Analysis of Competing Hypotheses, WCry and Lazarus (ACH part 2), (Wed, May 31st)

May 31st, 2017
by The Feeder


In my previous diary, I gave a very brief introduction to the ACH method [1], so that all readers, including those who had never seen it before, share a common basic understanding of it. One thing I have not mentioned yet is how the scores are calculated. There are three different algorithms: an Inconsistency Counting algorithm, a Weighted Inconsistency Counting algorithm, and a Normalized algorithm [2]. The Weighted Inconsistency Counting algorithm, the one used in today's examples, builds on the Inconsistency algorithm, but also factors in weights of credibility and relevance values. For each item of evidence, a consistency entry of I
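A small scorer for the Inconsistency Counting and Weighted Inconsistency Counting algorithms named above, added here as an example; it is not the author's Excel template or the PARC tool's code. It assumes the PARC tool's convention of I = -1 and II = -2 with credibility and relevance weights Low = √2/2, Medium = 1 and High = √2, and the hypotheses HA to HC and the evidence matrix are constructed for illustration.

```python
import math

# Assumed scale (PARC ACH tool convention): only inconsistency counts against a
# hypothesis; consistent (C/CC), neutral (N) and not-applicable (NA) score zero.
CONSISTENCY = {"CC": 0, "C": 0, "N": 0, "NA": 0, "I": -1, "II": -2}
# Assumed credibility/relevance weights: Low, Medium, High.
WEIGHT = {"L": math.sqrt(2) / 2, "M": 1.0, "H": math.sqrt(2)}


def score(matrix, weighted=True):
    """Score each hypothesis over rows of (credibility, relevance, ratings).

    weighted=False gives plain Inconsistency Counting; weighted=True multiplies
    every entry by the evidence item's credibility and relevance weights.
    """
    totals = {}
    for cred, rel, ratings in matrix:
        w = WEIGHT[cred] * WEIGHT[rel] if weighted else 1.0
        for hyp, rating in ratings.items():
            if rating not in CONSISTENCY:
                raise ValueError(f"unknown consistency rating: {rating!r}")
            totals[hyp] = totals.get(hyp, 0.0) + CONSISTENCY[rating] * w
    return {hyp: round(total, 3) for hyp, total in totals.items()}


def rank(scores):
    """Order hypotheses from least to most inconsistent with the evidence."""
    return sorted(scores, key=lambda hyp: scores[hyp], reverse=True)


# Constructed sample matrix (not the WCry evidence from this diary):
# one row per evidence item = (credibility, relevance, rating per hypothesis).
SAMPLE = [
    ("L", "L", {"HA": "I", "HB": "C", "HC": "N"}),
    ("L", "L", {"HA": "I", "HB": "C", "HC": "I"}),
    ("H", "H", {"HA": "C", "HB": "I", "HC": "II"}),
    ("H", "M", {"HA": "N", "HB": "C", "HC": "I"}),
]

if __name__ == "__main__":
    for label, flag in (("counting", False), ("weighted", True)):
        result = score(SAMPLE, weighted=flag)
        print(label, result, "->", rank(result))
```

On this matrix plain counting ranks HB first, while the weighted variant ranks HA first, because HA's two inconsistencies rest on low-credibility, low-relevance evidence.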

Today, I will apply ACH to a recent and quite well-known case: WCry attribution. There has been a lot of analysis and speculation around it; lately several sources in the InfoSec community tied WCry strongly to Lazarus Group [3][4][5][6], while others provided reasons for being skeptical about such attribution [7]. It is therefore a perfect case to show the use of ACH: several different hypotheses, facts, evidence and assumptions.

Digital Shadows WCry ACH analysis

About two weeks ago, Digital Shadows published a very well done post on ACH applied to WCry attribution [8]. Regarding possible attribution to Lazarus though, as stated in their post, "At the time of writing, however, we assessed there to be insufficient evidence to corroborate this claim of attribution to this group, and alternative hypotheses should be considered." Therefore, the hypotheses considered do not include one specifically for Lazarus, which is covered instead by a more generic nation state or state-affiliated actor. The following are the four different hypotheses considered by Digital Shadows:

  • A sophisticated financially-motivated cybercriminal actor – H1
  • An unsophisticated financially-motivated cybercriminal actor – H2
  • A nation state or state-affiliated actor conducting a disruptive operation – H3
  • A nation state or state-affiliated actor aiming to discredit the National Security Agency (NSA) – H4

Given the final scores computed, they assessed that "though by no means definitive, a WannaCry campaign launched by an unsophisticated cybercriminal actor was the most plausible scenario based on the information that is currently available." Just one note from my side: from my calculation it seems they made a mistake, and the H2 score should be -2.121 rather than -1.414. This does not change the final result, but brings H2 and H4 way closer.

My WCry ACH Analysis

Although the Digital Shadows analysis was a very good one, I felt something was missing, both on the hypotheses and on the evidence side. In particular, I would add three more hypotheses.

When thinking about the NSA being the final target of this, other than "a nation state or state-affiliated actor aiming to discredit the NSA", I think one should also consider a (generic/unattributed) TA aiming at unveiling/exposing the extent of the possible NSA network of compromised machines (H5). This is something one would perhaps expect from a hacktivist, although it seems to be way more sophisticated than what hacktivists have got us used to. One difference from H4 could be the lack of a supporting media narrative. Whoever wants to discredit the NSA would have a supporting media narrative ready, whereas if the goal was simply to unveil and show everyone the potential extent of NSA-infected machines, the infection as it was would have been sufficient, given also the abundant media coverage it got. Although this may still be seen as too close to H4 to be a different hypothesis, I still do see a case for it.

The other hypothesis I'm considering is the Shadow Brokers being behind it (H6). This is because they had collected some big failures in their previous attempts at monetizing their dumps, as apparently not much credit was given to them or to the quality of their claims. The WCry incident proved the high quality of their leak. As one of the arguments for this, by timely coincidence, as soon as the first Lazarus attribution started to come up, SB announced their "data dump of the month" service [9]. How many people will now think more about buying their offer?

Finally, I believe a specific hypothesis for Lazarus, other than a generic nation state actor, is needed given the number of reports and evidence attributing WCry to it (H7). If I consider Lazarus, I consider financial gain as the motivation behind it, since historically this has been its focus and ransomware is indeed a lucrative market. However, H7 would be inconsistent with the failure to decrypt after the ransom was paid. This does not serve as good advertisement, and fewer victims would start paying once the rumor that files won


While from the results above there seems to be a clear winner in H5, a (generic/unattributed) TA aiming at unveiling/exposing the extent of the possible NSA network of compromised machines, what I see in cases like this are three clear losers: H1, a sophisticated financially motivated attacker; H3, a nation state or state-affiliated actor conducting a disruptive operation; and H7, Lazarus Group. I would then focus on looking for other elements with regard to the hypotheses that are left in the refinement phase.

Given that ACH is done better when multiple analysts contribute their views, please share your feedback. As the guys at Digital Shadows stated too, my analysis is by no means definitive either.

Finally, I'm sharing the Excel template I made and use to do ACH, for those who would like to experiment with it. You can find it here

Happy Hunting,


[1] P. Stirparo, Analysis of Competing Hypotheses (part 1)
[2] Palo Alto Research Center, ACH1.1: A Tool for Analyzing Competing Hypotheses
[3] Neel Mehta,
[4] Kaspersky, WannaCry and Lazarus Group – the missing link?
[5] Symantec, WannaCry: Ransomware attacks show strong links to Lazarus group
[6] BAE Systems, WanaCrypt0r RansomWorm
[7] ICITech, There's Proof That North Korea Launched the WannaCry Attack? Not So Fast! – A Warning Against Premature, Inconclusive, and Distracting Attribution
[8] Digital Shadows, WannaCry: Analysis of Competing Hypotheses
[9] The Shadow Brokers, OH LORDY! Comey Wanna Cry Edition

Pasquale Stirparo, Ph.D. @pstirparo

(c) SANS Internet Storm Center. Creative Commons Attribution-Noncommercial 3.0 United States License.
