US short of options to punish North Korea for serious cyberattack
By MATTHEW PENNINGTON AND KEN THOMAS | Associated Press | Published: December 19, 2017
WASHINGTON — The Trump administration vowed Tuesday that North Korea would be held accountable for a May cyberattack that affected 150 countries, but it didn't say how, highlighting the difficulty of punishing a pariah nation already sanctioned to the hilt for its nuclear weapons program.
The WannaCry ransomware attack infected hundreds of thousands of computers worldwide and crippled parts of Britain's National Health Service. It was the highest-profile cyberattack North Korea has been blamed for since the 2014 hack of Sony Pictures after it produced "The Interview," a satirical movie imagining a CIA plot to kill leader Kim Jong Un.
While that destructive attack led to leaks of confidential data from the movie studio and emails that embarrassed Sony talent, the implications of the WannaCry intrusion were altogether more serious. Homeland security adviser Tom Bossert said it was "a reckless attack and it was meant to cause havoc and destruction." He said it put lives at risk in British hospitals.
Other experts say the attack was more likely an attempt by Kim's cash-strapped government to extract money. Last year, the same hacking group was suspected in a malware attack that penetrated the Bangladesh Central Bank's computer system, stealing $81 million.
Whatever the motivation, the public declaration of blame by Washington reflects growing concern over North Korea's cyber capabilities that appear all the more threatening because of Pyongyang's scant regard for international norms. North Korea is the only country to test nuclear weapons this century and is closing in on a missile that could strike anywhere on U.S. mainland.
"President Trump has used just about every lever you can use, short of starving the people of North Korea to death, to change their behavior," Bossert told reporters at the White House. "And so we don't have a lot of room left here to apply pressure to change their behavior."
In a sign of continuing malevolent online activity, Microsoft and Facebook said Tuesday that they worked together last week to help disable hackers tied to the same hacking group that was behind WannaCry.
Under Trump, the U.S. has piled on economic sanctions against North Korea, both on its own and with wide international support. Secretary of State Rex Tillerson said Tuesday that the pressure campaign "will be intensified as time goes by." Experts say North Korea's access to hard cash could be further hurt by more targeting of Chinese intermediary banks and companies, but U.S. options for punishing steps are limited.
"Sanctions on North Korea really aren't going to change its behavior," said James Lewis, a technology and intelligence expert at the Center for Strategic and International Studies, who proposes not just targeting North Korea's revenue sources but also its government's own limited access to the internet. "Sending a carrier battle group off North Korea won't get them to stop hacking."
In January 2015, President Barack Obama responded to the Sony attack by imposing sanctions on North Korea's primary intelligence agency and a state corporation involved in ballistic missiles and arms trading, as well as on officials who worked for it. He also warned of further unidentified actions that would take place "at a time and manner of our choosing."
If any further action was taken, it was never made public.
While experts say North Korea lacks the elite capabilities of Russia or China, it has honed its cyber skills and has been accused of increasingly serious attacks.
South Korea, which said in 2015 that North Korea had a 6,000-member cyberarmy, says the North was suspected of hacking a South Korean military data center. Last year, the North was also accused of hacking the personal data of more than 10 million users of an online shopping site and dozens of email accounts used by government officials and journalists. It is also suspected of targeting South Korean banks and the operator of the nation's nuclear power plants.
"Their technical abilities are not the best out there, but they are plenty good enough to find a weak point and take advantage of it," said Benjamin Read, manager for cyberespionage analysis at online security provider FireEye.
FireEye says that in September it detected and stopped spear phishing emails sent to U.S. electric companies by a group affiliated with the North Korean government, though it did not observe the use of any method designed to compromise power supply. They also believe that North Korean hackers are targeting bitcoin exchanges to supplement the government's income.
Bossert said Microsoft and foreign governments, including the United Kingdom, Australia, Canada, New Zealand and Japan, confirmed the U.S. finding of responsibility for WannaCry. He said the U.S. seeks to partner with other nations and the private sector to prevent future attacks.
While WannaCry raised relatively little money for its perpetrators — few paid up after it proved that paying the ransom didn't unlock affected computers — its impact was vast. Government offices in Russia, Spain and other countries were disrupted, as were Asian universities, Germany's national railway and global companies such as automakers Nissan and Renault.
British hacker Marcus Hutchins disarmed the attack by identifying a "kill switch" in the code. In a twist, the FBI arrested Hutchins months later during a visit to the U.S.; he pleaded not guilty and awaits trial on charges he created unrelated forms of malware.
Associated Press writers Matt O'Brien in Ridgefield Park, New Jersey, and Josh Lederman in Ottawa, Canada, contributed to this report.