Wednesday, 24 May 2017

Attribution Is Difficult - Consider All The Evidence

There have been several headlines in recent days suggesting that the attacks by the Wannacry malware in May 2017 has been "linked" to the North Korean regime. 

Now, whilst I wouldn't put it past that regime to mount any form of attack, I've been very surprised at the certainty with which the attacks are being attributed to North Korea: the evidence is tenuous and the attribution seems to ignore other evidence that appears to point elsewhere.  We seem to have created a new bogeyman in the form of the infamous North Korean Unit 180 (who are doubtlessly up to no good) but by settling for them as the culprits of this attack there is a danger that we might stop looking and the real criminals might slink off into the dark.

It might yet prove that North Korea was behind the May 2017 Wannacry attack, but lets examine the evidence presented so far.  It is encapsulated in the Symatec blog here.  This in turn built upon evidence gathered by a Google researcher, Kaspersky and well respected researchers such as Matthieu Suiche. This evidence showed that elements of the code used in attacks in February and March had a payload with significant similarities to the payload used in the May Wannacry attack.  As the code from the early 2017 attacks was in turn similar to code used in other malware attacks which had been tied to the Lazarus group, the researchers concluded (some with a high degree of confidence) that it must have been the Lazarus group that was behind the May Wannacry outbreak.

If interested in what else we know about Wannacry there was a very useful factsheet produced during the outbreak which contains what many of us were able to glean before the code was fully disassembled.

The headline writers went further. As the Lazarus group had previously been associated with working for the North Korean regime, the May Wannacry attack was thus attributed to North Korea. However, even before one looks at the technical detail this is a stretch.  Think about it. The May outbreak hit over 30,000 machines in China, disabled 1000 machines in the Russian Interior Ministry, and disrupted countless devices in other countries that North Korea has gone to some lengths not to upset previously. Symanetc's own heat map of the attacks shows just how wide ranging the attacks were.

To be fair, the researchers putting forward the Lazrus group theory did try to point out in their reports that Lazrus group was not synonymous with North Korea but some of this was lost in the interpretation by the media. 

So what about the technical data that was presented as evidence tying the May attacks to the Lazarus group:

1. The Feb/March 2017 attacks using the Wannacry payload used a mechanism for spreading that had been used previously in attacks attributed to the Lazarus group. But, whilst the payload may have stayed relatively unchanged, the payload had been repackaged for the May attacks using the now infamous Eternalblue SMB worm.  It is quite possible for even a relatively inexperienced group to obtain the malicious Wannacry payload and to have repackaged this.  Hence, the only thing actually tying the May attacks to the earlier Wannacry attacks is the payload, which criminals often copy.

2. The command and control structure used in the Feb/March 2017 attacks was again the same as previous attacks which were attributed to the Lazarus group.  But, the command and control infrastructure used in the May attacks was not the same.  It was hidden behind the Tor network for the most part.  Whilst this evidence adds credence to the claim that Feb/Mar attacks may have been by the Lazrus group, it doesn't appear to add to any linkage between the Lazrus group and the May attacks.  One might argue that the similarities in the payload between Feb/Mar and May mean that it must have been the same group and as the C&C structure in Feb/Mar were the same as previous Lazarus group attacks ergo May is attributable to the Lazrus group.  However, this level of abstraction starts to stretch the credibility of any such claim beyond the bounds of what would normally be considered "evidence", not to mention the point raised in 1 above.  One could equally argue that the differences in the C&C structure militate against it being the Lazrus group.

Now one has to consider other data that was not mentioned by those who attributed the attack to North Korea.  This additional data is equally important:

1. The so called "kill switch" looks very much as if it was an attempt to build in a sandbox evasion method. The problem is that the developers didn't quite think it through.  Hence, by simply registering the peculiar domain name it caused the malware to think it was in a sandbox and hence to cease execution.

2. The code in the May Wanncry attack contained a method for generating a Bitcoin address for each victim.  This is now common as it spreads the criminals' risk by making it more difficult for law enforcement to "follow the money".  However, the code contained a race condition that meant that this Bitcoin address generation never happened and the default, hardcoded Bitcoin addresses were used.

3. The unlocking mechanism appears to have been remarkably manual.  It was not scalable. It required the criminals to respond with a decryption key having been contacted manually by the victim.  The success of ransomware has taught criminals that this process needs to be automated.

4. There is an IP address in May code that appears quite random and has little meaning.  However, there is evidence that this IP address is used because the SMB worm was produced using code that was posted on GitHub.  Several of us saw this code and thought the correlation suspicious, and suggestive that the criminals had simply cut and paste from this open source code that was being developed to enable the Metasploit pen testing tool to emulate Eternalblue.  The code has since been removed but the episode is documented here.

All of these points suggest a less than experienced malware developer.  Assuming these are not deliberate mistakes, which seems unlikely, the way in which the May Wannacry code was assembled appears inconsistent with the quality of the exploits that have been previously associated with the Lazrus group.  It could be that they were developing code that escaped before it was ready but this is pure speculation and demonstrates that attributing malware to Lazrus or anyone else is extremely difficult and when it begins to rely upon speculation or evidence that is remote from the events being analysed, any results become highly questionable.

I think that by considering the evidence we have as a whole there are several, equally likely possibilities. It may well have been the Lazrus group, but it is doubtful they were working at the behest of North Korea. It may have been some group of script kiddies who tried to cobble together the Wannacry payload with the Eternalblue worm and ended up with something far more virulent than they ever imagined.

More evidence is required before any theory begins to be more likely than the others. Thus I would urge anyone reporting on these issues to be as sceptical as possible, to report the counter arguments and to avoid headlines that others will take in isolation.

UPDATE (26/05/2017): An interesting piece of linguistic analysis was done on the ransom note that accompanied Wanncry.  This note had been translated into 28 languages.  There were two findings of note in the contexst of the above blog post:

1. The author appeared to be fluent in Chinese of a form consistent with its use in Southern China, Hong Kong, Taiwan, or Singapore.

2. The author appears to have been familiar with the English language although probably not a native

The other translations may well have been machine translations from the English version of the ransom note.

The further shows the sometimes contradictory nature of the evidence that emerges, and why all the evidence should be considered.