Private sector security companies had a key role in the U.S. government’s attribution of last year’s WannaCry ransomware epidemic to North Korea, an official at the Office of the Director of National Intelligence (ODNI) said on Friday.
Speaking at a Washington Post Live event, Tonya Ugoretz, director of ODNI’s Cyber Threat Intelligence Integration Center (CTIIC), said that the small agency she leads acted as a liaison to get critical information about the global attack from the private sector to U.S. intelligence agencies.
Ugoretz said that CTIIC learned of information about WannaCry that had been fed to the Department of Homeland Security by its private sector partners. The information would play an important role in the attribution to North Korea months later, Ugoretz explained. CTIIC comprises staff from intelligence, law enforcement and other federal agencies with the goal of helping coordinate responses to cyberthreats.
“DHS had that by virtue of their private sector relationships, and we asked ‘Could we share that with the intelligence community? Because we think it could be valuable,’” she said. “DHS went back to the private sector partner, got their permission, we shared it with the intel community, and it helped give us a sense early on about how the infection did spread.”
Security researchers did indicate publicly early on in the spring of 2017 that WannaCry shared code with malware attributed to Lazarus Group, a hacking group associated with North Korea. But the community stopped short of flat-out attributing WannaCry to North Korea, and the White House didn’t officially lay the blame until December 2017.
Ugoretz explained, however, that the IC was clued in from an early stage that North Korea was behind the attack, “but with low to moderate confidence.” The government wanted to take the time to gain more confidence, she said.
“Private sector cybersecurity researchers felt really confident it was North Korea, and it’s important to establish high confidence in these types of attributions so that we potentially position our policymakers to consider response options,” Ugoretz said. “Some of our partners in the interagency were then able to take that, do additional work, and ultimately acquired that last bit of information that helped us say with high confidence that it was North Korea behind the attack.”
Ugoretz touted the case as an example of how applying a whole-of-government approach in coordination with the private sector can achieve results in the assessment of global cyberthreats.
“The importance was having the relationships and the trust to be able to go to different partners and say ‘This part of the community needs this piece of information that another part has,’” she said.