Cybersleuths unearth more clues linking WannaCry to North Korea

Cybersecurity researchers at Symantec and FireEye have uncovered more evidence tying this month’s WannaCry global ransomware attacks to North Korea.

The cyberattack that infected hundreds of thousands of computers worldwide was “highly likely” to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report late Monday.

NHS-hospital-CROP.jpg
The Royal Homeopathic hospital stands in Great Ormond Street, in London, U.K., on Wednesday, March 19, 2008. The NHS treatment takes place at the hospital which is based in central London. Photographer: Graham Barclay/Bloomberg News

FireEye on Tuesday agreed WannaCry shared unique code with malware previously linked to North Korea. “The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators,” says Ben Read, a FireEye analyst.

North Korean diplomats and official media have denied in recent days that the country played any role in the attacks.

WannaCry, the malware behind a global cyberattack dubbed “unprecedented” by Europol, infected an estimated 200,000 computers worldwide, infiltrating global institutions from the UK’s National Health Service to FedEx and PetroChina. It gave its victims 72 hours to pay typically $300 in bitcoin or risk permanent loss of data. As of last Friday however, the estimated total amount of ransom paid failed to hit six figures.

The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn’t or didn’t download a security patch released in March labeled “critical.”

Last week, a Google researcher posted on Twitter that an early version of WannaCry shared some of the same programming code as malicious software used by Lazarus, the alleged North Korean government hackers behind an attack on Sony in 2014 and the theft of $81 million from a Bangladeshi central bank account at the New York Fed last year.

Other researchers have speculated that if the perpetrators were indeed North Korean, their intent may have been to cause a widespread Internet outage to coincide with a scheduled missile test.

“Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign,” Symantec wrote in its report.

For reprint and licensing requests for this article, click here.