Microsoft may have provided a security update to protect against the world-wide WannaCry ransomware crisis, but we still don’t know who was behind the attacks. According to cybersecurity experts, one of the prime suspects starting to emerge is none other than North Korea-run hackers the Lazarus Group.
Researchers from Symantec, Google, Kaspersky, and South Korea’s Hauri Labs have all found similarities in the WannaCry code and tools created by the Lazarus Group, which was behind the 2014 Sony Pictures hack and the heist on a Bangladeshi bank last year.
Google security researcher Neel Mehta was the first to discover the possible connection. He found links between the ransomware, which has infected hundreds of thousands of computers across 150 countries, and a strain of malware called Contopee that was used during the $81 million hit on the Bangladeshi Bank’s US Federal Reserve account in 2016.
Similitude between #WannaCry and Contopee from Lazarus Group ! thx @neelmehta - Is DPRK behind #WannaCry ? pic.twitter.com/uJ7TVeATC5
— Matthieu Suiche (@msuiche) May 15, 2017
Security firm Kaspersky has cautiously acknowledged the link. "Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” the Russian firm wrote in a blog post. "We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry.”
Kaspersky did add, however, that more research is required before a solid connection can be made. "Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus Group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots," the company added.
Simon Choi, a senior researcher with Hauri who has studied North Korea’s hacking program extensively, also believes that WannaCry is linked to the hermit nation. "It is similar to North Korea's backdoor malicious codes," he said, adding that the country has been developing and testing ransomware since last August.
Others are more skeptical about the Lazarus Group connection. "The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller told Reuters.
There’s always the chance that someone could have just copied the code used by Lazarus in its earlier attacks, or purposely made it look as if the group was responsible, but Kaspersky says the “false flag” theory is improbable.
Echoing the opinion of researchers, U.S. and European security officials told Reuters it was too early to say for definite who is behind WannaCry, but North Korea wasn’t being ruled out.
The creators of the malware have reportedly received just $50,000 worth of bitcoin ransom as a result of the hack. It seems the bigger winners are the cybersecurity firms; the five biggest companies in the industry saw their market capitalization rise almost $6 billion over the weekend, with shares in Symantec alone adding $750 million to its market cap.
