May 30, 2017

U.S. intel firm finds Chinese traces in ransomware attack notes

Mark Schiefelbein / AP

U.S. intelligence firm Flashpoint claims with "high confidence" that the notes accompanying the ransomware attack were written by Chinese-speaking hackers from southern China, Hong Kong, Taiwan, or Singapore. The notes, sent out in 28 different languages during this month's WannaCry attack, which hit 150 countries, warned users they couldn't access their data unless they paid a ransom.

Why this matters: The group that launched the attack is suspected to be a North Korean hacker group. This either adds a hitch to that suspicion or means the North Koreans have gone to great lengths to cast doubt on their identity by forging Korean into Chinese.

The language analysis: Nearly all of the notes were translated using Google Translate, Flashpoint writes. Only three (the English notes and two different versions of Chinese notes) are likely to have been drafted by a human with knowledge of the language, and of those, only the Chinese notes indicate they were written by someone fluent in the language.

Two more snags to finding who is responsible for the attack:

  1. TheShadowBrokers, the group that enabled the hack by posting the loophole online, has emptied out its bitcoin account, worth $24,000, a surprising move since this could identify the group. However, the group distributed the bitcoins to multiple addresses to mask the transaction, disrupting chances of identification.
  2. Up next, the group has offered to distribute more hacking tools for about $24,000 and is accepting Zcash, another digital currency much like bitcoin, but which is much harder to track.