At a White House press briefing on December 19, 2017, President Donald Trump’s Homeland Security Advisor Tom Bossert publicly attributed the destructive WannaCry cyberattack to North Korea.
Over a period of several days in May 2017, the WannaCry ransomware crippled hundreds of thousands of personal and corporate computer networks in over 150 countries, until a UK computer security researcher, Marcus Hutchins, inadvertently discovered a “kill-switch” in the malware’s code that disabled the attack. Until Tuesday, the attack had not been publicly attributed to any particular state or non-state actor.
“After careful investigation, the United States is publicly attributing the massive WannaCry cyberattack to North Korea,” Bossert said during the briefing. “We do not make this allegation lightly. We do so with evidence, and we do so with partners.”
Bossert went on to praise corporate partners, in particular Microsoft and Facebook, for their role in disabling North Korean hacking and cyber operations directed towards the U.S. “Last week, Microsoft and Facebook and other major tech companies acted to disable a number of North Korean cyber exploits and disrupt their operations as the North Koreans were still infecting computers across the globe. They shut down accounts the North Korean regime hackers used to launch attacks and patched systems.”
Bossert then introduced Jeanette Manfra, Assistant Secretary for the Office of Cybersecurity for DHS. Bossert and Manfra went on to repeatedly stress the importance of public-private sector cooperation in cybersecurity matters. “In many ways, WannaCry was a defining moment and an inspiring one,” Manfra said. “It demonstrated the tireless commitment of our industry partners, a moment that showed how the government and private sector got it right; that our preparation, our investments in cybersecurity, keeping our systems up to date, and sharing information paid off.”
The Assistant Secretary also called for strengthening international cooperation with regard to cyber: “To prevent another attack like WannaCry, we are calling on all companies to commit to the collective defense of our nation. And this commitment does not end on our borders… it is only through international partnerships that the United States had time to prepare.”
On December 26, 2017, North Korea’s envoy in charge of U.S. affairs at the UN, Pak Song Il, demanded that the U.S. prove that the North Koreans were behind WannaCry. North Korea’s state-controlled media denounced the U.S.’s allegations as “reckless.”
Comments on the Recent Indictment of Marcus Hutchins
During the briefing, a reporter asked Bossert for comments on the recent DOJ indictment of Marcus Hutchins on unrelated computer fraud charges in early August. The DOJ has charged Hutchins over his alleged involvement with the Kronos banking Trojan, which experts believe was created in 2014 and distributed via the now-defunct cryptocurrency exchange AlphaBay. Hutchins is currently awaiting a court date, and has pleaded not guilty to the charges.
Bossert declined to comment on the ongoing criminal prosecution. He did acknowledge Hutchins’ role in disabling WannaCry, saying that “we… had a programmer that was sophisticated, that noticed a glitch in the malware, a kill-switch, and then acted to kill it. He took a risk, it worked, and it caused a lot of benefit. So we’ll give him that.”
Bossert did not give Hutchins all, or even most, of the credit, however. “[I]t wasn’t luck — it was preparation,” he clarified. “[I]t was partnership with private companies, and so forth.”
Hutchins’ indictment had come as a shock to the cybersecurity community, which considered him something of a hero for his role in disabling WannaCry. Immediately following his arrest, many of his colleagues took to Twitter to voice their skepticism of the charges. In September, however, Brian Krebs, an American investigative reporter and cybersecurity blogger, published an in-depth investigative piece titled “Who is Marcus Hutchins” on his popular cybersecurity blog, KrebsOnSecurity. In intricate detail, complete with screenshots of his process as well as a mindmap of his data points, Krebs excavates the dozens of online pseudonyms, email addresses, and posts in hacker forums linked to Hutchins’ early online accounts. He manages to link Hutchins to several online personas involved in selling malicious software on hacker forums.