The Trump administration on Monday evening publicly acknowledged that North Korea was behind the WannaCry computer worm that affected more than 230,000 computers in more than 150 countries earlier this year.
"The [WannaCry] attack was widespread and cost billions, and North Korea is directly responsible," Thomas P. Bossert, Trump's homeland security adviser, said in an op-ed published in the Wall Street Journal on Monday. "We do not make this allegation lightly. It is based on evidence. We are not alone with our findings, either."
At the White House on Tuesday, Bossert called the WannaCry attack “a defining moment,” saying it affected individuals, businesses and governments worldwide, and put money as well as lives at risk.
“This was a reckless attack and it was meant to cause havoc and destruction,” he said at a news conference. Drawing a connection between North Korea’s alleged cyber activities and its development of nuclear weapons, he added, “I think, at this point, North Korea has demonstrated that they want to hold the entire world at risk, whether it be through its nuclear program or cyberattacks.”
Bossert acknowledged that the United States has few options left to retaliate against North Korea and to pressure the isolated nation to change its behavior, short of starving its people or attacking it. North Korea already is one of the most heavily sanctioned countries in the world. He said it was important nonetheless to call North Korea out publicly.
“We’re going to hold them accountable and we’re going to say it and we’re going to shame them for it,” Bossert said.
North Korea was widely suspected of creating the virus, paired with ransomware that encrypted data on victims’ computers and demanded money to restore access. Until now, the U.S. government had not publicly stated as much.
In June, The Washington Post reported that the National Security Agency had linked North Korea to the creation of the worm. In October, the British government declared that it believed North Korea was the culprit. The following month, the CIA issued a similar classified assessment, which has not been previously reported.
In a statement Tuesday, Britain’s Foreign Office said: “The indiscriminate use of the WannaCry ransomware demonstrates North Korean actors using their cyber programme to circumvent sanctions.”
The Foreign Office added that “the decision to publicly attribute this incident sends a clear message that the U.K. and its allies will not tolerate malicious cyber activity.”
Bossert credited two U.S.-based corporations, Facebook and Microsoft, for acting last week to disable North Korean accounts, and he issued a broad call to all U.S. companies to help defend the country and its allies against future cyberattacks.
“Some say that defending cyberspace is impossible and that hackers are inevitable,” Bossert said. “I disagree. . . . Government and industry must work together, now more than ever, if we are serious.”
The U.S. government has released technical details of North Korean cyber tools and operational infrastructure, and has worked with other countries to lessen North Korea’s ability to conduct further tests or generate illicit funding, U.S. officials said.
The May 12 global attack hit critical sectors, particularly Britain’s National Health Service. It did not affect the United States as much, although some systems were disrupted.
This follows a pattern of disruptive and harmful cyber activity by the reclusive country. Leader Kim Jong Un has pushed to develop hacker forces as a low-cost, high-impact tool that can rattle the nerves and damage the systems of more powerful nations.
In November 2014, North Korea hacked Sony Pictures networks, disrupting computer systems, stealing and releasing corporate emails and demanding that the studio cancel the release of a satirical film depicting Kim's assassination. The attack led to economic sanctions from the Obama administration.
The WannaCry attack, said one U.S. official, who was not authorized to speak for the record, "demonstrates the importance of basic cyber hygiene, including keeping systems patched and up to date, as well as the need for strong cooperation between public and private sectors to share information, prevent and mitigate cyberthreats."
Democratic lawmakers criticized the disparity in the administration's response to Russian hacking during the 2016 presidential campaign and its reaction to North Korea's cyber activities.
"President Trump is handling the intelligence assessments regarding North Korea and Russia completely differently, staging an elaborate media rollout to press on sanctions against North Korea while at the same time discrediting the assessment by these very same intelligence agencies that the Kremlin interfered with our election," said Rep. Elijah E. Cummings (Md.), the ranking Democrat on the House Committee on Oversight and Government Reform.
Dmitri Alperovitch, cofounder of the cybersecurity firm CrowdStrike, said the U.S. government’s official public blaming of North Korea “is another step in establishing the importance for regularly attributing significant attacks to nation-states and criminal groups.”
The attribution also raises public awareness about North Korea’s growing offensive cyber capabilities, he said. The country’s hacking operations date back at least a decade, starting with espionage, evolving into destructive attacks and in the last few years moving into cybercrime with ransomware and bank heists, said Alperovitch, whose firm has tracked the North Korean threat for years.
“They are a very capable actor that is known to have developed 0-day [previously unknown] exploits and their own unique malware code,” he said. “As such, they pose a major threat to organizations globally, especially as tensions between the U.S. and North Korea over the nuclear and missile programs continue to escalate.”
Karla Adam in London, Josh Dawsey and Tom Hamburger contributed to this report.