wait a moment

Making North Korea WannaCry

On December 18, 2017, Assistant to the President for Homeland Security and Counterterrorism Thomas Bossert publicly attributed the massive “WannaCry” cyberattack to North Korea in a Wall Street Journal article.[i] He followed up his published piece with a White House press briefing the following morning.

Why did the United States government decide to make the public announcement seven months after the attack, after U.S. and British intelligence agencies had already attributed WannaCry to North Korea back in June 2017?[ii]

As of May 17, 2017, the ransomware strain known as “WannaCry” infected more than 400,000 victims across the world[iii] by using the ETERNALBLUE exploit as a propagation method.[iv] Simply put, the strain of malware encrypts the files of the victims’ computers, rendering the files unreadable and the computers unusable unless a ransom was paid in Bitcoin, a common cryptocurrency.

In general, actors carry out ransomware attacks to make a profit. Sanctions seem to be ineffective, considering North Korea’s continuous violations of international nuclear non-proliferation agreements. In response to additional economic sanctions, the regime’s appetite for cryptocurrencies also increases as it seeks to increase its liquidity. This justifies the motive assessment in the attribution of the attack.

However, the attack was actually only successful at clearing approximately $116,00 from 302 separate Bitcoin payments.[v]

Among the Five Eyes countries plus Japan who endorsed Mr. Bossert’s attribution, Britain was the most impacted victim. WannaCry had infected 48 National Health Service (NHS) healthcare centers, amounting to 20% of the nation’s total. The attack’s impact forced medical authorities to cancel and delay patient treatments. Although patient data was not compromised, hospitals scrambled to find new slots for patients who were denied treatment as a result.

According to representatives at the NHS, there were “a lot of ramifications” such as a knock-on effect on all waiting times in healthcare centers, causing people to wait up to six weeks longer.[vi] Although the shutdown of hospital systems had not been the direct cause of patient deaths, Mr. Bossert asserted that indirect repercussions from the delay in treatments “had put lives at risk”.

Why Public Attribution is Abnormal

At first blush, public attribution is odd considering that past condemnations were generally met with North Korean denial and not much else. It can be further argued that past strategies of naming and shaming via indictments of malicious cyber actors from other nation states and criminal organizations have proven to be more of a badge of honor for the actors’ cohort in their home countries.

Between May and December 2017, there was a series of nuclear and ballistic missile tests by North Korea, international sanctions levied against North Korea, and even threats of “fire and fury” by President Trump. The U.S. had seemingly already engaged in North Korea’s game of brinksmanship prior to Mr. Bossert’s announcement.

On the same day that Mr. Bossert’s piece was published in the Wall Street Journal, the White House released the new National Security Strategy (NSS).[vii] The 2017 NSS’s Deter and Disrupt Malicious Cyber Actors Section states the following:

“The United States will impose swift and costly consequences on foreign governments, criminals, and other actors who undertake significant malicious cyber activities. We will work with allies and friends to expand our awareness of malicious activities…” with a focus on strategic deterrence.[viii]

Furthermore, the NSS lays out its commitment to “swift and costly consequences on foreign governments”.

In line with the new strategy, Mr. Bossert mentioned in his White House press briefing that the governments of Five Eyes (U.S., Britain, Australia, New Zealand, and Canada) and Japan have agreed to publicly denounce North Korea for WannaCry.

However, we have not seen a public response or retaliation from the Five Eyes plus Japan. There are two possible reasons for this: one is covert operation, and the other is a buildup of justification for further actions against North Korea. First a potential way to indirectly claim cover operations against North Korea, or second -and more likely- an attempt to build a case against North Korea for future action.

Claiming Covert Operations

In conflict, it is always difficult to assess what the adversary sees and believes. Therefore, if members of the Five Eyes were to launch a covert operation against North Korea in retaliation, it would be prudent not to publicly indicate who was most likely behind the attack.

With covert action, one can manipulate the adversary’s perception without repercussion or condemnation from the international community. If we look at a timeline of relevant events we observe the following:

  • North Korea launches the WannaCry ransomware attack
  • U.S. publicly declares that North Korea wantonly and recklessly conducted the attack
  • The U.S., in a public document, declares says that cyberattacks will be met with consequences

Following this timeline, hypothetically if North Korea were to be hit with a cyber response covertly, it would be logical for them to conclude with a decent degree of confidence that it was the U.S. and/or the Five Eyes operating jointly based on circumstantial evidence correlating the statements with the NSS and accusations made a high ranking official from the Department of Homeland Security who is tasked with protecting U.S. critical infrastructure, instead of a representative from the U.K. who was the most severely impacted in the attacks.

Building a case against North Korea

A more likely reason behind the public attribution would be to build confidence in the U.S.’s cyber intelligence competency as well as to provide a different dimension of justification of further action against North Korea outside of the scope of their current violations.

The case for North Korea as a dangerous nuclear state has already been well established in the international community. North Korea has demonstrated a continued and blatant disregard for international norms with the significant number of nuclear and ballistic missile test between November 2016 and July 2017.

The NSS mentions North Korea 13 times, with most mentions embedded in sections with titles of “Priority”. By treating the attacks against critical infrastructure and “putting [civilian] lives at risk”,[ix] the public attribution could add fuel to the justification for a form of limited military action against North Korea.

It is key to note that the Mr. Bossert did not assert that North Korea is an irrational actor, but rather that they are “reckless”. This type of language presents a distinct image of North Korea as unable to properly control or consider negative externalities as a result of their actions, ultimately creating a potential danger for those who would not consider themselves a primary target of North Korean operations.

In sum, the joint NSS publication and public attribution is a new avenue for the U.S. to build a case that North Korea is a rogue state that must be stopped at all costs.


In the past, naming and shaming worked against Russian or Chinese Advanced Persistent Threats (APTs) because it could force the attackers to shift their tactics, techniques, or procedures after realizing they had been discovered. The tactic could also serve as a basis for bilateral negotiations to deescalate tensions[x]. However, this does not seem to be the case with North Korean APTs, let alone the regime’s general behavior.

It seems that the U.S. government has attributed the WannaCry attacks to North Korea as tactic of minimal escalation in conjunction with an attempt at diplomatic deterrence.

Nevertheless, the next attributable cyberattack is likely to be met with a response in line with the NSS’s promise to “impose swift and costly consequences”.


[i] Bossert, Thomas. “It’s Official: North Korea Is Behind WannaCry.” The Wall Street Journal, December 18, 2017. Accessed February 1, 2018. https://www.wsj.com/articles/its-official-north-korea-is-behind-wannacry-1513642537

[ii] Alex Hern and Ewan MacAskill, “WannaCry ransomware attack ‘linked to North Korea’,” The Guardian, June 16 , 2017, https://www.theguardian.com/technology/2017/jun/16/wannacry-ransomware-attack-linked-north-korea-lazarus-group.

[iii] Hutchins, Marcus. Twitter Post. May 19, 2017, 7:50 PM. https://twitter.com/MalwareTechBlog/status/865761555190775808

[iv]An earlier version of the malware before the global epidemic leveraged Mimikatz to dump passwords and then spread through a network https://www.symantec.com/connect/blogs/wannacry-ransomware-attacks-show-strong-links-lazarus-group

[v] Johnson, Tim. “Here’s one tally of the losses from WannaCry cyberattack.” Phys.org – News and Articles on Science and Technology. May 25, 2017. Accessed February 25, 2018. https://phys.org/news/2017-05-tally-losses-wannacry-cyberattack.html.

[vi] Neville, “NHS fights to restore services after global hack,” Financial Times , May 13, 2017, https://www.ft.com/content/fa5ed73a-37e7-11e7-ac89-b01cc67cfeec

[vii] The White House, National Security Strategy of the United States of America, December 2017 (Washington, DC, 2017), https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf

[viii] The White House, National Security Strategy of the United States of America, December 2017 (Washington, DC, 2017), 13, https://www.whitehouse.gov/wp-content/uploads/2017/12/NSS-Final-12-18-2017-0905.pdf

[ix] Bossert, Thomas. “Press Briefing by Assistant to the President for Homeland Security and Counterterrorism. ” The White House, December 19, 2017. https://www.whitehouse.gov/briefings-statements/press-briefing-on-the-attribution-of-the-wannacry-malware-attack-to-north-korea-121917/

[x] Mandia, Kevin. “FireEye CEO: Need to Take North Korea’s Cyber Threat Seriously.”CNBC, CNBC, 20 Feb. 2018, www.cnbc.com/video/2018/02/20/fireeye-ceo-need-to-take-north-koreas-cyber-threat-seriously.html.