The Trump administration publicly declared that the North Korean government was responsible for the WannaCry ransomware attack, which struck more than 150 countries around the world in May.
First in an op-ed in The Wall Street Journal on Dec. 18, and then in a public appearance on Dec. 19, Thomas Bossert, the White House homeland security adviser, declared that the administration now has enough evidence to conclusively attribute the attack to North Korea. The attack, as Boosert notes, “encrypted and rendered useless hundreds of thousands of computers in hospitals, schools, businesses and homes.”
“We do not make this allegation lightly. It is based on evidence,” Bossert wrote in the op-ed. “We are not alone with our findings, either. Other governments and private companies agree. The United Kingdom attributes the attack to North Korea, and Microsoft traced the attack to cyber affiliates of the North Korean government.” Cybersecurity researchers suspected in the immediate aftermath of the attack that it was linked to North Korea, but the evidence was deemed inconclusive.
On Tuesday, according to CBS News, Bossert said during a briefing at the White House that Canada, New Zealand and Japan have seen the Department of Homeland Security’s analysis “and agree with the U.S. conclusion,” CBS reports. Bossert said that the U.S. “looked not only at operational infrastructure, but [also] tradecraft and routine used in past attacks.”
CBS reports: “Bossert also noted that the North used intermediaries to carry out the attacks. Though he didn't say where those intermediaries were, he noted that outside North Korea, hackers would have access to better technology and tools than are likely available in the North.”
Attributing cyberattacks to specific sources is often extremely difficult, and Bossert acknowledged the administration “took a lot of time to look through classified and sensitive information.” The United States was able to make a “confident” attribution. “We can’t get it wrong. We can't rush it,” he said.
Bossert also disclosed that Microsoft and Facebook acted last week to disable a number of potential North Korean cyberattacks, Reuters reports. “Facebook took down accounts and stopped the operational execution of ongoing cyber attacks and Microsoft acted to patch existing attacks, not just the WannaCry attack initially,” he said.