Overnight Cybersecurity: NSA links Wanna Cry ransomware to North Korea | Dem proposes center to counter Russian hacks | Senators raise questions about leaker's security clearance

Overnight Cybersecurity: NSA links Wanna Cry ransomware to North Korea | Dem proposes center to counter Russian hacks | Senators raise questions about leaker's security clearance
© Getty Images

Welcome to OVERNIGHT CYBERSECURITY, your daily rundown of the biggest news in the world of hacking and data privacy. We're here to connect the dots as leaders in government, policy and industry try to counter the rise in cyber threats. What lies ahead for Congress, the administration and the latest company under siege? Whether you're a consumer, a techie or a D.C. lifer, we're here to give you ...




The National Security Agency (NSA) linked ransomware that negatively impacted more than 300,000 people in 150 countries to North Korea, according to The Washington Post. The NSA's assessment, which is not available to the public, states that "cyber actors" thought to be sponsored by North Korea's spy agency, the Reconnaissance General Bureau, were behind the WannaCry computer worm.

To read the rest of our piece, click here.

--...'MODERATE[LY]' CONFIDENT: According to the Washington Post report, the NSA reached that conclusion with "moderate" confidence.

--...KASPERSKY LAB, SYMANTEC WERE ALREADY PRETTY CONFIDENT: Symantec noted that early versions of the ransomware were installed on computers also infected with North Korean espionage malware. The ransomware also used source code borrowed from other North Korean tools -- code that wasn't available on source code repositories to cut and paste -- and used the same intermediary servers to communicate.

--...SPEAKING OF KASPERSKY AND WANNA CRY: Rep. Clay Higgins (R-La.) told two House Science subcommittees they should take antivirus magnate Eugene Kaspersky up on his offer to testify before Congress during a joint hearing on Wanna Cry on Thursday. Kaspersky Lab continues to receive government contracts, despite lawmakers' suspicions that the Moscow-headquartered outfit may have ties to the Russian government. There is no public evidence linking the two, but the Department of Homeland Security has issued guidance to avoid the vendor. Kaspersky has also become a frequent topic of conversation at Senate Intelligence Committee meetings. Both Kaspersky and his company have pushed back against these claims. In May, Eugene Kaspersky said he would testify before Senate Intelligence.  "The FBI, CIA and NSA advise this body that they do not trust Kaspersky," said Higgins, adding, "I strongly suggest we take him up on his offer." Eugene Kaspersky was educated at a KGB-sponsored university and served in Russian military intelligence. As is the case with American cybersecurity firms, many of the Russia-based employees come from the public sector.

--...A SIMILAR, MORE FRIENDLY OFFER FOR NORTH KOREAN PROGRAMMERS: Witnesses at the hearing noted that coding errors likely prevented millions of additional infections of the malware and that the prevailing theory was that North Korea had launched the attack. Higgins jokingly asked the panel what they thought might happen to the coders and issued an invitation to any programmers feeling heat from Pyongyang to come to America. "We'd love to have you before the Committee," he said. "We'll give you some real good food."

To read the rest of our piece, click here.




Russian President Vladimir Putin on Thursday offered to give political asylum to former FBI Director James Comey, poking at tensions between Comey and President Trump. "If Comey will be under the threat of political persecution, we are ready to accept him here," Putin said at a press conference, according to Russian state media outlet TASS.  

To read the rest of our piece, click here.

--WHO WILL INVESTIGATE OBSTRUCTION? With the announcement yesterday that the Senate Judiciary would investigate political pressures at the FBI, the Senate Intelligence Committee will not be focusing on the issue and will turn over evidence to the special prosecutor. Over in the House Intelligence committee, Ranking Member Adam SchiffAdam Bennett SchiffGOP strategist confronts ex-Trump staffer: ‘I’m sick of you guys making excuses for him’ Shepard Smith goes after Trump for not condemning Russia in tweets Trump: Why didn't Obama 'do something about Russian meddling?' MORE (D-Calif.) said he wanted to keep that focus alive.

--DEM PROPOSES RUSSIAN HACKING DEFENSE CENTER: Rep. Joseph Kennedy (D-Mass.) introduced legislation on Thursday to create a response center to combat Russian cyber attacks amid ongoing probes into Moscow's interference in last year's election. Dubbed the National Russian Threat Response Center, the new initiative would be responsible for examining information relevant to Russia's online aggression and seek to close gaps in intelligence collected about the Kremlin. "Russia's attack on our election was not guided by party affiliation but instead by a deep desire to weaken trust in our institutions and shake the very foundation of our democracy," Kennedy said in a statement.

To read the rest of our piece, click here.

--MEANWHILE, PRESIDENT TRUMP DID SOME TWEETING. "They made up a phony collusion with the Russians story, found zero proof, so now they go for obstruction of justice on the phony story. Nice" (6:55 a.m.)... "You are witnessing the single greatest WITCH HUNT in American political history - led by some very bad and conflicted people! #MAGA" (7:57 a.m.)... "Why is that Hillary Clintons family and Dems dealings with Russia are not looked at, but my non-dealings are?" (3:43 p.m.)... "Crooked H destroyed phones w/ hammer, 'bleached' emails, & had husband meet w/AG days before she was cleared- & they talk about obstruction?" (3:56 p.m.).

--...TRUMP ALLY WOULD HAVE ADVISED AGAINST IT: Rep. Chris Collins (R-N.Y.), one of President Trump's most ardent allies on Capitol Hill, on Thursday criticized the timing of the president's latest tweets attacking the investigation into Russian election meddling. "I think timing could have been better on that, and I can't speak for the president, obviously he does what he does," Collins said on CNN. "Clearly, he's frustrated by the investigation, and the investigation is going to run its course, probably for many, many, many months." "I'm not counseling the president, but I would have certainly not advised that that tweet go out today, because we're still very much reacting to yesterday's shooting," he added.

--...POLL: MAJORITY ASSUME MEDDLING: A majority of American adults in a new poll thinks President Trump has tried to interfere in the investigation into Russian meddling in the U.S. presidential race. An Associated Press/NORC Center for Public Affairs Research poll found about 60 percent of Americans think Trump attempted to obstruct or impede the investigation. But opinions are largely split among partisan lines, with only about 25 percent of Republicans saying they think Trump tried to meddle in the probe. The poll also finds that 68 percent of Americans are at least moderately concerned Trump or his campaign associates had inappropriate links to Russia. Just about 30 percent of Americans said they were not concerned. Only 22 percent of Americans support Trump's decision to fire former FBI Director James Comey, compared with the more than half of Americans who disapprove of the president's decision.

To read the rest of our piece, click here.



TODAY IN QUESTIONABLE CORRELATIONS: Programmers who use spaces to format computer code make more money than those who use tabs.  



MORE FROM THE WANNA CRY FRONT: ElevenPaths, a cybersecurity division of Telefonica, found a few new odds and ends inspecting the metadata from the files in Wanna Cry.

Telefonica is intimately familiar with Wanna Cry; the Spanish telecom was one of its largest victims.

The coding of Wanna Cry has already been torn apart by researchers, who by and large believe it was filled with coding mistakes. Those include the "killswitch" that hamstrung the ransomware, poor coding practices making it easy to recover many of the encrypted files without paying, having no method to tell who paid the ransom and struggling to infect Windows XP servers.

The choice of file types used in the attack may also have been mistakes. By using document types that allowed colorful typography, the files in Wanna Cry reveal that the default keyboard setting on the computer that typed the ransom note was Korean and that it used the EMEA version of Microsoft Word.

A package of compressed files in the .zip format reveals that the attackers updated the software until 2:22 a.m. on May 12. But the attack was first seen before 2:22 a.m. in a number of time zones. Assuming the time codes were unaltered and accurate, the only time zones with a chronologically correct 2:22 a.m. are in West Africa, Western Europe, Russia, Asia and Australia.

Other notes: Metadata shows that some software was registered in the name Messi, which may be a reference to the soccer player Lionel Messi.

ElevenPaths cautions that metadata can be changed and otherwise fabricated by programmers, making it shaky evidence. The metadata may have been altered to change the keyboard settings or time codes. It's possible all of this is a red herring.

ElevenPaths notes that the programmer might not even be a fan of Lionel Messi.



REALITY WINNER'S SECURITY CLEARANCE: The leaders of a key Senate panel are pressing the federal government for information about the security clearance of a government contractor recently accused of passing classified material to a news outlet.

Reality Leigh Winner was arrested by the FBI in early June and charged in federal court with violating a section of the Espionage Act. Her arrest has been linked to The Intercept's publication of a purported classified National Security Agency document detailing Russian hacking efforts aimed at U.S. election and voting infrastructure.

Winner, an Air Force veteran, had worked as a contractor at Pluribus International Corporation, was assigned to a government facility in Georgia and held a top-secret clearance, according to the criminal complaint.

On Thursday, Sens. Ron JohnsonRonald (Ron) Harold JohnsonTrump spars with GOP lawmakers on steel tariffs Overnight Regulation: Trump unveils budget | Sharp cuts proposed for EPA, HHS | Trump aims to speed environmental reviews | Officials propose repealing most of methane leak rule Trump budget seeks savings through ObamaCare repeal MORE (R-Wis.) and Claire McCaskillClaire Conner McCaskillMcCaskill welcomes ninth grandson in a row Dem group launches M ad buy to boost vulnerable senators Senate Dems block crackdown on sanctuary cities MORE (D-Mo.) wrote to the head of the Office of Personnel Management (OPM) seeking more information about which government agency conducted Winner's initial security clearance and when. They also asked the agency to disclose the last time Winner was reinvestigated as part of her active security clearance, in addition to other inquiries.

"The leaking of classified information jeopardizes our national security," McCaskill said in a statement. "We need to determine if Ms. Winner's security clearance process was handled correctly or if we missed any red flags."

To read the rest of our piece, click here.



Links from our blog, The Hill, and around the Web.

A new Russian sanctions deal tied to Iranian sanctions cleared the Senate, but Sen. Bernie Sanders (I-Vt.) objects to the package. (The Hill)

Rep. Tom Suozzi (D-N.Y.): America must unite to fight Russian attacks on all western democracies. (The Hill)

Facebook has a new plan to target terrorist content. (The Hill)

A British hacker pleaded guilty to hacking the DOD. (The Hill)

The House looks to solve the cross border data warrant riddle. (The Hill)

Crash Override amplified electric grid hacking concerns. (The Hill)

Facebook AI taught itself to lie to get what it wants. (Quartz)

A new initiative looks to make public Congressional browsing habits. (Sophos)

The Department of Energy is injecting $250 million into supercomputer R&D. (FCW)


If you'd like to receive our newsletter in your inbox, please sign up here.