In May 2017 the world fell victim to a major ransomware attack known as WannaCry. One of the victims was UK’s national health service. Security researchers scrambled to try to figure out how to stop it and who was behind it.
Support for this episode comes from LastPass. LastPass is a great password manager but it can do so much more. It can setup 2FA for your company, or use it to monitor what your users are doing in the network. Visit LastPass.com/Darknet to start your 14 day free trial.
This episode was sponsored by Linode. Linode supplies you with virtual servers. Visit linode.com/darknet and when signing up with a new account use code darknet2020 to get a $20 credit on your next project.
- Video: hacker:HUNTER - Wannacry: The Marcus Hutchins Story - All 3 Chapters
Darknet Diaries is created by Jack Rhysider.
Episode artwork by odibagas.
Audio cleanup by Proximity Sound.
Recording equipment used this episode was the Shure SM7B, a cloudlifter, Motu M2, Sony MDR7506 headphones, and Hindenburg audio editor.
Add this episode of Darknet Diaries to your own website with the following embed code:
<iframe frameborder="0" height="200" scrolling="no" src="https://playlist.megaphone.fm?e=ADV7382284189" width="100%"></iframe>
[START OF RECORDING] JACK: Hey, it’s Jack, host of the show. Listen, you might not be ready for this episode. There’s a few prerequisites I recommend you do first. First, we’re gonna be talking about the Shadow Brokers in this episode and I already covered them in Episode 53, so I highly encourage you to check that episode out first – which is just called Shadow Brokers – before this one. Second, I made Episode 71, 72, and 73 to be listened to in that order, and since this is Episode 73, maybe check out the two episodes before this first. Of course, you don’t have to; this episode still stands on its own anyway, but that’s my recommendation. Okay, so with that out of the way, let’s jump right into it.
TONY: My name is Tony Bleetman. I’m an emergency physician and in 2017, I was working as a freelance senior emergency physician in a number of hospitals in the UK.
JACK: Why did I take up this physician’s precious time to come on a show which talks about hacking? [MUSIC] Because he was at the center of one of the biggest ransomware attacks in history. The date was May 12, 2017, which is a date Dr. Bleetman will remember for a long time.
TONY: I remember pitching up for a shift at a hospital in London at about noon. As I walked into the office, the WannaCry screen had come up on the computers.
JACK: Specifically, the computers in the hospital were stuck on a red screen which said, ‘Oops, your files have been encrypted. Send $300 worth of Bitcoin to this address to decrypt them.’ This is a typical ransomware message. See, if your files get encrypted and you don’t have the key to decrypt them, your files are no longer readable. Some hacker gained control over the hospital’s computers and was demanding Bitcoin to unlock them. Now, this ransomware which was encrypting the files was called WanaCrypt, spelled W-A-N-A, but people quickly just started calling this ransomware WannaCry.
TONY: I just walked into the situation and within a very short time, people understood that this was a cyber-attack affecting the health service, and communication between friends and hospitals confirmed that.
JACK: This WannaCry ransomware not only took over the computers in this hospital, but was hitting other hospitals in UK’s NHS, their National Health Service.
TONY: My take on this is quite simple; that when the technology lets us down in any circumstance, we have to fall back on old fashioned, well-worn, well-proven basic medical techniques. We just had to rely more on clinical judgment and rely a lot less on information systems.
JACK: The NHS had to make a lot of adjustments to stay operational.
TONY: If you think about the process of a patient attending an emergency department, someone has to register them, someone has to order blood tests, and someone has to order x-rays and CT scans. Someone has to communicate with their own family doctor once they’ve finished, and one has to transfer information around the hospital. When that’s all missing, you have no computerized registration of patients, your IC package that tells you where patients are at any time is not working, so we had to compensate for all these things by doing old fashioned things.
When a patient came in, they were registered on paper. We had a big whiteboard on the wall and so, we could write down the names of patients and identify their location within a rather large department. Because we didn’t have computerized blood results from blood tests from the lab, every half an hour we sent a runner to the labs to have a manual printout of the blood tests and deliver them to the department by hand. We had to look at x-rays on portable machines because we couldn’t see them on computers. Things that involved hi-tech interventions were suspended or we found old fashioned alternatives.
JACK: Now, this ransomware was targeting Windows computers and specifically, Windows computers that were connected to the network. Not all Windows computers in the hospital are actually part of the network, [MUSIC] partly because of this exact reason. Some systems like CT scanners were just not plugged into the network with an ethernet cord or anything like that.
TONY: Well, one of the things that we learned is that when your computers are not networked – I mean, a CT scan had its own internal hard drive, so we relied on that. It was limited to a certain amount of memory every day, so we had to restrict the number of scans that we ordered. What it meant was, because – we had to [00:05:00] fall back on machines that were not connected to the network, so standalone diagnostic machines that were not connected to the network were unaffected, so we could run some basic blood tests on isolated machines, and we could run CT scans on machines that were not affected by the virus. It was quite useful. If machines are autonomous and not connected to the wider network, which we used to think was a hindrance than a problem, it actually saved their function because they were not taken out by the WannaCry virus.
JACK: The NHS had to cancel 6,912 appointments because of this. But as of right now, it doesn’t look like anyone died due to this attack. While battling with this problem, the hospital was learning how wide-spread this was.
TONY: We switched on the news and we spoke to friends in other hospitals, and it was obvious very, very early on that this was a national – if not international – problem across the country. Some of the things that we relied upon; trauma centers were temporarily closed, so we had to deal with any trauma cases coming in because the surgeons in the trauma centers were unhappy to operate without CT scans that they could see in the operating room. For a short while, trauma centers weren’t receiving patients, or some of them weren’t, and half the trauma centers were also not receiving patients because they were computerized as well.
JACK: The BBC was playing an interview with Amber Rudd, the Home Secretary of the UK. Here’s a clip.
AMBER: We’re working very hard to make sure that we help the NHS put their systems back in order. So far, we’ve had reassurance from them that no patient data has been compromised. The National Cyber Security Center is working with them to end the disruption, to contain it, and to make sure that we learn lessons from it.
HOST: Can you give us the figures as you understand them at this stage about how many hospitals, how many trusts are affected?
AMBER: Well, we understand that forty-five have been affected out of several hundred. Most of them are being very cautious about this. Some of them are making changes, some of them aren’t. Some of them are managing to carry on with their daily work despite these difficulties. But can I also just point out that this particular attack, this cyber-attack, hasn’t been particularly focused on the NHS? It’s been a worldwide attack. It’s affected a hundred countries, different organizations, but it’s just in the UK that it’s been particularly impacted on our NHS.
JACK: [INTRO MUSIC] The WannaCry ransomware that was unleashed on the world was ripping through thousands of computers, causing destruction everywhere. This is the moment that all IT and security teams both fear and prepare for.
(INTRO): These are true stories from the dark side of the internet. I’m Jack Rhysider. This is Darknet Diaries.
JACK: Okay, so what do we know at this point? It’s May 12th, 2017 and the world is being hit by a huge ransomware campaign. The NHS is one of the bigger networks to be hit by this. The new is reporting on this. Now, when something hits the world on a scale like this, it gets the attention of a lot of security researchers. The whole security community is buzzing about this. For instance, FireEye was one of the companies that began researching WannaCry.
JOHN: My name is John Hultquist. I’m the senior director for intelligence analysis at FireEye.
JACK: FireEye is a threat intelligence company. They spend all day, every day, investigating emerging threats and they provide many tools and services to help companies detect and respond to cyber-attacks. FireEye is a major player in this space and have been called to investigate many high-profile cases. Now, by this time, Twitter was going crazy talking about this. This was a huge attack, hitting companies all over the world. While companies like FireEye can’t investigate every new piece of malware, this one was big enough to pay attention to.
JOHN: Yeah, I think that there was good evidence to believe that this was hitting several organizations simultaneously. We had reason to believe it was going to hit even more of our customers. Usually, in circumstances like that, we spin up a community and protection event. That’s where we basically bring all the power of FireEye, [MUSIC] all the different divisions together literally into a single chatroom, and we start trying to break down the problem as fast as we can. One big piece of that with this was getting our hands on the malware and starting to – have the reverse-engineers start ripping it [00:10:00] apart to look for clues as to what was going on, because we thought that this was ransomware. We didn’t know who it belonged to. We were just trying to figure out why it was moving so quickly at some point. We were essentially asking a bunch of questions that took us a while to answer.
JACK: Now, FireEye wasn’t the only group looking into this. When something like this hits, a lot of companies have to investigate. For instance, this was looking like it was hitting Windows machines specifically, so Microsoft would absolutely have to investigate this, too. But think about all the antivirus companies or threat detection systems that are out there. These companies would all pay attention to an attack like this so that they can find a way to detect and block stuff like this from happening to their customers. Dozens of major companies were all scrambling to get a copy of the WannaCry ransomware. On top of that, you have a lot of independent security researchers who are good at reverse-engineering who also try taking a look.
This was an exciting time for the security research community. This was something brand-new, and it was hitting hard and spreading fast. It’s exciting, like when your favorite author publishes a new book or a favorite video game launches a new level to try. There’s this magical moment in time where there’s just no blog posts about this, there’s no news stories, and nobody understands what’s happening. So, people everywhere are racing to get some answers. Since nobody knows anything about this malware, everyone has to start from square one. You might be the one who finds the hidden key that unlocks this whole mysterious malware. It’s adventurous and exciting to be part of the investigation even if you’re just an independent researcher. Now, another person who was researching this was Matt Suiche.
MATT: My name is Matt Suiche. I’m the founder of Comae Technology. It’s a small startup focused on incident response. Back in May 2017, most of people in InfoSec, we also – that there was a ransomware that was targeting a bunch of companies, and people were all posting screenshots all over Twitter. Then the first thing everyone was trying to do was to get samples of that ransomware.
JACK: Matt is a French security researcher, also an entrepreneur. He’s developed a few companies at this point, but the one he’s building now is called Comae. It specializes in memory forensics. This new ransomware interested Matt, and he grabbed a sample of the malware and began investigating.
MATT: Well, the thing to keep in mind for malware and especially ransomware; they’re very easy to analyze because they are very redundant. What they do is always the same thing. Most of the time there is no obfuscation. You can get a clear idea of what malware or ransomware is doing fairly quickly, like around an hour. It’s not like you have to analyze a root key, anything like this. You can get a very good idea of the big picture of what they do. The idea was just trying to understand what it was doing to be able to write a short writeup, because everyone was panicking around it. Usually, when it’s something like this, especially as a small startup, it’s interesting to release something before everyone else because large companies will not be able to publish blog posts as quickly because of their own internal cycles for publishing anything. That one, the idea was first to analyze what it was doing, how it works, kind of like what it was doing.
JACK: Now, malware like this is precompiled which means if you look at the program itself, it just looks like gibberish. It’s machine code. A computer understands what to do with it, but it’s not human-readable. You have to use a reverse-engineer tool like IDA Pro or Ghidra [MUSIC] to convert it to assembly link which is human-readable, but it’s very rudimentary. Like, put this data in the memory, then move it from here to there, and then remove the data from the memory. You don’t see if L-statements and things that make sense, so because it’s so low-level, it requires a lot of skill to know how to reverse-engineer a program to figure out what it does, which in my opinion is pretty hard to do. But Matt’s good at this, so he dove into the code and saw something remarkable.
MATT: On the exploitation bot, so, what was pretty interesting is – and having even before analyzing it, people had a strong suspicion around it anyway – is oh, it was using the DoublePulsar on EternalBlue that was leaked a few months before by the Shadow Brokers.
JACK: The exploit this malware was using was EternalBlue. Now, let’s back up a second; one month before this WannaCry outbreak, the Shadow Brokers gave the world EternalBlue. You remember Shadow Brokers, right? If not, go check out Episode 53. But the [00:15:00] story goes that someone hacked into the NSA and stole hacking tools and exploits the NSA uses, then slowly released these tools to the public. Now, what’s strange here is a month before EternalBlue was released, Microsoft patched it. We’re not sure if NSA warned Microsoft or if Microsoft found it themselves. Regardless, the patch came out and then Shadow Brokers gave this exploit to the world to use however they want. Now, we still don’t know who the Shadow Brokers were, but they would send messages sometimes. At one point, they called out MalwareJake for being part of Equation Group, or NSA. But there was more to that tweet. It read…
MATT: The Shadow Brokers is not in habit of outing Equation Group members, but had made exception for Big Mouth. It was to MalwareJake and then it was saying, ‘Keep talking shit. M. Suiche, you’re next.’
JACK: Yeah, the Shadow Brokers had mentioned Matt by name in the very tweet they practically doxxed MalwareJake as being part of Equation Group. Was this also saying Matt was part of Equation Group?
MATT: That one, yeah, was nothing. I was like well, that’s kind of flattering but I’m French, you know?
JACK: Matt is not former-NSA or Equation Group, and he didn’t even have to explain this since the Shadow Brokers later clarified this in a tweet saying yeah, they know he’s not ex-NSA since he’s French-born. Why were the Shadow Brokers talking about him? Well, it’s kind of a mystery, actually. First of all, [MUSIC] Matt was really fascinated with the Shadow Brokers and what they were releasing to the world. So, he was screenshotting everything the Shadow Brokers posted, and was blogging about it a lot. During the whole Shadow Brokers ordeal, Matt gave a talk at Black Hat about them.
MATT: Before we start, please raise your hand if you have never heard of the Shadow Brokers.
JACK: On top of that, Matt has a fairly large Twitter following, so it’s possible the Shadow Brokers were just seeing what people were saying about them. They saw Matt’s post and liked him.
MATT: I was flattered though about it because it’s like oh, it’s kind of cool that they’re mentioning me because it means everything; all my blog posts, all the analysis I did of all their release – because that’s how they would know me. Otherwise, there is no way they would have mentioned me. Even at some point, they were kind of saying – I know they’re calling me French. Oh yeah, because I gave a keynote at Black Hat the same year. I was giving an overview of what the Shadow Brokers were doing. I was saying oh, you should come, we should have a beer. He’s like oh, I will only come if you speak at Defcon. I will be in the first row. An interested part of me still do thinks they are American, but it’s kind of hard to prove. But yeah, they were friendly. They’re like oh, Suiche seems to be a friendly guy. They were definitely very entertaining. Also, a lot of the way they speak – because the grammatical mistakes, you can tell they are completely fake.
JACK: Well, the way they type might be a fake accent or something, but the Shadow Brokers releasing EternalBlue to the world was not fake. It was a very serious vulnerability which exploited the way Windows file sharing works, or SMB. [MUSIC] If you have a vulnerable version of SMB running on your computer, a person could easily take remote control of that computer. So, exactly one month after EternalBlue was released, WannaCry was launched which used that exploit, which is one reason why this ransomware infected so many machines; because it was using a wicked-good exploit that just came out not too long ago. What’s more is that this ransomware was a self-propagating worm.
When it would infect one computer, it would then look to try to infect every other computer in that local network. This meant if it could just get a small foothold in a network, it could then spread to a large amount of computers inside your network. A worm like this using a vulnerability like that is going to spread quickly, and it did. Now, again, this exploit was patched in Windows about two months earlier, so anyone who had automatic updates on or were installing the latest security patches for Windows were not affected by this. But as it turns out, a lot of Windows computers in the world don’t update as frequently as they should, and this creates a problem.
JOHN: Yeah, it’s really interesting. There were patching issues; people hadn’t caught up with the patching cycle. There’s no doubt about that. But there are some places that were targeted – or, not necessarily targeted, but that were hit that patching was difficult. I think that probably the most well-known target was the [00:20:00] NHS in the UK. People who work in the medical arena will tell you there’s a lot of equipment there that is just old and it can’t be patched, or can’t be patched because it simply will not function correctly. It’s not always as simple as just patch.
JACK: [MUSIC] In fact, this got so big and impacted so many old computers that Microsoft released even more patches. At this point, Windows XP was no longer supported by Microsoft and they stopped making security patches for it. But a few days after WannaCry came out, Microsoft released a patch for XP, which is very, very rare for them to release patches after they stopped supporting that version entirely. Now, when ransomware hits your computer, it encrypts all the files on it and asks you to pay to unlock them. Some victims were paying the $300 or $600 in Bitcoin to get their files back. But there was a problem. This didn’t seem to work.
A lot of people were reporting they paid but didn’t get a valid key to decrypt their files. In fact, if you analyzed the malware, it just didn’t seem to contain the proper methods for restoring the files at all. These victims who were paying were getting burned twice. Now, at this point, security researchers were starting to think maybe this isn’t ransomware. Maybe this is disguised as ransomware and really has other intentions like destroying a target or a network or something. A lot of questions were starting to rise up. Do you have any – do you have some general tips for if someone gets hit with ransomware like this?
JOHN: I think every situation is different. It’s important, I think, if possible, to have a sense of who’s doing that, right? In this case, it was pretty clear it looked like nobody was going to get their machines unlocked. Obviously, the tip in that case is don’t pay because it would be an absolute waste of money. But there are a handful of operators that we know pretty well and I think they all behave differently. You have different prospects based on who you’re dealing with and what your specific situation is. Usually, the advice is consult an expert on your specific situation.
JACK: Were there any of your customers that were trying to consult you that were big companies that were getting hit?
JOHN: Oh, absolutely. I think at the time we were advising that this is not something that a; a criminal actor that we’re familiar with, and there didn’t seem to be a payment – the payment mechanism didn’t seem fully operational.
JACK: At this point, John’s team had developed a way to detect and block this activity in their clients’ networks. They understood this malware fairly well, but they still had more to figure out.
JOHN: [MUSIC] I think at that point we were – I mean, from my side, I’m the intelligence guy – we were really trying to determine who’s doing this? What’s the motive behind this? Is this a state actor? Is this a destructive attack? Can we find some sort of breadcrumbs that will take us back to other incidents? That’s usually what we’re looking for. We’re trying to take your one, single incident and connect it to a cluster. Hopefully, we can learn from a cluster of other incidents. Sometimes they’ve made mistakes in their other incidents, they’ve taught us something about them, they’ve not – they’ve used infrastructure that maybe we recognize there and then we can tie them back even further. We’re working diligently to find those clues.
JACK: Well, John and his team were busy trying to figure out who did it. I think at this time, Matt was trying to figure out how to decrypt the file somehow. Some other people were looking into different parts of the code for other things. Another security researcher named Marcus Hutchins was looking at the malware and saw something that’s fairly unusual for ransomware. He found that upon infecting a machine, one of the first things this ransomware does is try to go to a specific URL, a website. It’s a forty-character-long URL which just looks like gibberish. WannaCry would check if that URL exists and if it did, it would stop running immediately. It would not encrypt the computer. It would not try to propagate. It would just halt. This is called a kill switch.
Whoever made this ransomware wanted a way to stop it if they had to, and I can imagine a scenario where this could be useful. Suppose whoever wrote this malware was working for a nation state and if they released this to the world and it accidentally infected their own country, yeesh, what a mess they’d have. If that started happening, the [00:25:00] hackers had a way to halt the entire thing worldwide by just making that URL active. [MUSIC] But when Marcus Hutchins found this URL in the code, he did a WHOIS lookup on it to see who owned it, and the domain was not registered. This was odd. You would think that whoever wrote this malware would have registered the kill switch in case they needed to use it. But it wasn’t owned by anyone. What’s Marcus do? He registers the domain himself and makes the URL active.
Instantaneously, the ransomware stopped infecting machines worldwide because as soon as a new computer would be infected, it would check to see if this domain was up. If so, it would stop. Any computers that were already infected were still infected, and any computers that couldn’t get to the URL would still become infected, but the number of new computers getting their hard drives encrypted almost completely stopped. Registering this kill switch turned off this attack. Marcus single-handedly stopped one of the largest ransomware outbreaks in history. He saved the world from hundreds of thousands more infections and billions of dollars more in damages. He became a bit of a legend for doing this. Here’s Marcus in an interview with The Telegraph a few days later.
MARCUS: I’ve had people sort of inundating with messages thanking me, saying I’m a hero. I mean, I sort of just registered this domain for tracking and I didn’t intend for it to blow up and me to be all over the media. I was just doing my job and I don’t really think that I’m a hero at all.
JACK: Quite suddenly, all this stopped. The malware completely lost its teeth and was just fizzling out quite abruptly. But a few days after that, a new variant of WannaCry started spreading, infected one computer after another, and spreading in the same manner the first variant did. Matt Suiche immediately jumped on this version.
MATT: I got the sample from @benkow_, analyzed it in a text like, less than a minute, because once you’re familiar with the malware, it’s quite a straightforward thing.
JACK: Matt had a hunch that in order to start this ransomware back up, all they would have to do is just change the domain name of the kill switch and it would start working again. This would be easy to change. He wouldn’t even have to recompile the code; just change one character in the binary. So, this was one of the first things Matt looked for, whether the kill switch was there and what domain was it using? Sure enough, the kill switch was there, but this time it had a new domain name. Still a long forty-character string, but just a couple letters had changed. Well, Matt checked to see if that domain was registered, and to his astonishment, it wasn’t. So, he quickly got to work.
MATT: [MUSIC] Extract the domain name and registered it, then I started to also build a platform around it to be able to collect data on the infection.
JACK: Very quickly, he started seeing computers hitting his domain, checking if the kill switch was on or not. So, he began collecting data on this which gave him a firsthand look of what this malware was doing, where it was infecting machines, and how big it was getting.
MATT: It is quite cool but the thing is, that one was not the main one. Even though it got registered very early, no major infection happened. I think it was between – even below one hundred at that point. It was in the low-hundred infection hit.
JACK: Because Matt was paying close attention and knew where to look in the code, this malware didn’t have a chance to spread exponentially. Matt stopped it before it did any significant damage. But two days after that, another variant was released, and this time it was a security team at a company called Check Point that saw the new kill switch and nobody had registered that domain, either. So, Check Point registered it. Quite quickly too, which meant not many machines got infected with that version, either. Then, a few days later, a fourth variant showed up, and this time it did not have a kill switch which meant there was no easy way to stop it.
This one had the potential of ripping through millions of computers and infecting them, but I don’t think this one was very aggressive because we didn’t really see it do anything. It never really got in the wild and spread. I guess by the time this variant was released, antivirus companies had already detected it and put out signatures for it, and people were patching their computers more, or at least closed that port on the network. So, even without a kill switch, this new variant did not have a substantial impact. Since then, this malware has significantly died down. We have the people who found these kill switches and registered them to thank for stopping this from engulfing a large portion of the internet.
MATT: But that kill switch, I kept for around a year. It had a few million hits pretty easily, enough that one of us – well, I don’t really want to just manage it [00:30:00] on my own because the platform and everything. I was like well, I’m not really sure of what to do with this data anymore at this point because I don’t think it’s of any interest for anyone. I reached out to Microsoft Domestic Team, and I was like oh, do you guys want that kill switch from WannaCry? I think it would be in better hands if it’s with you, you know? Just so you can keep archiving it or something. They were okay for it. Actually, they had to step back and say well, the legal department says it’s too much of a risk. We cannot take it. At the end of the day, they didn’t take it. The people from the Chronicle security at Google said to take it and then I just gave it to them. But I thought it was quite funny that Microsoft could not take it because of legal, you know?
JACK: [MUSIC] The estimate is that WannaCry infected 230,000 computers in 150 countries. How many of those infected people paid up? 330 which, added up, means whoever did this made $140,000 worth of Bitcoin. Who did this? Well, let’s listen to a statement given by the US Department of Justice.
DOJ: We have unsealed criminal charges against a North Korean computer programmer for participating in a conspiracy that conducted sophisticated cyber-attacks around the world on behalf of the North Korean government. Members of the conspiracy are responsible for some of the most damaging and most well-known cyber intrusions in history including the cyber-attack targeting Sony Pictures, the cyber-heist of Bangladesh Bank, and creating the WannaCry ransomware.
JACK: There you go; North Korea did this. Specifically, they’re charging the same person for the Sony hack, Bangladesh Bank hack, and this WannaCry ransomware. Park Jin Hyok is the person named in the indictment. In fact, he’s now one of FBI’s Cyber’s Most Wanted. As people investigated this further, they found there were earlier versions of WannaCry that hadn’t been effective because they weren’t using EternalBlue which hadn’t been released yet. But on May 9th of 2017, a company called CyberRisk published a proof-of-concept using EternalBlue as an exploit. They even included source code and explained how to use it. Three days later, the new version of WannaCry with EternalBlue was released.
It looks like the same code was used in this malware, so it seems to me that someone in North Korea saw the blog post by RiskSense, copied the code from it into their existing WannaCry ransomware, and released it on the world three days later. It’s hard to point fingers here. Yeah, North Korea is who pulled the trigger on all this. Okay, but they may not have done that if they didn’t see the blog post by Risk Sense. But Risk Sense wouldn’t have published that blog post if it wasn’t for the Shadow Brokers releasing EternalBlue to the world. But Shadow Brokers wouldn’t have released EternalBlue if it wasn’t for the NSA creating it to begin with, and EternalBlue would have never existed if Microsoft just would have caught the bug during development and testing.
It’s a weird series of events that led up to this massive ransomware campaign, but then was ultimately stopped because they forgot to register the domain of the kill switch. [MUSIC] The Department of Justice showed how they found artifacts in the different variants of the WannaCry malware which led them to believe it was launched by someone in North Korea. But I’m willing to bet that they’re leaving out some key evidence which squarely points to North Korea behind this. The thing is, if the US shows what evidence they have, it might burn their spy channels into North Korea. They have to be very careful on how much they reveal. The indictment reads like a typical digital forensic analysis; you see IP addresses, malware analyzed, user agents, and so many more details that they were able to collect. When the DOJ followed all these threads, it led them to North Korea. Who’s this Park Jin Hyok guy in the indictment?
Well, a journalist for ZDNet, Catalin Cimpanu, really helped me understand this better because he mapped it out and started connecting the dots. This guy Park went from North Korea to China in 2013 to study programming. Specifically, Java, PHP, and Visual C++. At the time, Park was working for a company called Chosun Expo Joint Ventures which is supposedly a company handling e-Commerce and lottery services for North Korea. In 2014, Park returned to North Korea and shortly after his return, North Korea launched a bunch of hacking campaigns. Not to mention, most of the malware used in North Korea was written in the same programming language Park had studied in China. [00:35:00] Now, to carry out these attacks, the hackers had to get servers to use for command and control.
Obviously, they didn’t want to use a server in North Korea, so they rented a server from somewhere else in the world. Now, to rent the server, you had to have an e-mail address. So, the Department of Justice began submitting warrants to figure out what e-mail addresses were registering these servers. On top of that, there were some phishing attacks which also used e-mails. The DOJ was able to get these details and compile all these e-mail addresses during their investigation. Let’s take a look at these e-mail addresses. I count thirty different e-mail addresses in the indictment. Most of them are Gmail accounts, with a few being Hotmail and AOL. Well, since Google is a US-based company, the DOJ can get a warrant and then ask Google for information about these Gmail accounts. From there, they’re able to see what accounts they were connected to and what IP addresses were logging into them, and what browsers were used, and all this kind of stuff.
Six of these accounts had used the name Kim Hyon Woo. As you dig into that, you start seeing connections to Park. Like, both Kim and Park’s accounts had access to the same files and sent mail between each other. The DOJ saw enough evidence to believe that Kim Hyon Woo was an alias of Park Jin Hyok. So, Kim wasn’t even a real person. Then when they followed the clues, they saw that Kim was the person who registered so many of these servers and sent phishing e-mails. They know this because they see commonalities in IP addresses and access to those Gmail accounts, and the browsers used to access them, and connected accounts. All these things together make it clear that the same person owned all these e-mail addresses. So, it seems that over the course of four years during which Park used thirty different e-mail addresses, he made a few mistakes where he accidentally connected his real name to his fake persona.
That’s how the feds figured out who was behind this. The FBI also followed the money. All that Bitcoin, where did it go? Well, it was held in a crypto-wallet at first and then transferred to a Bitcoin exchange. I’m assuming the FBI got logs from the exchange which showed them that whoever accessed the wallet was running Firefox Version 52.0 on Windows 7. At the Bitcoin exchange, they transferred the Bitcoin to Monero, which is another type of cryptocurrency. This has extra security features like the amount of coins sent are hidden and a random one-time address is created for each transaction. Once the money is converted to Monero, it’s extra-hard to track, if not impossible. What else do we really know about these North Korean hackers?
Well, it’s hard to get any good information out of there since it’s so secluded, but I looked into this and found some extra stuff. First, the intelligence agency of North Korea is known as the Reconnaissance General Bureau. This is a military branch that conducts clandestine operations. Now, within the Reconnaissance General Bureau is another branch called Bureau 121, and Bureau 121 is where we believe North Korean hackers are working from. People in the security community call the North Korean hackers The Lazarus Group. There are a couple North Korean defectors that have helped us understand what goes on there in pretty good detail. First is Kim Hueng-kwang. He was a professor at the university at the capital. He says students study computer hacking in this school and then are hand-picked to go to work at Bureau 121.
There’s also a defector named Jang Se-yul. He went to school to study computer science at the same college where Bureau 121 recruits people from. He says Bureau 121 has about 1,800 people working in it, and those people are considered elite members of the military. They’re trained just like any other hacker would be; they learn how different operating systems work, how to program, how to use attack tools, and everything in between. North Korean’s main attack targets seem to be South Korea, Japan, and the United States. But as you heard, they have no problem unleashing huge attacks in other parts of the world. Now, when North Korean hackers wage their attacks, they often physically travel out of North Korea to do it. They’ll go to Nepal, India, Kenya, Mozambique, or China to wage their attacks because the internet in North Korea is pretty locked down, and there’s so many people watching what goes in and out of North Korea.
Stuff can just be easily tracked if they do anything from there so they physically get out of the country, then proxy around from there. There are actually quite a few North Koreans who are able to leave the country. I mean, North Korea competes in the Olympics and has a whole cheering squad and everything. North Korea attends United Nations meetings. North Korea has dozens of embassies all over the world, [MUSIC] and North Korea also sends hackers to other countries to hack. Currently, India seems to be the preferred place from which to launch their attacks. North Korea always fascinates me which is why I wanted to do this three-part series on them. At the same time, I think places like the US are trying to hack into North Korea too, mainly to see how advanced their weapons systems are and to monitor that.
[00:40:00] But it’s just so weird to think about the differences of why the US hacks North Korea and why North Korea hacks the US. The US is hacking into North Korea to keep an eye on their intercontinental ballistic missiles, but North Korea hacks into the US to try to stop a movie from being made which makes fun of North Korea. Whenever we see a cyber-attack, the hackers usually fall into one of three categories. It’s either hacktivism, like doing it for a bigger cause, cyber-crime, which is doing it to make money, or nation state hacking, like, doing it to spy. But the motives for North Korea seems to fall squarely in the center of all three of these. The Lazarus Group are hacktivists, criminals, and spies. But I think this is the perfect military strategy for North Korea. I mean, they’ve made millions of dollars from their hacking activities, and they’ve gotten away with it.
They cause lots of damages to their enemies. Look how much damage they did to Sony, all without firing a single bullet or missile. The whole time, they can deny they did anything. Hacking seems to be the perfect weapon for North Korea since they can do it all remotely, hide under the cover of the internet, face a lot less consequences for their actions, and do it all at a fraction of the cost of kinetic warfare. In July 2020, the European Union imposed sanctions on North Korea. The report specifically mentioned that the Lazarus Group is who carried out the attacks on Sony, did the Bangladesh Bank heist, and conducted WannaCry. It says that there’s now a travel ban in effect because of that, as well as some assets being frozen.
This is the first time ever that the EU has imposed sanctions on another country because of a cyber-attack. While I think it’s totally insane what North Korea has done, trying to steal billions of dollars, trying to threaten the free speech of a movie studio, and trying to destroy a large number of computers with WannaCry, I actually think this isn’t peak-crazy for what North Korea might do next. My guess is that I think we’ll see even more destructive attacks that may even result in loss of life. They obviously have the capability to cause some serious destruction, and they never seem to have any remorse for the damage they cause.
We know they can be provoked to carry out physical attacks, so I think it’s just a matter of time before we see them unleash some kind of cyber-attack that causes major physical havoc. 2017 was a busy year for information security professionals; to go from the Shadow Brokers releasing EternalBlue, then seeing WannaCry use it like this, and then the very next month, in June, is when NotPetya hit Ukraine which also used EternalBlue. The month after that, Equifax was breached. Hopefully these major attacks help us wake up to the dangers that many companies face while doing business online. Hopefully, we all learn from this and take our security a little bit more seriously, because we never know how crazy the hacker might be on the other end of that connection.
(OUTRO): [OUTRO MUSIC] A big thank you to Dr. Tony Bleetman for coming on the show and telling us his story. Thanks John Hultquist, the senior director for intelligence and analysis at FireEye, and thanks Matt Suiche, CEO of Comae. You can find links to these people and what research they’ve done in the show notes or at darknetdiaries.com. Please remember, a lot of time and energy goes into making these episodes and I bring them all to you for free. If you’re getting value by listening, please consider donating to the show through Patreon. By supporting the show, it ensures we have enough resources to continue to bring you more great content.
Oh, and as a thank-you, if you join Patreon, you get access to bonus episodes, too. So, check those out. Learn more at patreon.com/darknetdiaries. Thanks. Also, you’re invited to the Darknet Diaries Discord where you can chat with other listeners of the show. I like to pop in on there sometimes, too. To join us, visit discord.gg/darknetdiaries. This show is made by me, the slow coder, Jack Rhysider. Sound design and original music was created by the always-encrypted Garrett Tiedemann, editing help this episode by the devilish Damienne, and our theme music is by the raucous Breakmaster Cylinder. Even though when I meet up with my other tinfoil hat-wearing friends, I secretly use aluminum foil, this is Darknet Diaries.
[INTRO MUSIC ENDS]
[END OF RECORDING]