North Korea-linked hackers 'highly likely' behind WannaCry, says Symantec

Posted May 24, 2017

While security researchers at Symantec have followed the digital crumbs to conclude that Lazarus and North Korea are likely responsible for the WannaCry ransomware attack, security analysts at ICIT are of a different opinion.

Cybersecurity researchers at Symantec Corp. and FireEye Inc. have uncovered more evidence tying this month's WannaCry global ransomware attacks to North Korea.

Due to the similarities in the tools, code and infrastructure used by the hackers, the cybersecurity company believes it could be the doing of Lazarus, a North Korean hacking group that was also behind cyber attacks on Sony Pictures and Bangladesh Central Bank, stealing more than $81 million. "We don't think that this is an operation run by a nation-state".

All these associations have rendered Symantec confident enough to declare that Lazarus might indeed be responsible for the widespread WannaCry attacks.

"Had North Korea launched the WannaCry attack, it likely would have either attacked more strategic targets, or it would have attempted to capture more significant profits", Scott adds.

Two of these are known to have been used in the Sony attack.

The earlier versions and WannaCry are largely the same, with some minor changes, chiefly the incorporation of the EternalBlue exploit.

The hackers appear to be from the group known as Lazarus, which is known to have direct ties to the North Korean government.

In November 2014, for just one example, Sony Pictures Entertainment became the target of the biggest cyberattack in United States corporate history just before its release of the critically panned racial-caricature comedy "The Interview", which takes North Korea as its setting. While this isn't a smoking gun, as cybercriminals and state-sponsored groups steal and rework each other's code, it's strong evidence North Korea is involved somehow.

WannaCry used a flaw in Microsoft's Windows operating system and a program the U.S. National Security Agency developed to take advantage of it.

After Kaspersky, Symantec also says there is evidence that supports the idea that North Korea may be behind the WannaCry hit.

But Thakur said that some hackers deliberately obfuscate their language to make tracing them harder.

Finally, researchers discovered that Backdoor.Contopee (more malware linked to Lazarus) contains code that has been found in WannaCry.

Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, said that the Korean used in some versions of the WannaCry ransom note was not that of a native speaker, making a Lazarus connection unlikely. The Lazarus Group is believed to be behind the infamous 2014 Sony Pictures data breach and the theft of $81 million from the Bangladesh central bank a year ago.

Lazarus has also been linked to attacks on banks using their SWIFT messaging network.