In media res: the FBI’s WannaCry Attribution

I’ve been working through the complaint charging Park Jin Hyok with a slew of hacking attributed to the Lazarus group associated with North Korea. Reading it closely has led me to be even less convinced about the government’s attribution of the May 2017 WannaCry outbreak to North Korea. It’s going to take me a series of posts (and some chats with actual experts on this topic) to explain why. But for now, I want to point to a really suspect move the complaint makes.

The FBI’s proof that Park and Lazarus and North Korea did WannaCry consists, speaking very broadly, of proof that the first generation of the WannaCry malware shared some key elements with other attacks attributed to Lazarus, and then an argument that the subsequent two generations of WannaCry were done by the same people as the first one. While the argument consists of a range of evidence and this post vastly oversimplifies what the FBI presents, three key moves in it are:

  • The earlier generations of WannaCry are not known to be publicly available
  • Subjects using a known Lazarus IP address were researching how to exploit the Microsoft vulnerability in the weeks before the attack
  • Both WannaCry versions 1 and 2 cashed out Bitcoin in a similar way (which the complaint doesn’t describe)

For now, I’m just interested in that middle point, which the complaint describes this way:

221. On March 14, 2017, Microsoft released a patch for a Server Message Block (SMB) vulnerability that was identified as CVE-2017-0144 on its website, Microsoft attempted to remedy the vulnerability by releasing patches to versions of Microsoft Windows operating systems that Microsoft supported at the time. Patches were not initially released for older versions of Windows that were no longer supported, such as Windows XP and Windows 8.

222. The next month, on April 15, 2017, an exploit that targeted the CVE-2017-0144 vulnerability (herein the “CVE-2017-0144 exploit”) was publicly released by a group calling itself the “Shadow Brokers.”

223. On April 18, 2017 and April 21, 2017, a senior security analyst at private cyber security company RiskSense, Inc. (“RiskSense”) posted research on that exploit on his website:

224. On May 9, 2017, RiskSense released code on the website with the stated purpose of allowing legal “white hat” penetration testers to test the CVE-2017-0144 exploit on unpatched systems. Essentially, RiskSense posted source code that its employees had reverse-engineered for the CVE-2017-0144 exploit, which cyber security researchers could then use to test vulnerabilities in client computer systems. I know based on my training and experience that penetration testers regularly seek to exploit vulnerabilities with their customers’ consent as a proof-of-concept to demonstrate how hackers could illegally access their customers’ systems.

225. On May 12, 2017, a ransomware attack called “WannaCry” (later identified as “WannaCry Version 2,” as discussed below) began affecting computers around the globe.


242. Records that I have obtained show that the subjects of this investigation were monitoring the release of the CVE-2017-0144 exploit and the efforts by cyber researchers to develop the source code that was later packaged into WannaCry Version 2:

a. On numerous days between March 23 and May 12, 2017, a subject using North Korean IP Address #6 visited, the general domain where Microsoft hosted specific webpages that provide information about Microsoft products, including information on Windows vulnerabilities (including CVE-2017-0144), although the exact URL or whether the information on this particular CVE was being accessed is not known.

b. On April 23, April 26, May 10, May 11, and May 12, 2017, a subject using North Korean IP Address #6 visited the blog website, where, on April 18, 2017 and 21, 2017, a RiskSense researcher had posted information about research into the CVE-2017-0144 exploit and progress on reverse-engineering the exploit; RiskSense subsequently released the exploit code on

According to the in media res story told by the FBI, the following is the chronology:

March 14: Microsoft drops a vulnerability seemingly out of the blue without publicly calling attention to it

Starting on March 23: Someone using known Lazarus IP address #6 tracks Microsoft’s vulnerabilities reports (note, the FBI doesn’t mention whether this was typical behavior or unique for this period)

April 15: Shadow Brokers releases the Eternal Blue exploit

April 18 and 23: RiskSense releases a reverse engineered version of Eternal Blue

Starting on April 23 and leading up to May 12: Someone using that same known Lazarus IP #6 makes a series of visits to the RiskSense site that released an exploit reverse engineered off the Shadow Brokers release

May 12: A version of WannaCry spreads across the world using the RiskSense exploit

Of course, that’s not how things really happened. FBI neglects to mention that on January 8, Shadow Brokers offered to auction off files that NSA knew included the SMB exploit that Microsoft issued a patch for on March 14.

Along with that important gap in the narrative, the FBI Agent who wrote the affidavit behind this complaint, Nathan Shields, is awfully coy in describing Shadow Brokers simply as “a group calling itself the ‘Shadow Brokers.'” While the complaint remained sealed for three months, by June 8, 2018, when the affidavit was written, the FBI assuredly knew far more about Shadow Brokers than that it was a group with a spooky name.

As public proof, DOJ signed a plea agreement with Nghia Pho on November 29 of last year. Pho was reportedly the guy from whose home computer some of these same files were stolen. While the publicly released plea has no cooperation agreement, the plea included a sealed supplement, which given the repeated delays in sentencing, likely did include a cooperation agreement.

Pho is due to be sentenced next Tuesday. The sentencing memos in the case remain sealed, but it’s clear from the docket entry for Pho’s that he’s making a bid to be treated in the same way that David Petraeus and John Deutsch were — that is, to get a misdemeanor treatment and probation for bringing code word documents home to store in an unlocked desk drawer — which would be truly remarkable treatment for a guy who allegedly made NSA’s hacking tools available for theft.

And while it’s possible that FBI Agent Shields doesn’t know anything more about what the government knows about Shadow Brokers than that it has a spooky name, some of the folks who quoted in the dog-and-pony reveal of this complaint on September 6, not least Assistant Attorney General John Demers, do know whatever else the government knows about Shadow Brokers.

Including that the announcement of the sale of Eternal Blue on January 8 makes the searches on Microsoft’s site before the exploit was actually released on April 15 one of the most interesting details in this chronology. There are lots of possible explanations for the fact that someone was (as the FBI’s timeline suggests) searching Microsoft’s website for a vulnerability before the import of it became publicly known.

But when you add the January 8 Shadow Brokers post to the timeline, it makes culprits other than North Korea far more likely than the FBI affidavit makes out.

13 replies
  1. roger p tubby says:

    I don’t have the talent/skills/resources to track through these things like you have. But bravo for getting these timelines out there for visibility and further discussion. (Where do you find the time?)

  2. oldoilfieldhand says:

    Amazing Marcy! Not sure how you manage to keep up with so many parts of the puzzle @ once, but am eternally grateful for the work that you do!

    Can someone who is not a lawyer still be appointed to the Supreme Court?

  3. orionATL says:

    i’m glad to be able to read something substantive rather than the detritus from the trump derecho.

    speaking of that wind, though, it does occur to me that the doj publicity about north korean citizen park jyn huok might be connected to the trump admin’s recent follies with n. korea and nuclear arms which had predictable unfruitful results, but has surprised and annoyed the u.s. perpetrator of those follies.

    in any event, this doj activity must surely have some connection to the doj/fbi harrassment of marcus hutchins (malware tech) which ew has also been covering.

    as for n. korean responsibility for eternal blue/wanna cry, that may be the case, but n. korea is very isolated and needs anti-u.s. support to survive. i have read the russian government provides some of this support and now china.

    finally, and most importantly for me, i have long been annoued by the extremely muted response of the obama administration to the russian attack on the u.s. election process of 2016. the conventional explanation is that they did not want to be appearing to be favoring clinton. that may be so, but a lot of the u.s.response could have been covert, a very powerful covert u.s. internet/digital attack on russia and any of its collaborators (moldavia) using the capability of the nsa activity. this did not happen. why?

    in my not so well informed mind, one explanation for the obama admin’s very timid response to the russian attack may have been the shadowbrokers’ summer 2016 public boast about having control of the nsa’s most powerful microsoft pc systems intrusion tools. a boast that coincided with months of russian efforts to interfer in the u.s. federal elections, damaging the candidacy of secretary clinton and boosting the candidacy of developer donald trump.

    i worry that the obama admin’s timidity may have been because it understood very well what shadowbrokers had taken possession of, and, far more importantly, what damage the russians (or an ally acting for them) coiuld have done across the globe.

    in terms of damage to organizational operations, the results could have been analogous to a barrage of low-level nuclear weapons being detonated on targets across north america, europe, and asia, affecting at the least many tens of millions of people.

    • Kevin says:

      I believe Marcy has suggested this same scenario. It will be interesting when all is said and done to see the full role of the Shadow Brokers in all of this…

      • orionATL says:

        look, hotshot. i come here every day to get a corrected version of current events. 90% of what i write here is derivative of posts here, of comments here, or of cites i bring here. the other 10% (or less :) ) is reasonably imaginative or creative and, i hope and intend, of modest value.

        given that you seem to have a remarkable memory of the ew’s remarkable productivity, why don’t you go back and pick out those quotes that demonstrate your thesis and post them here.

        keep in mind democritus and dalton are both credited “atom” in history texts.

  4. orionATL says:

    the nytimes has put together the most readable tale of the russian intervention in 2016 election and the trump-putin dance that led to trump’s squeaker of a victory that i have read.

    no doubt there will be critiques of its details, but for ordinary  citizens like myself it is an excellent history primer.

    what is missing is a sharp critique of journalistic obtuseness and folly in the midst of the trump-putin dance, in particular the obtuseness of the nytimes with its stable of  vaunted reporters and its experience with its own folly in its multi-decade effort to destroy the reputation of one or the other of the clintons. once again the nytimes follies bergere overtly helped to install the wrong person for the job in the u.s. presidency.

Comments are closed.