It’s difficult to pin down who, exactly, is behind the WannaCry ransomware attack which kicked off last week.
But multiple security researchers think a suspected North Korean state-sponsored hacking group might be to blame.
They found code similarities between an early version of WannaCry from February, and malicious tools used by a hacking group known as Lazarus.
Lazarus’ link to North Korea isn’t definite, but security researchers have linked the two in previous attacks. The group is also thought to have been responsible for the Sony hack in 2014. It was also implicated in the theft of $81 million (£62 million) from a Bangladeshi bank in 2016.
The trail starts with a cryptic tweet from Neel Mehta, a security researcher at Google:
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
Neel is referring to the two code samples here, but doesn’t go any further. One code sample is from the early version of WannaCry, and the other from the malicious software used by Lazarus, called Contopee.
Security firms Kaspersky and Symantec then analysed the two samples, and found that part of the WannaCry code had actually been copied from Contopee. Another researcher, Comae Technologies’ Matthieu Suiche, corroborated the findings. That suggests Lazarus borrowed code for WannaCry from its own, existing tools.
The link isn’t definite. As Symantec’s researchers wrote: “While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation.”
Kaspersky’s researchers said this was the most “significant” clue to date about WannaCry’s origins.
Both firms said researchers would need to look at other early versions of WannaCry. And both said this could all be a “false flag” designed to mislead law enforcement trying to track down the culprits. It’s entirely possible some other hacking group found and copied code from Lazarus’ tools.
Symantec said in a statement to Motherboard: “We discovered that earlier versions of WannaCry in April and early May that weren’t widely distributed, unlike the recent outbreak, were found on systems shortly after being compromised with known Lazarus tools.
“However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems. In addition, we found code in WannaCry used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections.”
So far, the attacker behind WannaCry has made more than $49,000 (£37,900). The ransomware — malicious software which encrypts data on a PC, then demands payment for decryption — has infected hundreds of thousands of PCs across at least 150 countries globally.