
North Korean Lazarus botnet linked to WannaCry attack

US-Cert puts out an alert on DeltaCharlie, a distributed denial of service tool from North Korean hacker group Lazarus

Reports across the internet have pointed the finger at a notorious North Korean hacking group for last month’s WannaCry distributed denial of service (DDoS) attack that crippled NHS computers.

Quoting US intelligence officials, the Washington Post reported that the National Security Agency (NSA) had linked the attack to cyber actors sponsored by North Korea’s spy agency, the Reconnaissance General Bureau.

In May, following the attack, Symantec said tools and infrastructure used in the WannaCry ransomware attack had strong links to Lazarus, the group responsible for destructive attacks on Sony Pictures Entertainment and the Bangladesh Central Bank.

The WannaCry attack, which started on 12 May, was the biggest single incident that the UK’s new National Cyber Security Centre (NCSC) has faced to date.

As Computer Weekly has previously reported, in response to the attacks, the NCSC’s incident management function was called into action. Its initial focus was to understand the technical characteristics of the attack, how it was spreading, and who the victims were.

The incident management team was also working to establish who was behind the attack and what the initial attack vector was, but these questions remained unanswered to a high level of confidence five days after the attack.

Now the US Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have identified one of the tools used in the attack as DeltaCharlie, a malware variant used to manage North Korea’s DDoS botnet infrastructure. DeltaCharlie is part of a suite of North Korean malware tools classified by the DHS and FBI as “Hidden Cobra”.

DeltaCharlie was first identified by a cross-industry group, Operation Blockbuster, which was set up following the DDoS attack on Sony.


An alert posted on US-Cert, the US computer emergency response team, on 13 June confirmed Symantec’s original assessment. US-Cert said: “Since 2009, Hidden Cobra actors have leveraged their capabilities to target and compromise a range of victims. Some intrusions have resulted in the exfiltration of data, while others have been disruptive in nature. Commercial reporting has referred to this activity as Lazarus Group and Guardians of Peace. DHS and FBI assess that Hidden Cobra actors will continue to use cyber operations to advance their government’s military and strategic objectives.”

US-Cert posted a file with the known IP addresses used by DeltaCharlie in a bid to help security experts detect signs of malicious network activity.
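As an added illustration of how a published indicator list like that is put to defensive use (example code written for this page, not from US-CERT or the article; the file format, the indicator addresses and the log lines are all constructed, with RFC 5737 documentation ranges standing in for the real DeltaCharlie addresses):

```python
import ipaddress
import re

# Constructed indicator list (documentation ranges, RFC 5737), standing in
# for the US-CERT file; assumed format: one IPv4 address or CIDR per line.
INDICATOR_FILE = """\
# constructed sample, not the real DeltaCharlie list
192.0.2.10
198.51.100.0/24
"""

# Constructed outbound firewall log lines (not real data).
LOG_LINES = [
    "2017-06-13T10:01:02Z src=10.0.0.5 dst=192.0.2.10 dport=443 action=allow",
    "2017-06-13T10:01:05Z src=10.0.0.7 dst=203.0.113.9 dport=80 action=allow",
    "2017-06-13T10:02:11Z src=10.0.0.5 dst=198.51.100.77 dport=8080 action=allow",
    "2017-06-13T10:03:00Z src=10.0.0.9 dst=192.0.2.99 dport=443 action=deny",
]

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")


def load_indicators(text):
    """Parse the list into ip_network objects; '#' comments and blanks are skipped."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def find_hits(log_lines, nets):
    """Return (log line, matching indicator) pairs for destinations in the list."""
    hits = []
    for line in log_lines:
        m = DST_RE.search(line)
        if not m:
            continue  # line carries no destination field
        dst = ipaddress.ip_address(m.group(1))
        for net in nets:
            if dst in net:  # exact address or CIDR membership
                hits.append((line, str(net)))
                break
    return hits


if __name__ == "__main__":
    for line, ioc in find_hits(LOG_LINES, load_indicators(INDICATOR_FILE)):
        print(f"HIT {ioc}: {line}")
```

Matching on CIDR membership rather than string equality is what lets a single `/24` entry in the list cover every host in that range.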

Brian Lord, former deputy director GCHQ for cyber and intelligence, who is now managing director of risk management company Protection Group International, said: “Little is known about the exact state command and control that sits around the Lazarus group and how much operational latitude they are given.

“But whether this is a failed large-scale state sponsored/endorsed/tolerated theft, or a wider experimental state capability R&D operation, it continues to demonstrate that the private sector is as equally vulnerable (financially and operationally) to state-linked activity as governmental apparatus is.”
