North Korea is the likely culprit behind the WannaCry cyber attack that managed to infect 300,000 computers worldwide. That comes courtesy of cybersecurity firm Symantec, which confirms its researchers found multiple links between early versions of WannaCry and code used in previous operations by a North Korea-backed hacking group.
Symantec’s investigation also found that the same Internet connection that was used to install an early version of WannaCry on two computers was used in the North Korea-backed hack of Sony.
North Korea denies involvement in both the Sony hack and the WannaCry outbreak, calling the rumors of its involvement “a dirty and despicable smear campaign.”
The Lazarus hacking group is currently thought to be behind both WannaCry and the Sony attack. Symantec, as a matter of policy, does not directly name governments as behind hacks, but has confirmed that North Korea is an official sponsor of Lazarus.
That said, Symantec also notes that the spread, coding flaws and demands for bitcoin ransoms may be indications that this hack was not carried out at the behest of North Korean government officials and was more of an independent fundraising operation.
“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access. We don’t think that this is an operation run by a nation-state,” said Vikram Thakur, Symantec’s security response technical director.
Lazarus Group members may have left government service, or they might just be free-agent cybercrime contractors without direct obligations to serve only the government, Thakur noted.
Cybersecurity company Kaspersky seems to agree with Symantec that there are several similarities between WannaCry and malware from earlier attacks perpetrated by Lazarus.
But in an interview last week, Kaspersky's Asia research director, Vitaly Kamluk, said the similarities were not conclusive evidence.
“It’s unusual,” he said.
Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, on the other hand, thinks a Lazarus connection is unlikely, since the Korean used in some versions of the WannaCry ransom note seemed to be non-native.
“The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help,” Thakur said.
Lazarus has also been linked to attacks on banks carried out through the SWIFT messaging network.