
Learning from major cyber security incidents

2.3 Who were the attackers?

At the time of writing, nobody has claimed responsibility, nor has anyone been arrested for spreading the malware. One suspect is the Shadow Brokers group, as they were alleged to have stolen the hacking tool from the NSA. Moty Cristal, a professional negotiator, believed that the attackers did it not for money but to make a point, which was to show the group’s strength and remind large organisations to revise their cyber security strategies. He said:

The failure of the perpetrators to auction it for big money, the leveraging of a long-known vulnerability, the low ransom demand in global parallel attacks (which decreases chances of being paid) and the fact that Russia has been dramatically hit, are all signs that the perpetrators could be American hackers frustrated by their failure to make big money. The attack has the signs of being the work of a group that preferred expressive impact over a modest amount of money.

[…] It was a global show of strength, an expressive one, that caused relatively low financial and operational damage, and ought to be used by UK government as a powerful reminder to revise its cyber security strategies.

(Cristal, 2017)

However, according to a Washington Post article written by Ellen Nakashima in June 2017, the NSA believed that the hacking group Lazarus, linked to the North Korean government, was behind the WannaCry attack. The report stated that the Obama administration previously believed the Lazarus group was behind a series of cyber-robberies of banks in Asia as well as the 2014 hack of Sony Pictures Entertainment, in which the attackers demanded that the company withdraw a film that ridiculed the North Korean leader, Kim Jong Un. Sanctions were imposed on North Korea by the US government after these attacks. The report further stated that the security researchers who analysed the code of WannaCry found similarities to the malware used by the Lazarus group, and that there was military intelligence indicating that North Korea was behind the attack.

In December 2017, the US government publicly announced that North Korea was the main culprit behind the WannaCry attack. This view was also shared by the UK, Canada, New Zealand and Japan, according to CBS News (2017). Nevertheless, North Korea has always denied the allegation.

Without firm evidence and a proper court trial, it is hard to pinpoint who the culprit behind the WannaCry attack was. However, the Lazarus and Shadow Brokers groups appear to be the prime suspects.