Five years on from Wannacry attack – Mandiant

Today, May 12, marks five years since WannaCry, the ransomware attack attributed to North Korea that propagated worldwide by exploiting a Microsoft vulnerability.

Jens Monrad, Head of Threat Intelligence, EMEA at Mandiant comments on how the cyber capabilities of North Korea have evolved in the half a decade since the incident:

“As well as being one of the most widespread and destructive ransomware attacks, WannaCry was a watershed moment for North Korean state-backed cyber operations. It indicated the capabilities and the willingness of the isolated regime – with little incentive to ‘play by the rules’ – to inflict damage against other nations in pursuit of its national interests. This trend continues five years on, with North Korea using its cyber capabilities to support both its political and national security priorities, as well as financial goals.

“Today, while the ‘Lazarus Group’ is often used as an umbrella term for North Korean cyber operators, in reality there are several different clusters that operate as distinct cyber units to fulfil different objectives for the state. For example, the country’s espionage operations are believed to be reflective of the regime’s immediate concerns and priorities, which is likely currently focused on acquiring financial resources through crypto heists, targeting of media, news, and political entities, information on foreign relations and nuclear information.

“At the same time, overlaps in infrastructure, malware, and tactics, techniques and procedures of North Korean groups indicates that there are shared resources amongst cyber operations and therefore overarching coordination. Our assessments suggest that most of North Korea’s cyber operations, including espionage, destructive operations, and financial crimes, are primarily conducted by elements within the Reconnaissance General Bureau.

“Half a decade on from WannaCry, North Korean groups continue to pose a severe threat. We must continue gathering intel about their structure and capability to identify targeting patterns that can inform a proactive defence.”

More information on North Korean threat groups can be found in Mandiant’s blog, Not So Lazarus: Mapping DPRK Cyber Threat Groups to Government Organizations