Symantec bolstered the amount of evidence it has gathered that ties the code and tools used by the cyber-gang known as Lazarus to the WannaCry/WanaCrypt0r ransomware attacks, but it is distancing itself from the idea the attack was backed by any one nation.
Symantec's conclusion is that, despite the Lazarus group's reported connection to North Korea, the gang was not working at the behest of a nation state in the case of WannaCry, and that the attack is most likely being conducted by someone who has, or has had, access to the group's code. The company stated this even though it was able to pull together several new technical clues linking Lazarus to WannaCry; the fact that WannaCry is pushing ransomware is a strong indicator that it is criminal, rather than state-sponsored, in nature.
“It is highly unusual to find code associated to nation-state actors within attacks believed to be conducted by cyber-criminals. For this reason, we assess WannaCry to not be the work performed at the behest of a nation state,” Vikram Thakur, technical director at Symantec, told SC Media.
Thakur added that Symantec's leading plausible theory is that someone currently or formerly associated with the Lazarus group reused existing code of their own accord for monetary gain.
“We have no evidence someone swiped the code. In addition, we have links the WannaCry attacks also used the same command and control infrastructure. We only can confirm the WannaCry attacks were done by the Lazarus group, but that does not mean it was done at the behest of a nation state (or not done so). We cannot determine that from the technical evidence,” Thakur said.
This statement agrees with SC Media's Dr Peter Stephenson, who concluded that early reports tying WannaCry to North Korea on the basis of the Lazarus code were premature at best, and most likely inaccurate.
“I counter the prevailing hype that the campaign easily is attributable to North Korea with reliable intelligence that I have that points to Russian involvement. No, not a state-sponsored attack. This intel points to individual actors with limited skills stitching together a Frankenstein's Monster of weaponised ransomware from body parts stolen from NSA and some underground resources,” Stephenson wrote in a 22 May blog.
Symantec's Security Response Team made public on 22 May some of the new technical details that have the company now strongly linking WannaCry to the Lazarus group's code and tools. This is an upgrade from an earlier report in which the cyber-security firm claimed only a possible link between the ransomware attack and Lazarus.
Symantec found that the first instance of WannaCry being used in the wild was on 10 February, when a single initial compromise spread to more than 100 computers within two minutes. The only good news is that the attacker left behind several clues that build upon earlier evidence linking WannaCry to the North Korean-connected Lazarus group.
“The attackers left behind several tools on the victim's network that provided substantial evidence into how WannaCry spread. Two files, mks.exe and hptasks.exe (see Appendix C: Indicators of Compromise), were found on one affected computer. The file mks.exe is a variant of Mimikatz (Hacktool.Mimikatz), a password-dumping tool that is widely used in targeted attacks. The latter file, hptasks.exe, was used to then copy and execute WannaCry on other network computers using the passwords stolen by mks.exe,” Symantec reported.
Further strengthening the case, in addition to hptasks.exe and mks.exe, five other pieces of malware were found on the victim's network, three of which are connected to the Sony Pictures hack and the cyber-attacks on South Korea. Lazarus is considered to have been behind both attacks.
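The spread pattern Symantec describes (a credential-dumping tool runs on one host, then that host pushes the payload to many others using the stolen passwords) is something a defender can look for in endpoint telemetry. The following is an added example, not code from the article or from Symantec's report: it correlates a credential-dump tool launch with subsequent writes to other hosts' admin shares from the same machine. The log format, the host names, the payload file name and the ten-minute window are all assumptions made for the example; only the file name mks.exe comes from the report, and a real rule should match on the hashes in the report's Appendix C rather than on a file name.

```python
"""Correlate a credential-dump tool launch with follow-on lateral movement.

Constructed example for the WannaCry spread pattern described above.
Event format (assumed): ISO-timestamp|host|event_type|detail
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the article or Symantec's report).
# WS-01 mimics the reported pattern; WS-10 is a benign software deploy with no
# credential dump; WS-20 runs the dump tool but never touches another host.
SAMPLE_LOG = r"""
2017-02-10T09:00:01|WS-01|process_create|C:\Users\Public\mks.exe
2017-02-10T09:00:05|WS-01|process_create|C:\Users\Public\hptasks.exe
2017-02-10T09:00:09|WS-01|remote_file_write|\\WS-02\ADMIN$\payload.exe
2017-02-10T09:00:12|WS-01|remote_file_write|\\WS-03\ADMIN$\payload.exe
2017-02-10T09:00:40|WS-01|remote_file_write|\\WS-04\ADMIN$\payload.exe
2017-02-10T09:30:00|WS-10|remote_file_write|\\WS-11\ADMIN$\agent.msi
2017-02-10T09:30:02|WS-10|remote_file_write|\\WS-12\ADMIN$\agent.msi
2017-02-10T10:15:00|WS-20|process_create|C:\Temp\mks.exe
"""

# File name taken from the report; name-only matching is illustrative and
# would be replaced by the Appendix C hashes in a production rule.
CRED_DUMP_NAMES = {"mks.exe"}
WINDOW = timedelta(minutes=10)   # assumed correlation window
MIN_TARGETS = 2                  # assumed threshold: writes to >= 2 distinct hosts


def parse_events(text):
    """Turn the pipe-delimited sample into (time, host, type, detail) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, host, etype, detail = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, etype, detail))
    return events


def correlate(events, window=WINDOW, min_targets=MIN_TARGETS):
    """Return one alert per host that ran a dump tool and then wrote to
    at least `min_targets` other hosts' admin shares within `window`."""
    dump_seen = {}               # host -> time the dump tool was first launched
    targets = defaultdict(set)   # host -> remote hosts written to after that
    for ts, host, etype, detail in sorted(events):
        if etype == "process_create":
            name = detail.rsplit("\\", 1)[-1].lower()
            if name in CRED_DUMP_NAMES and host not in dump_seen:
                dump_seen[host] = ts
        elif etype == "remote_file_write" and host in dump_seen:
            if ts - dump_seen[host] <= window:
                # \\HOST\share\file -> HOST
                remote = detail.lstrip("\\").split("\\", 1)[0]
                targets[host].add(remote)
    alerts = []
    for host, first_seen in dump_seen.items():
        hit = targets.get(host, set())
        if len(hit) >= min_targets:
            alerts.append({"host": host,
                           "dump_at": first_seen.isoformat(),
                           "targets": sorted(hit)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(f"{alert['host']}: dump tool at {alert['dump_at']}, "
              f"then pushed files to {', '.join(alert['targets'])}")
```

The benign deploy host (WS-10) never trips the rule because it has no preceding credential-dump event, and the host that only ran the tool (WS-20) is kept as context rather than raised as a spread alert; the sequencing is what distinguishes the reported pattern from ordinary administration.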
Additional preliminary attacks that took place in March and April also led back to the Lazarus code. Two backdoors used during this period, Trojan.Alphanc and Trojan.Bravonc, share a connection with the Destover wiping tool used in the Sony attack.
There are additional links, beyond the tools used to spread the ransomware, that Symantec believes help make the case for the connection.
“The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry,” the report stated, adding that WannaCry also uses code obfuscation similar to that of Infostealer.Fakepude, malware that has previously been linked to Lazarus.