News agencies around the world are claiming that the computer virus known as Wanna Decryptor 2, or WannaCry, was designed and released by a DPRK-sponsored cyber-warfare team nicknamed Lazarus. The deceitful media claims worldwide were based on a single source: Simon Choi, a director of Seoul-based Hauri, the producer of computer-security software called ViRobot.
Analysis of hard evidence and background events shows Lazarus to be a fictitious entity, the villain in a charade to shield the actual perpetrators of WannaCry and previous cyber-attacks including DarkSeoul and the devastating strike against Sony Pictures Entertainment.
The facts gathered for this investigative report on the “Lazarus Deception” indicate that Hauri is a cyber-espionage group and propaganda voice for South Korea’s National Intelligence Agency (NIS, formerly known as the KCIA) and a vehicle for psychological operations (psy-ops) by that country’s Defense Ministry. Its role in the WannaCry cover-up shows that the NIS acts in partnership with the US National Security Agency (NSA) and Japan’s National Institute of Information (NII).
A ghost “army of 6,000 North Korean hackers” is the stuff of computer games, which exists only in the imagination of Choi, a gaming addict and propaganda mouthpiece, who is certainly not a credible computer expert. Before taking apart his nonsensical web of childish lies, allow me first to castigate Reuters, AP and other shameless media stooges for serving as willing pawns of the remnant Cold War establishment.
Can a robot be trusted?
Up-to-date anti-virus knowledge is a key element for hacking, especially penetration of the computer networks of leading nation-states. As in a ninja raid on a heavily guarded castle, a successful offense must rely on a thorough knowledge of the defenses.
The news media on the isolated tip of peninsular South Korea has touted Hauri’s ViRobot as “the world’s best computer security system”, thereby revealing an abysmal ignorance of cyber-espionage.
The US Department of Homeland Security (DHS) has the opposite opinion, as shown in its National Vulnerability Database (NVD), which states: the “filescan in Global Hauri ViRobot 2.0 does not verify the Cookie HTTP header, which allows remote attackers to gain administrative privileges via an arbitrary cookie value.”
ViRobot is spyware, which can be remote-controlled by third parties, presumably the South Korean intelligence services. Seven hidden doorways for hackers in the Hauri software were discovered by CVE (Common Vulnerabilities and Exposures), an index for the computer industry approved by the US National Institute for Standards and Technology (NIST) and the US Defense Information Systems Agency (DISA). Cyber-espionage activities put Hauri on the National Security Agency’s suspect list in 2015, indicating past attempts to hack America’s military and intelligence computer systems.
For a leading computer-protection software and consulting company in the same market as Samsung, Hauri remains a shadowy entity. Founded in March 1998, the private company keeps a low profile under its latest CEO Heechung Kim, who replaced Young-Kwon Hyun. Despite its pathetically weak sales volume, the company has overseas offices in Southern California, Mexico, Brazil, India and Chile.
Agents of the Japanese spy service
Hauri’s first CEO Seok-chul Kwon is a member of the tight-knit Association of Asian Anti-Virus Researchers (AAVR). The regional group is sponsored by the Japan Computer Security Research Center (JCSR) under Japan’s National Institute of Information (NII). Hauri has received a reward for collaboration with Japan’s cybersleuths in a contract with Fujitsu, which appears to be a political payoff.
AAVR founder Seiji Murakami is the founder of JADE, the first computer-security provider to the government of Japan, which later formed a partnership with McAfee. Murakami has served also as the chief anti-virus expert with the government’s powerful MITI/METI trade ministry, which sponsors the external trade office known as JETRO.
During the early 1990s, Shinzo Abe was assigned to the JETRO office in New York City for cyber-espionage to hijack advanced weapons designs from the Pentagon’s DARPA network. His chief hacker was a national champion computer-gamer recruited from Tokyo University who was a member of the Aum Shinrikyo sect, which was later enmeshed in the subway gassing. (My knowledge of this black operation is due to the fact that the hacker’s newlywed wife, one of the top translators in my newspaper section, mysteriously left for the US to work for Abe.)
Collaborating with Japanese intelligence
This early history of cyber-security reveals the existence of a joint South Korea-Japan cyber-espionage project, which often uses so-called “North Korean hackers” and “Lazarus” to camouflage their hacking against “allies” such as the United States and more overt attacks against foes including China and Russia. As for the DPRK’s potential, Pyongyang still lacks the capability in hardware, software and cryptography skills to be a significant player in these cyber-spy games.
The Japan-funded Asian Anti-Virus Researchers’ recent annual conference was held from late November to early December 2016 in Kuala Lumpur, the Southeast Asia regional center for South Korean-Japanese joint intelligence operations. That was less than four months prior to the assassination of Kim Jong-Nam at Kuala Lumpur International Airport (KLIA). It can be assumed from the video drama at KLIA that the complex method of killing and the disinformation campaign were planned well in advance.
This year’s AAVR conference is scheduled for Beijing, a few months after China’s financial centers were the major target for the NSA-launched WannaCry outbreak. (In previous articles, I have charted out the players, motives and methods in that global cyber-attack.)
The Korean-Japanese collaboration in foreign cyber-espionage and secret joint development of anti-virus tools is a legacy of the “special relationship” between South Korean military intelligence and the right-wing of the Liberal Democratic Party, which is historically based in the Kempeitai (憲兵隊), Japan’s internal security force and military police corps during the colonial and wartime era. Park Chung-Hee was a product of this institution, so thoroughly indoctrinated in the Tokyo-headquartered military middle school and high school (陸軍士官学校, Rikugun Shikan Gakko) that he became more fluent in Japanese than in any dialect of Korean.
Park served in the Manchukuo military occupation army as an intelligence officer under the name Takagi Masao (高木正雄), and later with the pseudonym Okamoto Minoru (岡本実) spied on anti-colonialist independence fighters. Park’s obsession with suppressing Korean nationalism is reflected in Operation Lazarus, a two-edged sword directed against Pyongyang and South Korean supporters of reunification.
The Boy Who Cried ‘Wolf!’
As with the limited information about his bosses, nothing substantive has ever been disclosed about the background and education of Simon Choi, Hauri’s “cyber-security expert” and the news media source on Lazarus.
His most laughable mistake was to swallow the NSA disinformation about the theft of $81 million from the central bank of Bangladesh, which was held in an account at the Federal Reserve Bank of New York. Using a commercial SWIFT bank transfer to rob the Fed is nonsense, since even much smaller sums must be cleared by a manager and by interbank communications by voice and text.
The financial background to the confiscation of the Bangladeshi funds is that Dacca has amassed a sovereign debt of more than $26 billion, meaning that the nation is technically insolvent. The removal of $81 million from its Fed account, which served as a small guarantee on debt repayment, is a warning signal to Dacca that if it doesn’t get its balance sheet under control, there will soon be even more dire action taken by a foreign creditor known as Uncle Sam. The US Treasury is the only power that can seize and impound funds held in the Federal Reserve system, regardless of the fine print under international banking accords.
The blame was cast on North Korean hackers because the DPRK is not a signatory of the World Bank and IMF system. Repeating the deliberate disinformation from Fed officials proves that Choi is a brainless twit who acts as a mouthpiece for cynical officials at the US Embassy in Seoul. He should know also that it is much more feasible for a human to walk on Mars than for any hacker team, including Ocean’s Eleven and Mission Impossible, to rob the Federal Reserve.
On his Twitter account, Choi posted a huge chart of more than 40 alleged online bank robberies allegedly committed by North Korean hackers. The pattern of thefts has one thing in common: a line drawn to the Postal and Telecommunications Bank of North Korea. Among the international banks allegedly fooled into sending funds directly into North Korean accounts were supposedly Wells Fargo and Citibank in New York. Since when have US banks broken economic sanctions by allowing fund transfers from New York to Pyongyang? So what is Choi’s bigger sin: deceitfulness or stupidity?
Then, in ignorance of the Shadow Brokers theft of WannaCry among the many cyber-weapons stolen from the NSA in August, and its subsequent cat-and-mouse game with Microsoft starting in January, Choi posted: “According to recent intelligence, North Korean hackers have begun making Ransomware. (Dec, 2016)” Contrary to his ridiculous accusations, WannaCry and its keyhole, the EternalBlue exploit, had absolutely nothing to do with the North Koreans. Read up on Shadow Brokers to learn the basics of cyber-espionage, cyberpunk.
The NSA’s chorus of “security” experts
Tweets from Kaspersky Lab security experts Juan Guerrero-Saade and Costin Raiu, the latter a Romanian, and Matt Suiche at MoonSol, show how cyber-security nerds are so desperate for their 15 minutes of fame earned by blaming the North Koreans. At first glance, it is astonishing that Kaspersky staffers would join the chorus after the Shadow Brokers (who are former NSA contractors) stressed that NSA-Equation have planted agents inside every major computer-security company, even in Moscow.
Google, like a Pope of Cyberspace, gave its blessing to the deception with a false positive from Neel Mehta linking WannaCry to Lazarus and therefore by implication putting blame on the North Koreans to avoid embarrassing the NSA over its Shadow Brokers fiasco.
On May 15, satisfied that the major players had all joined the NSA cover-up, Choi tweeted a Reuters headline: “BREAKING: Symantec, Kaspersky looking into technical clues that suggest North Korea-linked Lazarus Group may be behind global cyber attack.”
The Western news media immediately picked up comments from Choi, “their man in Seoul”, to spread the falsehood. Repeat a lie a hundred times and it becomes the truth. Oh my gosh, the North Koreans did it! Shadow Brokers? Never heard of them . . . . Nerds, spineless cowards, pathetic liars all!
Reuters reported: “’It (WannaCry) is similar to North Korea’s backdoor malicious codes,’ said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service. . . . Hauri researcher Choi said the code bore similarities with those allegedly used by North Korean hackers in the Sony and bank heists. He said based on his conversations with North Korean hackers, the reclusive state had been developing and testing ransomware programs since August (2016).”
This leading “cyber-sleuth”, who claims to converse with North Korean hackers (don’t laugh too hard), missed a key point: Why would the nefarious saboteurs at Lazarus bother to install a kill-switch into the WannaCry code? Since when do evil hackers worry about rescuing their victims?
DarkSeoul written in Israel
Lazarus was also blamed for DarkSeoul, a virus that hit two small South Korean banks and national TV stations in 2013. Simon Choi got his first minutes of fame back then by blaming the ghost army of North Korean hackers. In hard fact rather than fuzzy fiction, the code for DarkSeoul was based on the Israeli hacker program Shamoon, a virus that shut down workstations at the Saudi Aramco petroleum company in 2012, a year after 911. Shamoon, DarkSeoul, Sony-Lazarus and WannaCry are all derivations of a code created by the Israel Defense Force (IDF) cyber command. None of those hacks has anything to do with North Korea.
It all makes one wonder whether South Korean intelligence agencies adapted the DarkSeoul code to produce the “Lazarus-created” virus that took down Sony’s in-house network. Sony, after all, is the great rival of South Korea’s high-tech industry. Prior to the Sony affair, Google chairman Eric Schmidt, a video crew from VICE TV, and NBA player Dennis Rodman visited Pyongyang to tour its new Internet facilities. That politically odd but perfectly timed visit was just before the announcement of the release of the Sony movie “The Interview” and the so-called Lazarus cyber-attack. It all reeks of cyber-espionage.
In that same year, Schmidt spent a lot of days in Seoul, even dancing with Psy, the master of Gangnam style. Since then, Google has opened its first campus in Asia – in Seoul in 2015. Are we by now getting closer to the origins of Lazarus?
South Korea has the world’s highest rate of computer break-ins, which doesn’t say a lot for ViRobot, which from the evidence appears to be a tool for military and police online surveillance and tracking of the South Korean population. Hauri is part of the cancer of online surveillance spreading through cyberspace, which promotes the return of militarism, neocolonialism and domination by the war industry.
The threat to internet freedoms on the Korean Peninsula isn’t coming from across the DMZ but is home-made in Seoul. Following the ouster of the Park dynasty from the Blue House, radical surgery is urgently needed in order to protect the user’s right to online privacy, confidentiality and safe navigation.
Yoichi Shimatsu, Senior Advisor and Contributing Editor for The 4th Media, who was formerly an editor with the Japan Times, is a science journalist who writes for Fourth Media.
The 4th Media