North Korea may be behind the ransomware attacks that disrupted computer systems across the world over the weekend, cyber security experts said Tuesday, suggesting a link between the latest attack and a hacking group associated with Pyongyang.
Researchers from two cybersecurity providers, US software company Symantec and the Russian-based Kaspersky Lab, said that some of the code found in the latest “WannaCry” ransomware was nearly identical to code used by the Lazarus Group, a North Korean-run hacking operation.
An early version of WannaCry is similar to the code used in a 2015 backdoor created by Lazarus Group, which was implicated in a cyberattack on Sony Pictures in 2014 and an US$81 million (S$90 million) heist on a Bangladeshi bank in 2016. The group has allegedly used Bitcoin in their hacking operation.
“This is the best clue we have seen to date as to the origins of WannaCry,” Kaspersky Lab researcher Kurt Baumgartner told Reuters.
Choi Sang-myung, security researcher at Seoul-based software firm Hauri, echoed the view, saying the ransomware attack is attributable to North Korea because they have used their own cryptic hacking logics that have never been found in other malware.
US-based security researchers, however, stuck a more cautious tone, saying the indication is far from conclusive. The researchers said while they did not rule out North Korea as a suspect, it is too early to confirm the link.
Eric Chien, an investigator at Symantec, told The New York Times, that all the findings are “a temporal link.” FireEye researcher John Miller told Reuters that the similarities are “not enough to be strongly suggestive of a common operator.”
The connection was first hinted by Google security researcher Neal Mehta, who posted a cryptic tweet containing only a set of characters. They referred to two portions of code in a pair of malware samples, suggesting potential evidence linking North Korea to the ransomware attack.
The cyberattack, which has crippled around 300,000 computer systems in more than 150 nations since Friday, came amid international condemnation against North Korea’s test-firing of a new type of ballistic missile on Sunday, which Pyongyang said is capable of carrying a nuclear warhead.
Noting that the attack coincided with North Korea’s missile launch, South Korean security experts suggested that the communist regime might have used the attack as an opportunity to demonstrate their capability to defy international pressure against its nuclear ambitions.
“I think there was political motive for North Korea to demonstrate their willingness in time for the establishment of a new government (in South Korea),” said Im Chong-in, professor at Graduate School of Information Security at Seoul-based Korea University. “North Korea is quite likely to use ransomware to secure foreign currency.”
Security Researcher Choi agreed with the idea, saying that North Korea had manufactured ransomware since last August and the cyberattack served as a “perfect opportunity” for the regime to show off their cyber and military capability.