North Korea APT and WannaCry linked by multiple independent researchers

News by Bradley Barth

If North Korea is behind the 11 May WannaCry attack, it would be the first known time a nation-state sponsored and perpetrated a ransomware attack.

Analysis of the WanaCrypt0r 2.0 ransomware that bedeviled enterprises across the globe this past weekend has turned up apparent links to the alleged North Korean hacking institution known as the Lazarus Group.

In a blog update on Monday, Symantec Corporation reported that its researchers found hacking tools that are "exclusively used by Lazarus" on machines infected with early versions of WanaCrypt0r, aka WannaCry.

Symantec theorises, but has not confirmed, that the WannaCry perpetrators may initially have spread the ransomware using these Lazarus tools rather than via EternalBlue, the exploit against Microsoft's SMB implementation that was not yet publicly known at the time.

Additionally, Google security researcher Neel Mehta on Monday tweeted two excerpts of WannaCry code, along with the hashtag "#WannaCryptAttribution". According to Symantec, these pieces of code are also found in known Lazarus tools, including the backdoor trojan Contopee and the Brambul worm, which tries to get remote network access using hard-coded usernames and passwords.

Symantec identified the code as a form of Secure Sockets Layer (SSL) security protocol that "uses a specific sequence of 75 ciphers, which to date have only been seen across Lazarus tools and WannaCry variants."

In a Securelist blog post, Kaspersky Lab specifically links the shared code to both a very early WannaCry cryptor sample from February 2017 and a Lazarus APT group sample from February 2015. "Neel Mehta's discovery is the most significant clue to date regarding the origins of Wannacry," the blog post reads.
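The clue that Symantec and Kaspersky describe above is a code-similarity fingerprint: an ordered list of SSL/TLS cipher suite identifiers hard-coded into both an early WannaCry sample and an older Lazarus tool. The Python below is an added example, not code from the article or from Symantec, Kaspersky or Google, of how an analyst can extract such lists from binaries and compare them across samples. Everything in it is constructed for illustration: the "known suite" set is a small subset of real IANA identifiers, the sample byte blobs are synthetic, the ordering is not the 75-entry Lazarus sequence, and the assumption that the list is stored as packed big-endian 16-bit values (the ClientHello wire format) is just one plausible storage form.

```python
import hashlib
import struct
from typing import Dict, List, Tuple

# Subset of real IANA TLS cipher suite identifiers used to recognise candidate
# lists inside a binary. Deliberately small; a real scanner would load the
# full registry.
KNOWN_SUITES = {
    0x0004, 0x0005, 0x000A, 0x002F, 0x0033, 0x0035, 0x0039, 0x003C, 0x003D,
    0x009C, 0x009D, 0xC011, 0xC012, 0xC013, 0xC014, 0xC027, 0xC02F, 0xC030,
}


def encode_suites(suites) -> bytes:
    """Pack cipher suite IDs as big-endian 16-bit values (assumed storage form)."""
    return b"".join(struct.pack(">H", s) for s in suites)


def extract_cipher_runs(blob: bytes, min_len: int = 4) -> List[Tuple[int, Tuple[int, ...]]]:
    """Find maximal runs of consecutive known cipher suite IDs at any byte offset.

    Returns (offset, ordered tuple of suite IDs) for each run of at least
    min_len entries. Scanning every byte offset catches tables that are not
    2-byte aligned.
    """
    runs = []
    i = 0
    while i + 2 <= len(blob):
        j = i
        run = []
        while j + 2 <= len(blob):
            (val,) = struct.unpack_from(">H", blob, j)
            if val not in KNOWN_SUITES:
                break
            run.append(val)
            j += 2
        if len(run) >= min_len:
            runs.append((i, tuple(run)))
            i = j  # skip past the recorded run
        else:
            i += 1  # no run here; try the next byte offset
    return runs


def fingerprint(suites) -> str:
    """Short hash of the ordered list; order changes give a different value."""
    return hashlib.sha256(encode_suites(suites)).hexdigest()[:16]


def shared_fingerprints(blob_a: bytes, blob_b: bytes) -> Dict[str, Tuple[int, ...]]:
    """Cipher-list fingerprints present in both samples (exact order match)."""
    fa = {fingerprint(r): r for _, r in extract_cipher_runs(blob_a)}
    fb = {fingerprint(r): r for _, r in extract_cipher_runs(blob_b)}
    return {fp: fa[fp] for fp in fa.keys() & fb.keys()}


# Constructed samples (not real malware bytes). ORDER_A plays the role of the
# distinctive hard-coded ordering; ORDER_B has the same suites in a different
# order, standing in for unrelated tooling that merely uses the same ciphers.
ORDER_A = [0x0004, 0x0005, 0x002F, 0x0035, 0x000A, 0xC011, 0xC012, 0xC013, 0xC014]
ORDER_B = sorted(ORDER_A)
PAD = b"\xaa\xbb" * 8                               # filler that contains no known ID
SAMPLE_OLD = PAD + encode_suites(ORDER_A) + PAD     # "2015-style" sample
SAMPLE_NEW = b"\xcc\xdd" * 5 + encode_suites(ORDER_A) + PAD  # different surrounding code, same list
SAMPLE_OTHER = PAD + encode_suites(ORDER_B) + PAD   # same suites, different order


if __name__ == "__main__":
    for name, blob in (("old", SAMPLE_OLD), ("new", SAMPLE_NEW), ("other", SAMPLE_OTHER)):
        for off, run in extract_cipher_runs(blob):
            print(f"{name}: {len(run)} suites at offset {off}, fingerprint {fingerprint(run)}")
    print("old vs new shared:", list(shared_fingerprints(SAMPLE_OLD, SAMPLE_NEW)))
    print("old vs other shared:", list(shared_fingerprints(SAMPLE_OLD, SAMPLE_OTHER)))
```

The point the comparison makes is the one Symantec made: a shared set of ciphers is weak evidence, since many programs support the same suites, but an identical unusual ordering of a long list is much harder to explain by coincidence, which is why the two samples that embed the same sequence match while the reordered one does not. Against real binaries the analyst would use the actual 75-entry list and check how the compiler laid the table out (for example as little-endian 32-bit constants rather than packed 16-bit values), and would treat the fingerprint as one clue to be corroborated, not as attribution on its own.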

Matthieu Suiche, founder of Comae Technologies, claimed in his own blog post to be the first researcher, or among the very first, to accurately interpret Mehta's tweet and make the North Korean connection.

"The attribution to Lazarus Group would make sense regarding their narrative, which in the past was dominated by infiltrating financial institutions in the goal of stealing money," Suiche stated in his blog. "If validated, this means the latest iteration of WannaCry would in fact be the first [known] nation-state powered ransomware." As a secondary motive, the culprits may also be looking to "create political mayhem."

If attribution is confirmed, it would likely cause embarrassment to the US because the tools used to spread WannaCry in the attack that began last Friday were developed by the National Security Agency (NSA), before they were stolen and leaked online.

Lazarus Group has been named the culprit in several other high-profile cyber-attacks in recent years, including the abuse of the SWIFT financial messaging system to steal $US81 million (£63m) from the Bangladesh central bank, the breach of Sony Pictures, and the DarkSeoul cyber campaign that attacked South Korean TV stations and a banking institution.

"We believe Lazarus is not just 'yet another APT actor'," Kaspersky warned in its blog. "The scale of the Lazarus operations is shocking... Lazarus is operating a malware factory that produces new samples via multiple independent conveyors."
