WannaCry had North Korea's fingerprints all over it. The massive ransomware attack that hit over 150 countries last week reportedly contained code linked to other cyber crimes allegedly perpetrated by the Hermit Kingdom. But while it might take weeks or months for researchers to identify the culprit through forensic analyses, another set of clues already points to North Korea: motive.
There are rarely smoking guns when it comes to major cyber attacks, but clear patterns and evidence have emerged that indicate which foreign governments are responsible for the biggest ones. Would Russia or China have tried to take down hospitals in the U.K. for a measly $300? Probably not. China veers more towards stealing military and trade secrets, while Russia prefers operations that destabilize foreign governments. But North Korea will definitely hack for cash.
Here's a quick guide to distinguishing cyber threats from North Korea, China, or Russia:
Subscribe to The Week
Escape your echo chamber. Get the facts behind the news, plus analysis from multiple perspectives.
SUBSCRIBE & SAVE
Sign up for The Week's Free Newsletters
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
From our morning news briefing to a weekly Good News Newsletter, get the best of The Week delivered directly to your inbox.
1. North Korea
Why are they attacking? What are their goals?
North Korea is a relative newcomer to the field of cyber warfare, yet it has quickly established itself as a formidable foe. The isolated country has long employed a strategy of asymmetrical warfare, so cyber attacks fit neatly into its preference for cheap, unpredictable operations that hold minimal risks of retaliation. Hit hard by sanctions, cash-strapped North Korea has recently shifted its cyber capabilities to generate income through theft and ransom — a strategy it might have just blown up to a global scale.
Who do they target?
Before the WannaCry attack, North Korea's primary targets were South Korean banks and media companies as well as American corporations and international institutions. An attempted cyber attack on a Polish bank last year, for instance, inadvertently revealed that North Korea was also targeting the World Bank, the European Central Bank, and Bank of America. An indiscriminate attack like WannaCry might be a first, but it would hardly be surprising given their past behavior.
What do they take? How do they use it?
Even before it was implicated in the WannaCry attack, North Korea had taken to ransom. Last year, the country stole the personal data of more than 10 million customers from Interpark, a South Korean online retailer. Interpark was alerted to the breach after it received an anonymous message that demanded $2.7 million in bitcoin or else the attack would be publicized. Interpark refused to pay the ransom and alerted South Korean authorities. Interestingly, despite causing so much havoc, the WannaCry operation has seen relatively meager returns: Only about $70,000 in bitcoin has been netted to date.
North Korea's most profitable operation, however, wasn't ransomware at all, but a heist. Last year, it attempted to steal nearly $1 billion from a bank in Bangladesh, and successfully made off with $81 million.
All of the country's attacks aren't for money, though. Before WannaCry, its highest profile attack was on Sony Pictures Entertainment, when it infiltrated the company's network in an attempt to stop the release of a comedy about the imagined assassination of North Korean leader Kim Jong Un. Hackers released a trove of embarrassing emails that were widely reported on. But what received less attention was the damage done to Sony's systems. A highly destructive form of malware was introduced and over 70 percent of its computers were left inoperable.
How did they get in?
North Korea's sophisticated cyber capabilities are surprising considering its extreme isolation and poor infrastructure. Given the country's limited connectivity to the outside world, its massive army of hackers, estimated to be 1,700 strong, are allowed to live and work abroad, mostly in China, Southeast Asia, and Europe. The ability to live outside of North Korea is actually a major perk for hackers given how few opportunities there are to leave the barren country. As an added bonus, many North Korean hackers are allowed to run illegal gambling websites to earn additional income.
What's next?
With the United States and other nations ratcheting up sanctions in response to North Korea's growing nuclear program, it is likely that North Korean hackers will continue to generate cash from hacking. Whether it returns to targeted operations or tries another indiscriminate attack like WannaCry, though, remains to be seen.
2. China
Why are they attacking? What are their goals?
Chinese cyber attacks are closely aligned with China's broader national goals of rapidly developing its economic and military might. To that end, Chinese cyber attacks have been aimed at gathering intelligence and stealing military and trade secrets, effectively saving China billions of dollars in research and development costs and helping it quickly catch up to the U.S. in certain key areas.
Who do they target?
China's targets stretch across American businesses, industries, and government agencies. It is widely believed that China has been responsible for many high-profile cyber attacks against the U.S. in recent years, including: stealing plans for the F-35 fighter jet; infiltrating the U.S. Chamber of Commerce's and the State Department's networks; making off with the personal records of over 20 million Americans from the Office of Personnel Management; and breaking into the 2008 McCain and Obama presidential campaigns.
What did they take? How did they use it?
China employs a "grain of sands" approach to hacking, meaning they steal massive amounts of information — often low-level — and sift through it to find valuable nuggets.
When Coca-Cola was in the midst of negotiating the purchase of a Chinese company, for instance, Chinese hackers were poring over Coca-Cola's systems, hoping to learn more about their negotiation strategy. In a more far-reaching and pernicious attack, Chinese hackers broke into RSA, a computer security company that supplies the SecurID tokens many employees at U.S. banks, intelligence agencies, and military contractors use to securely access computer systems. Two months later, Chinese hackers successfully penetrated Lockheed Martin's systems partly using data stolen in the heist.
Other cyber attacks have focused on companies that manage critical infrastructure like electrical power grids and gas and water lines. One successful effort targeted a company with detailed blueprints and remote access to over 60 percent of oil and gas pipelines in North America.
How did they do it?
China loves to phish. Most cyber attacks begin with an innocent-seeming email often with an attachment. Once the attachment is opened, hackers are able to gain entry into computer networks and hunt for information. Such attacks are called spear phishing and were used to gain access to Coca-Cola, RSA, and even the State Department. Once inside, hackers can carefully prowl a network, stealing information or unleashing damaging malware.
What's next?
After decades of widespread and brazen cyber attacks, Chinese intrusions have dramatically fallen. Since the Obama administration signed an agreement with the Chinese government to curb economic espionage in 2015, Chinese cyber attacks have decreased more than 90 percent. Chinese hackers have since turned their attention inwards to help President Xi Jinping root out corruption, and have significantly ramped up attacks on Russian industries.
3. Russia
Why are they attacking? What are their goals?
Russia possesses highly advanced cyber capabilities and is a "near peer" to the United States, according to Gen. Keith Alexander, the former head of the NSA and the military's Cyber Command. America's Cold War adversary has moved beyond espionage and regularly uses influence operations and electronic warfare to disrupt and destabilize countries hostile to Russian interests.
Who did they target?
Like China, Russia targets an array of Western businesses, defense contractors, government agencies, and most notably political campaigns. However, unlike China, Russia has used stolen information far more publicly.
What did they take? How did they use it?
The first major Russian cyber attack on the U.S. was uncovered in 1996. After a two-year investigation, it was discovered that hackers had broken into NASA, the Air Force, the Navy, and the Department of Energy, stealing whole weapon designs. Since then, Russia has changed tactics to influence operations and full-out cyber warfare.
Following a 2007 dispute between the Kremlin and Estonia, a former Soviet satellite state, over the relocation of a monument, Russian hackers shut down nearly all of the Estonian government's websites, many of the country's major news outlets, and its biggest banks. The attacks lasted nearly three weeks.
Cyber attacks were also unleashed during Russia's war with Georgia in 2008 as well as its invasion of Crimea in 2011. In 2015, Ukraine blamed Russia for a cyber attack that left over 200,000 Ukrainians without power.
Off the battlefield, Russia has focused on influence operations aimed at undermining opponents of Russia, destabilizing governments, and discrediting democratic processes. The most notable instances, of course, were during the U.S. presidential election last year, when Russia allegedly stole and published emails from Clinton campaign chairman John Podesta and hacked into the Democratic National Committee servers in an effort to damage Hillary Clinton's candidacy.
Meanwhile, in Europe this year, hackers successfully stole emails from the campaign of now-French President Emmanuel Macron and infiltrated Germany Parliament's computer networks.
How did they do it?
Like China, Russia relies on spear-phishing attacks to gain access to networks. Their willingness, however, to cause physical damage is unique and highly advanced.
In its attack on Ukraine's power grid, Russia showed the world its sophisticated capabilities. In a carefully planned attack that took months to execute, Russian hackers slowly wormed their way into Ukrainian power companies' networks, then carefully studied the infrastructure and planted malware at power substations before launching a synchronized assault.
What's next?
Unless it is severely punished, Russia will continue to use cyber attacks to hack elections, spread false information, and sow chaos.
Today's political cartoons - November 2, 2024
Geoff Capes obituary: shot-putter who became the World’s Strongest Man
Israel attacks Iran: a 'limited' retaliation
Has the Taliban banned women from speaking?
Cuba's energy crisis
Putin's fixation with shamans
Chimpanzees are dying of human diseases
Deaths of Jesse Baird and Luke Davies hang over Sydney's Mardi Gras
Quiz of The Week: 24 February - 1 March
Will mounting discontent affect Iran election?
Sweden clears final NATO hurdle with Hungary vote
