US says Facebook, Microsoft disabled North Korean cyber threats

Tom Bossert speaks to reporters at the White House in Washington, Dec 19, 2017. PHOTO: NYTIMES

WASHINGTON (REUTERS) - Facebook and Microsoft disabled a number of North Korean cyber threats last week, a White House official said on Tuesday (Dec 19), as the United States publicly blamed Pyongyang for a May cyber attack that crippled hospitals, banks and other companies.

"Facebook took down accounts that stopped the operational execution of ongoing cyber attacks and Microsoft acted to patch existing attacks, not just the WannaCry attack initially," White House homeland security adviser Tom Bossert said on Tuesday.

Bossert did not provide details on the actions by the two American tech heavyweights but said the US government was calling on other companies to cooperate in cyber security defence.

Bossert's remarks came during a White House news conference in which he blamed Pyongyang for the WannaCry attack that infected hundreds of thousands of computers in more than 150 countries, saying the US government had clear evidence that North Korea was responsible. He did not share that evidence.

The US accusation came at a time of high tension with North Korea over its nuclear weapons and missile programmes.

A Facebook spokesman confirmed that the company last week deleted accounts associated with a North Korea-linked hacking entity known as Lazarus Group "to make it harder for them to conduct their activities."

The accounts were mostly personal profiles operated as fake accounts that were used to build relationships with potential targets, the spokesman said.

Remote video URL

Facebook said it also notified individuals in contact with these accounts.

The actions echoed similar steps the social media powerhouse took this year against suspected Russian accounts that Facebook said were used to promote divisive political messages during the 2016 US presidential election.

In a blog post, Microsoft President Brad Smith said the company last week disrupted malware that the Lazarus Group relied upon, cleaned customers' infected computers and "disabled accounts being used to pursue cyber attacks."

Smith said the steps were taken after consultation with several governments, which he did not identify, but Microsoft's decision was independent.

The WannaCry attack was "meant to cause havoc and destruction," Bossert said. He conceded there was little the United States could do to exert further pressure on Pyongyang.

"We don't have a lot of room left here to apply pressure to change their behaviour," Bossert said. "It's nevertheless important to call them out, to let them know that it's them and we know it's them."

Britain and several private sector security researchers previously concluded that North Korea was responsible for the attack. Bossert said other countries including Japan, Australia, New Zealand and Canada also agreed with the US conclusion.

A senior administration official told Reuters on Monday that US intelligence agencies had a "very high level of confidence" that the Lazarus Group carried out the WannaCry attack. Classified sources and methods were used to make that determination, the official said.

Lazarus is widely believed by security researchers and US officials to have been responsible for the 2014 hack of Sony Pictures Entertainment that destroyed files, leaked corporate communications online and led to the departure of several top executives.

North Korean government representatives could not be reached immediately for comment. Pyongyang has denied responsibility for WannaCry and called other allegations that it launched cyber attacks a smear campaign.

The United States did not issue any indictments or name individuals believed to be involved in the attacks.

Worries are mounting in Washington about North Korea's hacking capabilities and its weapons programmes. North Korea this month said it had successfully tested an intercontinental ballistic missile that could place the entire US mainland within range of its nuclear weapons.


Considered unprecedented in scale at the time, the WannaCry attack knocked British hospitals offline, forcing thousands of patients to reschedule appointments, and disrupted infrastructure and businesses around the world.

The attack was defanged when Marcus Hutchins, a British cyber security researcher, detected a so-called kill switch within WannaCry's code. Hutchins was arrested in Las Vegas by US law enforcement in August on unrelated charges that he had built and sold malicious code used to steal banking credentials, for which he has pleaded not guilty. He remains in the United States awaiting court proceedings.

Bossert declined to comment about the Hutchins case, but said "we got lucky" that the WannaCry attack was not more damaging.

"We also had a programmer that was sophisticated who noticed a glitch in the malware," Bossert said. "We'll give him that. Next time we won't get so lucky."

WannaCry was made possible by a flaw in Microsoft's Windows software, which was discovered by the US National Security Agency and then used by the NSA to build a hacking tool for its own use.

In a devastating NSA security breach, that hacking tool and others were published online by the Shadow Brokers, a mysterious group that regularly posts cryptic taunts towards the US government. The tool was then used in the WannaCry attack.

Join ST's Telegram channel and get the latest breaking news delivered to you.