WannaCry linked to North Korean hackers

Lazarus has been previously linked to North Korea by the US government and cyber security researchers.

Symantec says it found the digital footprints of the Lazarus Group, a hacking syndicate that took data from Sony Entertainment in 2014 and stole $81 million from Bangladesh's central bank last year.

The cyberattack that infected hundreds of thousands of computers worldwide was "highly likely" to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. This is consistent with the theories of many other ransomware experts, who view WannaCry as the work of an unsophisticated group, rather than a nation-state.

Kaspersky Lab warned that the repetition of code and attack infrastructure from other operations attributed to the Lazarus Group could have been meant to mislead investigators.

For example, during the attacks against Sony, a malware family called Backdoor.Destover was deployed.

North Korea has apparently dismissed the reports.

The earlier versions and WannaCry are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit. While this isn't a smoking gun, as cybercriminals and state-sponsored groups steal and rework each other's code, it's strong evidence North Korea is involved somehow.

"The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help", Thakur said.

The initial attack was stifled when a security researcher disabled a key mechanism used by the worm to spread, but experts said the hackers were likely to mount a second attack because so many users of personal computers with Microsoft operating systems couldn't or didn't download a security patch released in March labeled "critical".

Experts monitoring violations of sanctions on North Korea for the United Nations were reportedly hit with a "sustained" cyberattack by unknown hackers earlier this month.

But Thakur said that some hackers deliberately obfuscate their language to make tracing them harder.

For example, early versions of WannaCry had a bug in the code that prevented victims from paying the ransom.

The security researcher further points out that the Lazarus Group is known for targeted, sophisticated attacks using malware tailored to each operation, and that it is unlikely they would "launch a global campaign dependent on barely functional ransomware". The hacker group has been previously linked to the 2014 Sony Pictures hack as well as the $81m (£62.3m) heist from Bangladesh's central bank in 2016.

Security researchers started to suggest possible links between WannaCry and Lazarus just days after the attack.

  • Essie Rivera