomware applications are distributed via spam email. This is also how WannaCry Ransomware got into the target systems as well. However, it happened to spread a lot faster than previously released infections because it employed a worm to get from one computer on the network to the other. That is why the program infected so many corporate computers connected to the same network.

What’s more, the distribution method alone was not responsible for the speedy infection. The program was able to exploit a vulnerability in the older versions of Windows operating systems that had file-sharing enabled between network computers. With this function enabled, the program hopped from one computer to another without much difficulty. It is rather regrettable, considering that Microsoft released the patch for this vulnerability two months before the infection broke out. It means that it is possible to avoid such infections if users and corporations keep their operating systems updated. In other words, it is not a good idea to turn off the automatic update feature. Also, corporations should consider upgrading their operating systems, too; because quite a few infected computers were running on Windows XP, and Microsoft ended support for this operating system back in April 2014.

Computer security experts also suggest that the program was not supposed to spread at a lightning speed, and it simply fell out of hand because of the worm that was used to distribute from one computer to another.

Attribution to North Korean Hackers

The chaotic nature of this infection is not the main reason security researchers pin it on the North Korean hackers. The link was actually suggested by research Neel Mehta at Google, and then further analyzed by Symantec, Kaspersky, and other security companies, all coming to a similar conclusion: WannaCry Ransomware COULD be created and distributed by the North Korean government. Now, where did these associations come from?

The hacking tool used by WannaCry is called EternalBlue. It was published by Shadow Brokers on the darknet, and they supposedly obtained it from the United States National Security Agency. This is also the reason leaders of a few countries called the US out, saying that by isolating such an important vulnerability, they should have also provided a way to contain it and fight it. What’s more, a few security specialists from South Korea have mentioned that the moment this code was leaked, they thought that the North would jump at such opportunity to utilize it immediately.

Furthermore, when researchers analyzed the earlier versions of WannaCry, they found a code for the Contopee backdoor, which is usually used by the Lazarus Group. It is a group of hackers that is usually associated with the North Korean government.

The Lazarus Group is known for several hacking incidents, the most prominent of which was probably the notorious attack on Sony in 2014. It was supposedly related to the film Interview, which mocked the North Korean regime. The group is also said to be responsible for the Bangladesh bank theft when over $81 million US dollars were swept from the bank’s accounts, and also the Interpark user data leak. Interpark is a major Korean online shopping mall, and it has experienced a massive data leak in 2016, losing personal data from over 10 million accounts.

Of course, there are also doubts whether the North Korean government is really behind WannaCry Ransomware. The point is that it is really hard to find the culprit behind such infections because normally, you should narrow down and analyze the code from infected computers. But the problem with this epidemic is that there are so many infected systems that it is hard to isolate the code and attribute it to one group or the other.

Also, there is a potential of the so-called code repetition, when a group of hackers uses a code created by another group just so that the blame for the infection would fall on that other entity. This is called “false flag” and while such a situation is possible, most of the researchers say it is highly “improbable” because the code that was discovered is unique for the Lazarus Group, and replicating it just so that someone could blame North Korea for the hacks would be too much of a trouble.

North Korean Cyber Attacks

And if it is really North Korea behind the attack, we might encounter the question as to why a country does such a thing. There seems to be not much logic in it because the ransom payment for this infection was from $300USD to $600USD, and the program even lacked the mechanism that would allow the perpetrators to know whether the victim has paid the ransom or not. In fact, the program managed to “steal” less than $150.000USD from its victims, which is just some sad pocket money for the regime. Especially when one considers that one of the main reasons North Korea encourages hacking is money.

The isolated country has limited sources of income because international sanctions, so it may attempt to use any means to boost up its budget. Even if it means trolling the world, as it never takes responsibility for various hacks, albeit it does enjoy basking in the publicity.

At first, such behavior might seem illogical and irrational, but any expert on North Korean issues would tell you the country’s political decisions and seemingly erratic behavior is actually very realistic and rational. Especially so, if you consider that North Korea is completely backed into a corner by the international community and it has nothing more to lose when it needs to keep the stronger countries in check. So even if some of the cyber attacks are not profitable, they manage to maintain their international presence, just like with their ballistic missile tests.

These hacks that are backed by North Korea seem to be far-reaching, too. The information released by Department of Homeland Security (DHS) and the FBI show that a hacker group Hidden Cobra (which, in turn, is closely associated with the Lazarus Group) has targeted multiple companies in the United States. The scope includes financial, aerospace, media corporations and even critical infrastructure.

It shows that North Korea is getting bolder with time, as previously most of its cyber attacks used to be distributed denial of service (DDoS) attacks on various South Korean companies and other international entities. Unlike notorious terrorist organizations, North Korea does not take blatant credit for the attacks. It allows the country to navigate complicated diplomatic waters. Also, it is a rather logical choice to invest in cyber hacking because North Korea does not have that many targets of its own, and so it is less risky than a full-out weapon demonstration.

The bottom line is that involvement in cyber crime at a governmental level presents us with even higher security risks, and reputable cyber security companies have to consider them very seriously. It is clear that in the 21st century the so-called hybrid warfare is the domineering form of international conflict, and the North Korean hacking gigs are one of the best illustrations of that.


  1. Scott Campbell. North Korean hacking group is thought to be behind cyber attack which wreaked havoc across the globe. MailOnline.
  2. Andy Greenberg. The WannaCry Ransomware Has a Link to Suspected North Korean Hackers. Wired.
  3. Andy Greenberg. North Korea’s Sloppy, Chaotic Cyberattacks Also Make Perfect Sense. Wired.
  4. Selena Larson. Researchers find possible North Korea link to massive cyberattack. CNN Tech.
  5. Chris Perez. North Korean hackers may be behind global cyberattack. New York Post.