Law enforcement worldwide, either through their own channels or a proxy like Europol, announced a manhunt for the cybercriminals behind the recent “WannaCry” malware. Something of this size, as with most cybercrime of late, breaches any one government’s jurisdiction. And, to counter these exact situations, several nations joined forces under the Joint Cybercrime Action Taskforce (J-CAT) umbrella.
Many countries saw the ransomware target their own hospitals, other infrastructure, and civilians. But WannaCry hit the United Kingdom harder than most countries. So far, law enforcement in the UK has taken the initiative, or at least has featured most prominently in various news sources. “We are absolutely focused in finding out who the criminals behind this attack are,” said the director general at the National Crime Agency, Lynne Owens.
“The response is beyond anything I’ve seen before,” said Steven Wilson, the head of Europol’s EC3 cyber crime unit. “The picture is starting to emerge slowly. This could be something that is going to take us a considerable period of time.” WannaCry needs no introduction. And it goes without saying that many countries have a vested interest in hunting down the person, or persons, behind the malware.
On the NCA website, Owens said, “[a]t this moment in time, we don’t know whether it’s a very sophisticated network or whether it’s a number of individuals working together.” Nearly every country announced at least one central theme with respect to the investigation. Most said, in one way or another, that they anticipated the capture of the perpetrator. Additionally, they acknowledged that the number of perpetrators remained unknown.
Some believed that state-sponsored hackers launched the attack. Others believed the hackers only set the attack up in a way that mimicked a state-sponsored cyberattack. That would have required a well-organized structure of hackers. And some, for reasons unknown, suggested that a “bored teenager” caused the infection of 200,000 machines. (The possibility is there; the oddity is the intentionally specific age group.)
Thanks to attribution, though, researchers may have already found a connection between this attack and several others. Within the past few years, although with less publicised activity this year, the Lazarus and/or Bluenoroff groups have successfully attacked—more fittingly, infiltrated and then attacked—an unknown number of banks and similar parts of the financial industry. “Lazarus is operating a factory of malware,” one Securelist report explained.
Attribution, in simplified form, is digital forensic analysis: pieces of information that connect a virus to a locale, or to another piece of malware. Often the language plays a key role in the process. Other times, not so much; those with the ability to silently break into a SWIFT banking message system are not naive. Securelist researchers, as a point of reference, pointed to consistent typos between viruses to link malware to the Lazarus group.
This time, a Google researcher found shared code between WannaCry and a Lazarus Group APT sample from years ago. This alone led many to believe that WannaCry came from Lazarus Group, even though Lazarus hacked banks for millions of dollars and WannaCry brought in—even now—less than one million dollars. In fairness, Bluenoroff, a group associated with Lazarus, hacked only for financial gain while Lazarus went beyond finance.
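The two attribution signals the article mentions, shared code and consistent typos, can be illustrated with a small comparison routine. The following is an added example written for this page; it is not the method used by the Google researcher or by Securelist, whose actual techniques the article does not describe. All three “samples” are short byte strings constructed here to stand in for extracted code sections (no real malware bytes). Sample A and sample B share a distinctive loop and the same misspelt status string; sample C shares only a generic function prologue and a correctly spelt string. Scoring on 8-byte windows keeps a handful of generic bytes from producing a misleadingly high match, which is the same caveat the article raises: shared code is suggestive, not conclusive.

```python
"""Illustrative code-overlap and shared-string check between malware samples.

Added example, not code from any researcher or project named in the article.
All sample bytes below are constructed for the demonstration.
"""
from __future__ import annotations

import re

# Constructed stand-ins for extracted code sections.
SAMPLE_A = (
    b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"                                  # generic prologue
    b"\x8b\x45\x08\x33\xc9\x8a\x08\x80\xf1\x5a\x88\x08\x40\x84\xc9\x75\xf3"  # distinctive XOR loop
    b"Connection Closed Sucessfully\x00"                                      # consistent typo
)
SAMPLE_B = SAMPLE_A + b"\x90\x90\x90"  # same code, different padding
SAMPLE_C = (
    b"\x55\x8b\xec\x83\xec\x10\x53\x56\x57"                  # same generic prologue only
    b"\x48\x89\xe5\x48\x83\xec\x20\xe8\x00\x00\x00\x00"      # unrelated code
    b"Connection closed successfully\x00"                    # correctly spelt string
)


def byte_ngrams(data: bytes, n: int = 8) -> set[bytes]:
    """Every n-byte window in the sample. A window of 8 means a short
    generic sequence (a standard prologue) contributes very few grams."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def jaccard(a: bytes, b: bytes, n: int = 8) -> float:
    """Fraction of distinct n-grams the two samples have in common."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 0.0


def printable_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Runs of printable ASCII, the same idea as the `strings` utility."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def shared_strings(a: bytes, b: bytes) -> list[str]:
    """Strings present verbatim in both samples; a repeated misspelling
    is the kind of artefact analysts treat as a linking clue."""
    return sorted(set(printable_strings(a)) & set(printable_strings(b)))


def compare(a: bytes, b: bytes, threshold: float = 0.5) -> dict:
    """Summarise overlap; `threshold` is an arbitrary cut-off for this demo."""
    score = jaccard(a, b)
    return {
        "jaccard": round(score, 3),
        "shared_strings": shared_strings(a, b),
        "likely_shared_code": score >= threshold,
    }


if __name__ == "__main__":
    for name, other in (("B", SAMPLE_B), ("C", SAMPLE_C)):
        print(f"A vs {name}: {compare(SAMPLE_A, other)}")
```

Run stand-alone, the script reports a high overlap and a shared misspelt string for A versus B, and a low score with no shared strings for A versus C, even though A and C begin with identical bytes. In practice an analyst would compare function-level hashes across whole binaries and weigh the result against other evidence, which is why the Lazarus connection discussed above remains contested rather than settled.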
Many believe Lazarus has no affiliation with WannaCry, and that belief may prove correct. The point here is that even if researchers are incorrect about the Lazarus Group connection, they have an excellent opportunity to narrow down the culprit, cutting down on the work law enforcement needs to accomplish.
So while the Joint Cybercrime Action Taskforce or EC3 or the NCA might not catch the perpetrators, researchers outside of the government have a chance. Not only that, but they have already begun the process.