More Clues Linking WannaCry to North Korea

Cybersecurity researchers at Symantec and FireEye have uncovered more evidence tying this month’s WannaCry global ransomware attacks to North Korea, according to Bloomberg.

The cyberattack that infected hundreds of thousands of computers worldwide was “highly likely” to have originated with Lazarus, a hacking group linked to the reclusive state, Symantec said. The software used was virtually identical to versions employed in attacks earlier this year attributed to the same agency, the company said in a report.

FireEye agreed WannaCry shared unique code with malware previously linked to North Korea. “The shared code likely means that, at a minimum, WannaCry operators share software development resources with North Korean espionage operators,” Ben Read, a FireEye analyst, said in an emailed statement. North Korean diplomats and official media have denied in recent days that the country played any role in the attacks.

Last week, a Google researcher posted on Twitter that an early version of WannaCry shared some of the same programming code as malicious software used by Lazarus, the alleged North Korean government hackers behind an attack on Sony in 2014 and the theft of $81 million from a Bangladeshi central bank account at the New York Fed last year.

Other researchers have speculated that if the perpetrators were indeed North Korean, their intent may have been to cause a widespread internet outage to coincide with a scheduled missile test. “Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign,” Symantec wrote in its report.