Fake Russian Metadata that Will Do Nothing to Prevent Nuclear War

Apparently I’m not the only one troubled by Tom Bossert’s attribution of WannaCry to North Korea the other day.

In this post, Jack Goldsmith suggests the attribution will do nothing for deterrence.

He said that he thought the public attribution alone, without more, accomplished something important in holding North Korea accountable. As he put it, somewhat confusingly, later:

It’s about simple culpability. We’ve determined who was behind the attack and we’re saying it. It’s pretty straightforward. All I learned about cybersecurity I learned in kindergarten. We’re going to hold them accountable and we’re going to say it. And we’re going to shame them for it.

There you have it: The U.S. government thinks that naming and shaming by itself is a useful response to a cyberattack that caused billions of dollars of damage (though relatively little in the United States) and targeted precisely the types of critical infrastructure officials have long warned was a red line.


it’s not just that name and shame is ineffective. For at least two reasons, it is counterproductive for the United States to take evident pride in an attribution of a major cyberattack that it at the same time concedes it lacks the tools to retaliate against or deter. First, the consequence of the attribution, and the emphasis on the damage caused by WannaCry, is to raise expectations, at least domestically, about a response. Second, the effect of such a drum-beating attribution and statement of damage, combined with a weak response, is to reveal what has been apparent for a while: “We currently cannot put a lot of stock … in cyber deterrence,” as former DNI Clapper last year. “It is … very hard to create the substance and psychology of deterrence.” When we overtly signal to North Korea that we have no tools to counteract their cyberattacks, we invite more attacks by North Korea and others—though to be fair, for the reasons Inglis stated, North Korea already has plenty of incentive, since cyber is a relatively inexpensive but very consequential tool for it, and since the United States has already imposed such extensive sanctions and seems out of tools.

I must be missing something here. Probably what I am missing is that the public attribution sends an important signal to the North Koreans about the extent to which we have penetrated their cyber operations and are watching their current cyber activities. But that message could have been delivered privately, and it does not explain why the United States delayed public attribution at least six months after its internal attribution, and two months after the U.K. had done so publicly.

In this thread, Emily Maxima notes that not everyone in the Infosec community agrees with this attribution (here’s an old piece I did on some oddities with it) and worries that the attribution might be used to justify war with North Korea.

So in the context of a potential hot-war with DPRK, the attribution chain from Wannacry to DPRK is *really* fucking important.

She then goes on to explain one of her concerns about the attribution to Lazarus group.

A few months back, I was doing some research into malware that used obfuscation mechanisms in their campaigns and code that could be used to misattribute them to other actors/nations.

It turns out, Lazarus group was one of these actors that had examples of misleading operation that made it seem like it was made in Russia, but was likely built to act as a false flag deus ex machina to lead researchers away from the true actors.


[W]e’re talking about an increasingly tense situation where the largest attack on networked computer infrastructure in probably the last 5 years may be pinned on a group known for running false flag operations.

She points to this article that shows that some 2016 watering hole attacks that had targeted Polish and Mexican bank supervisor sites, which might be associated with Lazarus, used Russian words as a false flag to hide their origin.

In spite of some ‘Russian’ words being used, it is evident that the malware author is not a native Russian speaker.

Of our previous examples, five of the commands were likely produced by an online translation. Below we provide the examples and the correct analogues for reference:

Word Type of error Correct analogue
“ustanavlivat” omitted sign at the end, verb tense error “ustanovit'” or “ustanoviti”
“poluchit” omitted sign at the end “poluchit'” or “poluchiti”
“pereslat” omitted sign at the end “pereslat'” or “pereslati”
“derzhat” omitted sign at the end “derzhat'” or “derzhati”
“vykhodit” omitted sign at the end, verb tense error “vyiti”

Another example is “kliyent2podklyuchit”. This is most likely a result of an online translation of “client2connect” (which means ‘client-to-connect’). In this case, the two words “client” and “connect”were translated separately, then transliterated from the Russian pronunciation form into the Latin alphabet and finally joined to produce “kliyent2podklyuchit”.


Internally, the ActionScript also uses transliterated Russian words, similar to the tactic seen in the bot code:

Transliterated Russian words used in AS Translated from Russian
Podgotovkaskotiny Preparation of farm animals
geigeigei3raza Hey, hey, hey 3 times
chainik Dummy (a stupid person)
chainikaddress Dummy’s address
poishemdatu Let’s search for data
poiskvpro Searching in ‘pro’
vyzov_chainika Calling the dummy (a stupid person)
daiadreschainika Get address of the dummy
runskotina Execute farm animals
babaLEna Old woman Lena

As seen in the table, while the words are technically Russian, their usage is out-of-context.

In one code fragment, the ActionScript contains both “chainik” and “dummy”:

01 private function put_dummy_args(param1:*) : *
02 {
03 return chainik.call.apply(null,param1);
04 }
05 private function vyzov_chainika() : *
06 {
07 return chainik.call(null);
08 }

As such, it is obvious that the word “dummy” has been translated into “chainik”. However, the word “chainik” in Russian slang (with the literal meaning of “a kettle”) is used to describe an unsophisticated person, a newbie; while, the word “dummy” in the exploit code is used to mean a “placeholder” or an “empty” data structure/argument.

The BAE analysis suggests that this incorrect usage is evidence proving the attackers are not native Russian speakers (leaving open the possibility they’re North Korean, though the report doesn’t attribute that aggressively).

I point to all this because of my continuing obsession with attacks featuring Russian metadata — starting from the first stolen Democratic files released by Guccifer 2.0 in June 2016 to faked Macron leak documents and extending to metadata ShadowBrokers left in some SWIFT files released in April — that served to deflect blame.

Perhaps it’s just fashionable to blame Russians these days.

Mind you, that other Russian metadata is for a totally unrelated watering hole attack, not for WannaCry. It’s worth remembering, however, that in addition to using Lazarus code, WannaCry also appears to have used code from Metasploit.

Ah well. I guess none of this will matter when North Korea nukes Seoul.

12 replies
  1. Rapier says:

    It fashionable and downright de rigueur to blame Russia for whatever one can come up with to blame them for, among, and I hate to say it, the elites. Blaming Putin is the little black dress of the DNC, always in fashion. Congress critters on the R side pretty much always express eagerness to march in person to the battle lines at the Russian Federation border to fight for freedom when some Nationalist pol from Estonia, to Poland, To Kiev, to Georgia by the Black Sea, talk Russian invasion. And then there’s Trump.

    So we ended up with a fruitcake leading, . (that’s nobody) Well there was Jarid and Flynn. Well sometimes Flynn. Leading a crack team of nobody to, well to who knows where, is the course now and isn’t the stock market great.

  2. earlofhuntingdon says:

    Hard for me to avoid the conclusion that these sorts of announcements are not policy or strategy based, as counters to an opponent’s moves.  They are the most convenient distraction of the moment for Donald Trump.

    If Trump doesn’t or can’t read, if he lives on twitter, Big Macs and Faux News, if his advisers are so afraid of his Caligula-like instability that they hide news from him or lie to him like a Cold War Russian statistician, then we’re not talking about policy or strategy. 

    We’re talking about how to manage an idiot who has been put in charge, who needs a fix of Pencian adoration instead of alcohol or an opioid, and who uses the nearest outrage of convenience to keep the guy with the safety pin from pricking his bubble.

    • SpaceLifeForm says:

      Fake metadata leads to false attribution.

      It ‘proves’ that someone wants to hide their tracks and allow other groups to be blamed.

      Tor makes things easier to falsely attribute because not only can the ‘traces of origin’ be faked within the malware itself, internet traffic can via Tor, lead to further false attribution because it can lead analysts to falsely ‘confirm’ that the original traces also tie to ip addresses from the alleged country of origin.

      Double false flag.

      Tor has been around much longer than Lazarus. And Lazarus has been blamed for SWIFT attacks, And according to TSB dumps, NSA also had tools to attack SWIFT.

      Spy vs Spy.

      With Tor, both NSA and CIA can be doing the false attribution dance.

      Some dots:


      The core principle of Tor, “onion routing”, was developed in the mid-1990s by United States Naval Research Laboratory employees, mathematician Paul Syverson, and computer scientists Michael G. Reed and David Goldschlag, with the purpose of protecting U.S. intelligence communications online.


      The earliest known attack that the group is responsible for is known as “Operation Troy”, which took place from 2009–2012. This was a cyber-espionage campaign that utilized unsophisticated distributed denial-of-service attack (DDoS) techniques to target the South Korean government in Seoul. They are also responsible for attacks in 2011 and 2013. It is possible that they were also behind a 2007 attack targeting South Korea, but that is still uncertain.


      In its release, WikiLeaks described the primary purpose of “Marble” as to insert foreign language text into the malware to mask viruses, trojans and hacking attacks, making it more difficult for them to be tracked to the CIA and to cause forensic investigators to falsely attribute code to the wrong nation. The source code revealed that Marble had examples in Chinese, Russian, Korean, Arabic and Persian.

  3. Watson says:

     ‘none of this will matter when North Korea nukes Seoul.’
    I assume that Kim Jong-un is not nearly as ignorant and crazy as Trump. (He couldn’t be, right?) The problem is that Kim occupies the top spot in what is essentially a divine monarchy.
    Trump obviously thinks that his Don Rickles-type insult humor is quite clever, but there might come a point at which Kim feels that he has an obligation to his subjects to retaliate for the assaults on his godly status.

  4. bell says:

    “Perhaps it’s just fashionable to blame Russians these days.”

    – indeed… and why is that? cold war 2 has been on tap for how many years now? it sure ramped over ukraine in 2014, and it was op tap in syria 2012 onward, but somehow it is all about what a bozo trump is and how he was cosing up to the russkies, or how russia stole clintons election and on and on..  trump is just another self serving maniac in a long list of them who have held the esteemed office of president of the usa.. any cosing up to russia he did was totally self serving, in spite of any pretensions otherwise… those looking for an excuse to blame russia for this, that and the other thing have no shortage of opportunities.. the western msm is in the gutter and left most of its readers in the same hole..

  5. SpaceLifeForm says:

    So, should one assume that it was really the russian troll armies that meddled in 2016?

    Maybe not so clear. Yeah, attribution again.


    The initiative is run by a little-known Facebook global government and politics team that’s neutral in that it works with nearly anyone seeking or securing power. The unit is led from Washington by Katie Harbath, a former Republican digital strategist who worked on former New York Mayor Rudy Giuliani’s 2008 presidential campaign.

  6. orionATL says:

    – once the technique of generating and disseminating fake russian identifying and routing information (metadata) has become widespread what’s the point of continuing to use it.

    – wouldn’t repeatedly using fake routing and internet ids lead in time to errors, some embarrassing?

    – eventually the russians should find this a useful technique for their own stuff – well, if if weren’t for pesky kaspersky.

    – in the end, fake russian just becomes a mask to hide behind until some clever lass figures out how to test for and translate it. “ah, it’s lazarus or mexican drugga, again.

  7. greengiant says:

    Lot of effort on a attack directed at air gapped Windows XP and 7.0, read voting machines, ATMs infrastructure/centrifuge controls?. In the day there were rumors that white hats would sic a virus out to auto update all targets. The results of Wanna-cry was that Microsoft came out with an XP update. I don’t know, was this a clean up attack, a controlled release of new back doors, an attack to capture new targets, add some more alternatives.
    Maybe it is not about North Korea, maybe this is just misdirection that Wanna-Cry has nothing to do with 2016. Or maybe the audience is Putin or China because someone has helped Kim get bigger rockets yes?

    • orionATL says:

      so could n. koreanos be gucifer 2zero?

      did lazrus steal dem docs and sell to n. koreanos, russians, etc.?

      so many possibilities in this hall of mirrors.

      but gov says gru and fsb did the dirty deed.

      gov has got the analysts and the motive to get the analysis right. how come they are assumed to be dolts by some of the self-styled cognoscenti? i’m thinking of a few dead-end commenters and trolls here, and the dissenting report from the five ex-fbi, ex-nsa types.

      this is where an experienced intell analyst can earn his pay. maybe peter strozok should be taken out of the h. r. file room.

Comments are closed.