We tend to accept facts and given situations whenever we have a reliable source and a decent level of evidence. The interesting side is that howling to the moon like a group of sheep hoping the lone wolf will not hear them is an equally weird revelation. The question becomes at that point, who is the lone wolf and who are the sheep, because neither position nor identity is a given. Now, for the first art, we have the Guardian article (at https://www.theguardian.com/politics/2017/may/27/eu-theresa-may-combat-terror-brexit-europol), with the expected title ‘We need deal with the EU to combat terror, experts tell Theresa May‘, which of course gets them the DGSE, yet the usefulness of the rest becomes a bit of an issue. For this part we need to look somewhere else, and we will do that after the given quote in the mentioned article “Although our partnership with the US for intelligence sharing is extremely important, the fact is that the current terrorist threat is very much a European dimension issue. The Schengen database and knowing about who has moved where are all intimately dependent on European systems and we have got to try to remain in them“. This could be a valid and valued statement, yet is that truly the case? For this we need to take a little gander to another place of intelligence and Intel interest. The Cyber monkeys, or is that the cyber-mercenaries? The difference is merely a moment when you WannaCry 1.4. You will have heard, or perhaps read regarding the NHS as it was struck, here again we see: “However, it instead appears to be down to organisations and individuals failing to run keep Windows up to date“, which was actually voiced by NHS Digital, the failure of policies as they were not adhered to by IT staff, or at least those responsible for keeping those PC’s up to date with patches. The second quote given much earlier in the IT article is ““To be abundantly clear, the recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing,” wrote James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT)“, which is where I have been all along. The one nation that has less computer and internet innovation than a Nintendo GameCube sets this level of hardship? It is just too whack for thought. It is the quote “At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT” that changes the game. In addition we see: “The publication referred to “digital crumbs” that the cyber security firm had traced to previous attacks widely attributed to North Korea, like the Sony Pictures hack in late 2014″, we will exclude the quote “Shadow health secretary Jon Ashworth has said Labour would invest an extra £5 billion into new IT infrastructure for the NHS, after hospitals and services were affected by the widespread Ransomware attack on Friday“, especially as Labour had in the previous government wasted £11.2 billion on an IT system that never worked, so keeping them away from it all seems to be an essential first.

The issue is now in several phases. Who got hit (those not updating their systems). It affected according to some sources thousands of systems, yet when it comes to backtracking to a point of origin, the Cyber Intelligence groups remain unclear. The IT article (at http://www.itpro.co.uk/security/28648/nhs-ransomware-north-korea-may-not-be-behind-wannacry), gives us a few things, yet the clear reference to the Guardians of Peace, the identity the hackers had given themselves in the Sony event gives a few additional worries. Either this is clearly a mercenary group without identity, or we have a common new issue on identity when it comes to Cyber criminals. You see, as we see more and more proclaiming the links between the Lazarus group and North Korea, we do not get to see a clear link of evidence. Many sources give us ‘could be linked‘, or ‘highly likely‘, which is an issue. It makes the evidence too shallow and circumstantial. The NY Times gives us (at https://www.nytimes.com/2017/05/22/technology/north-korea-ransomware-attack.html) yet they are basically stating what Symantec game us and mention that. My issue here is “But the hackers left behind a trail of digital crumbs that Mr Chien and his colleagues had traced to previous attacks by the Lazarus Group“, what if the crumbs were an intentional side? You see, the quote “another group of hackers that call themselves the Shadow Brokers published the details of National Security Agency hacking tools that the WannaCry hackers were able to use to add muscle to their attacks” give a different light. The fact that there is a team reengineering tools and flaws to get somewhere fast is one. We have seen the lack of actual cyberpower of North Korea in the past, the fact that they are regarded on the same level as Chinese Cyber forces is a bit silly. You see, any country has its own level of savants, yet the fact that North Korea, a nation as isolated as it is, gets to be on par with China, an actual superpower that has Cyber infrastructures, experts at the University of Shanghai (the white paper on cracking AES-256, 2001), as well as a growing IT technology base is just a little too whack.

This now reflects back to the European need of Schengen. The UK needs quality intelligence and with the US breaches of Manchester, the fact that no high quality evidence was ever given regarding the Sony Hack, the growing source of all kinds of hacker names and no validity or confirmable way to identify these groups leaves us with a mess that pretty much anyone could have done this. In light of the NSA flaw finders, there is now more evidence in the open giving the speculative hacker as one with skills that equal and surpass people graduating with high honours at MIT, than anything North Korea could produce. It does not put North Korea in the clear (well the fact that the generals there had no comprehension of a smartphone should be regarded as such), and as we see the entire Bitcoin go forward, we need to take more critical looks at the given evidence and who is giving that evidence. We all agree that places like Symantec and Kaspersky should be highly regarded, yet I get the feeling that their own interns know more about hacking then the sum of the population of all North Koreans do, which is saying a lot. We see supportive evidence in the Business Insider (at http://www.businessinsider.com/wannacry-ransomware-attack-oddities-2017-5). Here we see IBM with “IBM Security’s Caleb Barlow, researchers are still unsure exactly how the malware spread in the first place. Most cybersecurity companies have blamed phishing emails — messages containing malicious attachments or links to files — that download the ransomware. That’s how most ransomware finds its way onto victims’ computers. The problem in the WannaCry case is that despite digging through the company’s database of more than 1 billion emails dating back to March 1, Barlow’s team could find none linked to the attack“, one billion emails! That is what we call actual evidence and here IBM is claiming that the issue of HOW the malware spread remains a mystery. Now, can you see that the entire North Korean issue is out of touch with the reality of Common Cyber Sense and Actual Cyber Security? Two elements, both are essential in all this. It is the lack of actual evidence that seems to be the issue, giving us the question, who wants the North Korea issue propagated? Any answer here is more likely to be political than anything else, which now gives us additional questions on where for Pete’s sake the need of European Intelligence remains as they fall short of providing answers. In light of the Schengen database. Why would that not be shared? If the US has access as a non-European, non-EC nation, why would the UK, a clear European nation be barred from access? With all the flawed acts by the US, having actual professionals look at Schengen data, seems to be an elemental first, would you not agree?

An additional question would be on how these Bitcoins would be cashed, it is not like an isolated nation like North Korea ever had a flying business in Bitcoins in the first place. It is actually (yes, I am shocked too), that quality information comes from PwC. In this case Marin Ivezic, a cyber-security partner. He gives us “EternalBlue (the hacking tool) has now demonstrated the ROI (return on investment) of the right sort of worm and this will become the focus of research for cybercriminals“, which would be a clear focus for veteran cyber criminals, yet the entire re-engineering foundation gives another slice of circumstantial evidence that moves us actually away from North Korea. So in this we have two elements. As the FBI and CIA have been all about pointing towards North Korea, the question becomes, where do they not want us to look and whatever else do they not have a handle on? These points are essential because we are shown an elemental flaw in Intelligence. When the source is no longer reliable, why would they be around in the first place? We can agree that governments do not have the goods on Cyber criminals, because getting anything of decent value, tends to require inside knowledge, which is the hardest to get in any case, especially with a group as paranoid as cyber criminals. The second side is that China and Russia were on the list as one of the few abled parties to get through Sony, yet Russia has fallen of the map completely in the last case, that whilst they are actually strengthening ties with North Korea. That does not make them guilty, yet on the sale required Russia was one of the few with such levels of Cyber skills. The fact that we see in the NY Times that it is too early to blame North Korea is equally some evidence, it gives vision to the fact that there are too many unknowns and when IBM cannot give view of any mail that propagated the worm, gives additional consideration that there are other places who cannot claim or show correctly how the worm got started, which is now an additional concern for anyone altering the work for additional harm. As the point of infection is not known, stopping the infection becomes increasingly difficult, any GP can tell you that side of the virus. There is one more side I would like to raise. This comes from a source (at http://securityaffairs.co/wordpress/59458/breaking-news/wannacry-linguistic-analysis.html), it is not a journalistic source, or a verified source, so please take consideration that this news could be correct. It is however compelling. The quote ““The text uses certain terms that further narrow down a geographic location. One term, “礼拜” for “week,” is more common in South China, Hong Kong, Taiwan, or Singapore. The other “杀毒软件” for “anti-virus” is more common in the Chinese mainland.” Continues the analysis “Perhaps most compelling, the Chinese note contains substantial content not present in any other version of the note, is lengthier, and differs slightly in format.” The English note of the ransomware appears well written, but it contains a major grammar mistake that suggests its author is either not a native speaker or possibly someone poorly educated“, that would make sense, yet how was that source acquired?

The second quote: ““Given these facts, it is possible that Chinese is the author(s)’ native tongue, though other languages cannot be ruled out,” Flashpoint concluded. “It is also possible that the malware author(s)’ intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.” The Flashpoint analysis suggests attackers may have used the Lazarus code as a false flag to deceive investigators, a second scenario sees North Korean APT recruiting freelance Chinese hackers to conduct the campaign” gives us a few elements, the element of misdirection, which I had noted on from other sources and the element that North Korea is still a consideration, yet only if this comes from a freelance hacker, or someone trying to get into the good graces of Pyongyang, both options are not out of the question as the lack of Cyber skills in North Korea is a little too well set from all kinds of sources. The writer Pierluigi Paganini is a Cyber professional. Now even as Symantec’s Eric Chien is from California, did they not have access to this part and did no one else correctly pick up on this? As I stated, I cannot vouch for the original source, but as I had questions before, I have a few additional questions now. So, exactly how needed is European Intelligence for the UK? I think that data should be shared within reason. The question becomes, how is Schengen data not shared between governments? The Guardian gives us “After the Manchester attack, which killed 22 people and left dozens of others grievously injured, it was revealed that suicide bomber Salman Abedi had travelled back to England from Libya via Turkey and Dusseldorf four days before the attack“, so how reliable is Turkish intelligence in the first place? How could he have prepared the bomb and get the ingredients in 4 days? There is an additional view on ISIS support active in the UK, yet as we now see that this drew attention to him, why on earth was the trip made? Also, was Libya or Mecca the starting point (source: claim from the father in earlier Guardian article)? How would sharing have resolved this?

Now look at this in light of the US leaks and the Cyber Intelligence of a dubious nature. There is a growing concern that the larger players NSA, DGSE, GCHQ have flaws of their own to deal with. As they are relying more and more on industry experts, whilst there is a lack of clear communication and reliable intelligence from such sources, the thoughts now become that the foundation of fighting terror is created by having a quality intelligence system that recognises the need for Cyber expertise is becoming an increasing issue for the intelligence branch. Should you wonder than, then reconsider the quote: ‘demonstrated the ROI (return on investment) of the right sort of worm and this will become the focus of research for cybercriminals‘, if you think that cyber jihadists are not considering the chaos that they could create with this, then think again. They will use any tool to create chaos and to inflict financial and structural damage. They might not have the skills, yet if there is any reliable truth to the fact that the Lazarus group is in fact a mercenary outfit, there would be enough critical danger that they will seek each other out, that is providing that ISIS could bring cash to that table. I have no way of telling how reliable or how certain such a union could be. What is a known is that Sir Hugh Orde is not answering questions, he is creating them, as I personally see it. The quote “UK membership of EU bodies such as Europol and Eurojust, which brokers judicial co-operation in criminal cases, not only allowed access to huge amounts of vital data, but also meant UK police could set up joint inquiries with German police or those from other national forces without delay“. You see, the UK remains part of Europe and Interpol existed before the EC, so as we now see the virtual creation of red tape, the question becomes why the EU has changed rules and regulations to the degree that the UK would fall out of the boat. Is it not weird that the EU is now showing to be an organisation of exclusion? Even if we laugh on the ridiculous promises that Corbyn is making, just to be counted shows that there is a larger problem in place. Why is there suddenly a need for 1,000 more intelligence staff? Can we not see that the current situation is causing more issues then resolve them? As such, is throwing money and staff on a non-viable situation nothing less than creating additional worries?

The last part is seen in “The Schengen database and knowing about who has moved where are all intimately dependent on European systems and we have got to try to remain in them“, yet this does require all players to enter the data accurately, in addition, that only applies to people entering Schengen, yet as has been shown in the past, after that getting locations on people is becoming an increasingly difficult problem. The fact that after the Paris attacks, some people of interest were found to be in Belgium is one side, the fact that these people could have met up with all kinds of contacts on the road is another entirely. The truth is that the intelligence branch has no way of keeping track in such details. In addition we have seen that the list of people of interest is growing way beyond normal means and organising such data streams and finding new ways not just to find the guilty, but to decrease the list by excluding the innocent is growing in complexity on a nearly daily basis. And that is before the cyber mess is added to the cauldron of nutrition. There is at least a small upside, as the technology stream will soon be more and more about non-repudiation, there will be additional sources of information that adds the branches by pruning the list of people of interest. The extent of pruning is not a given and time will tell how this is resolved.

It all affects the evidence that the parties hold and how it is applied, it remains a matter of time and the proper application of intelligence.