Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

ATTRIBUTION GAMES: LAZARUS, SHADOWBROKERS, BLOFELD.

with one comment

The Game:

I figured since everyone else is playing the ATTRIBUTION GAMES over Wannacrypt0r that I would get in on the action and give it my own personal spin. The big difference here is that I am not selling any of you anything so if you read this post it is all about not buying my shiny new machine learning, next gen machine that goes PING! Nope, I just thought I would put a few words down to stop the insanity so to speak that I already see in the eyes of those $VENDOR’s out there about to hit SEND on their latest salvo of shenanigans concerning the Wannacry event of last week.

That’s right, I am already calling shenanigans!

Right so this game here is a red team on the idea that Wannacry was either an APT Nation State actor (either LAZ or SHADOW) or a criminal gang who will be represented by Ernst Stavro Blofeld. Once this is all said and done I hope that some sanity will ensue and more to the point, some elaborate death will be planned out, set into motion, and then foiled by James Bond…

Wait… what?

Let’s begin… DOMINATION OF THE WORLD….. Let’s just list the indicators and possible motivations all kinds of bulletized shall we?

THE LAZARUS GROUP (UNIT 180):

  • LAZARUS code snippets found in WANNACRY samples
  • LAZARUS has been active in stealing large sums of money from banks, as this attack was about ransom and money… well… UNDERPANTS GNOMES AND PROFIT!
  • LAZARUS aka Un, would likely love to sow terror by unleashing the digital hounds with malware attacks like this to prove a point, that they are out there and to be afraid.
  • LAZARUS aka Un, might have done this not only to sow fear but also to say to President CRAZYPANTS (Official USSS code name btw) “FEAR US AND OUR CYBER PROWESS
  • LAZARUS aka Un, is poor and needs funds so ransoming hospitals and in the end gathering about $100k is so gonna fill the coffers!
  • LAZARUS aka UNIT 180 players are “Freelancing” and using TTP’s from work to make MO’ MONEY MO’ MONEY MO’ MONEY (No! Someone actually really floated that idea!)
  • LAZARUS is a top flight spooky as shit hacking group that needed to STEAL code from RiskSense (lookit that IPC$ from the pcap yo) to make their shit work.. Huh?

SHADOWBROKERS (GRU):

  • SHADOWBROKERS made no money on their auction and posted a long pissy diatribe about it after the incident reached critical media frenzy
  • SHADOWBROKERS had the code already and then needed to CRIB some of the ETERNALBLUE/FUZZBUNCH NSA code ganked from RiskSense because they lack the ability to make the shit work themselves… Which they then re-coded in C…  Huh?
  • SHADOWBROKERS want to just sow mayhem with WANNACRY and continue the massive schadenfreude that the NSA is feeling from their theft (*cough MOLE HUNT cough*) but once again, they had to STEAL that code snippet to make it work… Or, is that just another poke at the US? A diversion? A red herring so to speak? Hmmmm….
  • SHADOWBROKERS re-used or re-purposed old malware WANNACRYPT0R and threw in some code snippets from LAZARUS GROUP TTP’s to muddy the waters and have EVERYONE pointing their collective fingers at the Hermit Nation because WHY THE FUCK NOT HUH!? This would sow more FUD and gee, isn’t that the playbook chapter like 3 in ACTIVE MEASURES komrade?

ERNST STAVRO BLOFELD:

  • ERNST has a well known volcano lair and upkeep is rather steep in this global market so ransomware is the way to go baby!
  • ERNST is a Devil may care kind of guy and wants to sprinkle clues for both RUSSIAN and DPRK actors here to cause all kinds of mayhem while he sits and strokes his cat while the bitcoins amass.
  • ERNST is a gangster and his coders, well, sometimes they suck so they stole the ETERNALBLUE snippets but then they couldn’t make that work UNTIL they coded it all in C so.. yeah..
  • ERNST is a nihilist at heart so he just slapped this shit together and then made sure that there was a killswitch in there as a safety valve, I mean, look at how many times he tried to kill Bond but always missed by that much!

Well there you have it. I have gamed it all out for you. Who do you think dunnit? If you look at all of these players and their motivations along with the superior threat intel evidence we have out there that the attribution firms are selling…

OBVIOUSLY IT’S ALL OF THEM! THEY ARE WORKING TOGETHER PEOPLE! IT’S THE NEW SPECTRE! CAN’T YOU ALL SEE THAT WITH THE PLETHORA OF EVIDENCE WE HAVE! COME ON!

*breathe…..**

Ok ok ok… See what I did there? I am making a point with humor.

IT DOESN’T FUCKING MATTER WHO DID IT!

PATCH YOUR SHIT.

DO THE THINGS.

STOP.

Dr. K.

Written by Krypt3ia

2017/05/23 at 20:04

Posted in ATTRIBUTION, Cyber

One Response

Subscribe to comments with RSS.

  1. And THIS is why I come here – awesome. So very tired of salivating vendors trying to sell their silver bullets and magical hoo-doo, spells and incantations to protect us all from the malware-of-the-day.

    beej

    2017/05/23 at 20:19


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: