U.S. says Facebook, Microsoft disabled North Korean cyber threats
By: Dustin Volz
WASHINGTON – Facebook Inc and Microsoft Corp disabled a number of North Korean cyber threats last week, a White House official said on Tuesday, as the United States publicly blamed Pyongyang for a May cyber attack that crippled hospitals, banks and other companies.
“Facebook took down accounts that stopped the operational execution of ongoing cyber attacks and Microsoft acted to patch existing attacks, not just the WannaCry attack initially,” White House homeland security adviser Tom Bossert said on Tuesday.
Bossert did not provide details on the actions by the two American tech heavyweights but said the U.S. government was calling on other companies to cooperate in cyber security defense.
Bossert’s remarks came during a White House news conference in which he blamed Pyongyang for the WannaCry attack that infected hundreds of thousands of computers in more than 150 countries, saying the U.S. government had clear evidence that North Korea was responsible. He did not share that evidence.
The U.S. accusation came at a time of high tension with North Korea over its nuclear weapons and missile programs.
A Facebook <FB.O> spokesman confirmed that the company last week deleted accounts associated with a North Korea-linked hacking entity known as Lazarus Group “to make it harder for them to conduct their activities.” The accounts were mostly personal profiles operated as fake accounts that were used to build relationships with potential targets, the spokesman said.
Facebook said it also notified individuals in contact with these accounts.
The actions echoed similar steps the social media powerhouse took this year against suspected Russian accounts that Facebook said were used to promote divisive political messages during the 2016 U.S. presidential election.
In a blog post, Microsoft <MSFT.O> President Brad Smith said the company last week disrupted malware that the Lazarus Group relied upon, cleaned customers’ infected computers and “disabled accounts being used to pursue cyber attacks.” Smith said the steps were taken after consultation with several governments, which he did not identify, but Microsoft’s decision was independent.
The WannaCry attack was “meant to cause havoc and destruction,” Bossert said. He conceded there was little the United States could do to exert further pressure on Pyongyang.
“We don’t have a lot of room left here to apply pressure to change their behavior,” Bossert said. “It’s nevertheless important to call them out, to let them know that it’s them and we know it’s them.”
Britain and several private sector security researchers previously concluded that North Korea was responsible for the attack. Bossert said other countries including Japan, Australia, New Zealand and Canada also agreed with the U.S. conclusion.
A senior administration official told Reuters on Monday that U.S. intelligence agencies had a “very high level of confidence” that the Lazarus Group carried out the WannaCry attack. Classified sources and methods were used to make that determination, the official said.
Lazarus is widely believed by security researchers and U.S. officials to have been responsible for the 2014 hack of Sony Pictures Entertainment <6758.T> that destroyed files, leaked corporate communications online and led to the departure of several top executives.
North Korean government representatives could not be reached immediately for comment. Pyongyang has denied responsibility for WannaCry and called other allegations that it launched cyber attacks a smear campaign.
The United States did not issue any indictments or name individuals believed to be involved in the attacks.
Worries are mounting in Washington about North Korea’s hacking capabilities and its weapons programs. North Korea this month said it had successfully tested an intercontinental ballistic missile that could place the entire U.S. mainland within range of its nuclear weapons.
‘WE GOT LUCKY’
Considered unprecedented in scale at the time, the WannaCry attack knocked British hospitals offline, forcing thousands of patients to reschedule appointments, and disrupted infrastructure and businesses around the world.
The attack was defanged when Marcus Hutchins, a British cyber security researcher, detected a so-called kill switch within WannaCry’s code. Hutchins was arrested in Las Vegas by U.S. law enforcement in August on unrelated charges that he had built and sold malicious code used to steal banking credentials, for which he has pleaded not guilty. He remains in the United States awaiting court proceedings.
Bossert declined to comment about the Hutchins case, but said “we got lucky” that the WannaCry attack was not more damaging.
“We also had a programmer that was sophisticated who noticed a glitch in the malware,” Bossert said. “We’ll give him that. Next time we won’t get so lucky.”
WannaCry was made possible by a flaw in Microsoft’s Windows software, which was discovered by the U.S. National Security Agency and then used by the NSA to build a hacking tool for its own use.
In a devastating NSA security breach, that hacking tool and others were published online by the Shadow Brokers, a mysterious group that regularly posts cryptic taunts toward the U.S. government. The tool was then used in the WannaCry attack.