A top White House official on Tuesday personally thanked Microsoft and Facebook for helping counter North Korean hackers and said the National Security Agency was “not at all” at fault for this year’s infamous WannaCry ransomware incident.
Thomas Bossert, the president’s homeland security adviser, mentioned the two companies by name in a press conference on North Korea’s connections to WannaCry.
The Trump administration publicly attributed WannaCry to North Korea for the first time yesterday.
Security researchers have said the hackers behind the ransomware outbreak in May amplified its effects by using computer code from a leaked NSA hacking tool known as EternalBlue.
The briefing followed the publication Monday night of an editorial by Bossert in the Wall Street Journal that was the first time the Trump administration attributed the WannaCry outbreak to North Korea. Bossert broadly cited “evidence” without describing it outright.
Statements shared by Facebook and Microsoft with CyberScoop imply that the companies’ efforts against North Korean hackers came last week and were not directly related to WannaCry. Instead, they appear to have been more broadly focused on inhibiting North Korea’s ongoing cyber-espionage operations.
A Facebook spokesperson said the social network had moved to disable a number of accounts that it linked back to the predominant hacking group associated with North Korea, which is known to the security research community as the Lazarus Group. Facebook said the hackers were using these profiles to communicate with one another while also targeting specific individuals.
Microsoft has said that its efforts included disabling accounts and working directly with Facebook on other issues. A Microsoft spokesperson did not respond to subsequent questions sent by CyberScoop concerning how Microsoft disrupted a malware framework used by Lazarus Group.
Microsoft’s revelations come as the company’s relationship with Washington remains strained in the fallout of the EternalBlue leak, which came in early 2017 by mysterious group that calls itself the Shadow Brokers. The tool effectively allowed WannaCry to automatically bounce between millions of vulnerable, internet-connected machines which were all running older versions of Microsoft Windows.
While answering a question on the matter, Bossert did not mention the group by name but said that the U.S. is currently taking steps to stop other, future disclosures concerning the intelligence community’s secretive hacking capabilities.
“I think that while the US government needs to better protect its tools and things that leak are very unfortunate and we need to apply security measures that prevent that from happening, I think Brad [Smith of Microsoft] also now appreciates more and better what we hold onto and why we hold onto it,” Bossert said. “And in part he appreciates that more and better because we’ve made it a transparent process.”
CyberScoop previously confirmed that tools leaked by the Shadow Brokers belonged to the NSA. Further reporting found that the group had likely gained physical access to a hard drive, containing various other outdated exploits and implants designed for sophisticated offensive operations. The NSA has yet to publicly comment on the nature and cause for these apparent leaks.
A National Security Council spokesperson said at least one other company contributed to the efforts by Microsoft and Facebook.
In a company blog post published on May 14, Microsoft President Brad Smith had criticized the NSA and White House for their roles in allowing EternalBlue fall into the hands of hackers.
“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith wrote at the time. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
A newly released blog post written by Smith mentioned that Microsoft took steps last week to “disrupt the malware this group relies on, cleaned customers’ infected computers, disabled accounts being used to pursue cyberattacks and strengthened Windows defenses to prevent reinfection.”
The post continues, “Microsoft welcomed the opportunity to work with Facebook and others in recent weeks to address this issue. As we look to 2018, it’s essential that we act with shared responsibility to strengthen further the partnerships with the security community and governments to combat cyberattacks against civilians.”