North Korea starts to emerge as prime suspect behind WannaCry ransomware

By midian182 ยท 13 replies
May 16, 2017
Post New Reply
  1. Microsoft may have provided a security update to protect against the world-wide WannaCry ransomware crisis, but we still don’t know who was behind the attacks. According to cybersecurity experts, one of the prime suspects starting to emerge is none other than North Korea-run hackers the Lazarus Group.

    Researchers from Symantec, Google, Kaspersky, and South Korea’s Hauri Labs have all found similarities in the WannaCry code and tools created by the Lazarus Group, which was behind the 2014 Sony Pictures hack and the heist on a Bangladeshi bank last year.

    Google security researcher Neel Mehta was the first to discover the possible connection. He found links between the ransomware, which has infected hundreds of thousands of computers across 150 countries, and a strain of malware called Contopee that was used during the $81 million hit on the Bangladeshi Bank’s US Federal Reserve account in 2016.

    Security firm Kaspersky has cautiously acknowledged the link. "Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” the Russian firm wrote in a blog post. "We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry.”

    Kaspersky did add, however, that more research is required before a solid connection can be made. "Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus Group. In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots," the company added.

    Simon Choi, a senior researcher with Hauri who has studied North Korea’s hacking program extensively, also believes that WannaCry is linked to the hermit nation. "It is similar to North Korea's backdoor malicious codes," he said, adding that the country has been developing and testing ransomware since last August.

    Others are more skeptical about the Lazarus Group connection. "The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller told Reuters.

    There’s always the chance that someone could have just copied the code used by Lazarus in its earlier attacks, or purposely made it look as if the group was responsible, but Kaspersky says the “false flag” theory is improbable.

    Echoing the opinion of researchers, U.S. and European security officials told Reuters it was too early to say for definite who is behind WannaCry, but North Korea wasn’t being ruled out.

    The creators of the malware have reportedly received just $50,000 worth of bitcoin ransom as a result of the hack. It seems the bigger winners are the cybersecurity firms; the five biggest companies in the industry saw their market capitalization rise almost $6 billion over the weekend, with shares in Symantec alone adding $750 million to its market cap.

    Permalink to story.

  2. frostyshield

    frostyshield TS Enthusiast Posts: 40   +44

    Suddenly everyone forgets the NSA has tools to fake who did an attack...
  3. ypsylon

    ypsylon TS Booster Posts: 114   +21

    NK isn't worried. They can take blame for everything.

    It will be a propaganda tool like no other:

    "We are responsible for this, that and few other things. Tremble you stupid imperialist dogs before our Dear Marshall might."
    Darius Moon and andres meza like this.
  4. Uncle Al

    Uncle Al TS Evangelist Posts: 3,355   +2,004

    Initially I scoffed at the idea that N. Korea could be behind this attack, but after news of it's simplicity came out I think there is a slightly better than 50/50 chance it could be them. On the flip side, the recent report of hacking world wide still shows that the USA has the highest number of hackers around the world (no mention if NSA or CIA were included). Sadly, the same thing that makes bitcoins great also makes it more difficult to track down the instigators.
  5. I seriously doubt NK is behind this massive cyber attack.
    Darius Moon likes this.
  6. VitalyT

    VitalyT Russ-Puss Posts: 3,670   +1,959



    Last edited: May 16, 2017
    Darius Moon, Phr3d, qking and 4 others like this.
  7. How can we know what to believe anymore. Is this another Gulf of Tonkin incident, another Marco Polo bridge incident, another Gleiwitz incident, these are just the ones I know off the top of my head so to speak.
    To save Google some searches:
    Gulf of Tonkin: "is of historical significance because it gave U.S. President Lyndon B. Johnson authorization, without a formal declaration of war by Congress, for the use of conventional military force in Southeast Asia."
    Marco Polo bridge: "There are some disputes among historians over the incident. Some believe the incident was an unintentional accident. Some believe that the incident may have been fabricated by the Japanese Army to provide a pretext for the invasion of China" which was the start of World War II in 1937
    Gleiwitz incident: "was a false flag operation by Nazi forces posing as Poles on 1 September 1939, against the German radio station Sender Gleiwitz in Gleiwitz, Upper Silesia, Germany (since 1945: Gliwice, Poland). The goal was to use the staged attack as a pretext for invading Poland." starting WWII in the West
    Darius Moon and JudasSheep like this.
  8. Bruno M. Villar

    Bruno M. Villar TS Member Posts: 16

    The attack points toward Lazarus Group. One guy discovered similar traces on Wcrypt code with the one generated by lazarus on the Bangladesh Bank Heist.
  9. MannerMauler

    MannerMauler TS Addict Posts: 183   +44

    I have the same mouse as the supreme leader o.O
  10. JudasSheep

    JudasSheep TS Booster Posts: 96   +74

    Nice to see someone referring to history. Lets not forget the sinking of the Lusitania that helped bring the US into WWI or the explosion of the USS Maine to bring on the Spanish American War. You can search those if you want to know more if you do not know your history.

    Only time will tell if you are correct. It would be the first cyber attack to be the cause of a conflict (or at least the scapegoat reason for one). Interesting to consider when other states have been responsible for breaches. Granted in this case it would be one of many reasons to go "postal" on NK, if it was them.
  11. koblongata

    koblongata TS Enthusiast Posts: 60   +15

    OMG... just look at the picture... did Kim eat all the generals' food? They all look like they are dying!
  12. Darius Moon

    Darius Moon TS Member Posts: 25

    You beat me to saying it. True researchers stay from attribution anyways, due to code reuse, easy to fake patterns, and inability to prove source vectors.

    Who benefits by burning that 0day with ransomware? Who has the experience and reputation for delivering ransomware?

    I'm thinking we will see alot more articles / discussion.
  13. MannerMauler

    MannerMauler TS Addict Posts: 183   +44

    Something I just noticed in the main picture. why does Kim have a pair of binoculars to use the computer, does he not know how to use the zoom function?
  14. VitalyT

    VitalyT Russ-Puss Posts: 3,670   +1,959

    And he drank all their milkshakes.

Similar Topics

Add your comment to this article

You need to be a member to leave a comment. Join thousands of tech enthusiasts and participate.
TechSpot Account You may also...