UPDATE May 19, 2017: This story has been updated to include some new perspectives that cast doubt on the North Korea-WannaCry connection.
UPDATE May 22, 2017: This story has been updated to include a comment from a North Korean official.
Analysis of the WanaCrypt0r 2.0 ransomware that bedeviled enterprises across the globe earlier this month has turned up apparent links to the alleged North Korean hacking institution known as the Lazarus Group. But some researchers have cautioned that it is premature to link North Korea to the attacks.
In a May 15 blog update, Symantec Corporation reported that its researchers found hacking tools that are “exclusively used by Lazarus” on machines infected with early versions of WanaCrypt0r, aka WannaCry. Symantec theorizes, but has not confirmed, that the WannaCry perpetrators may have initially spread the ransomware by leveraging these Lazarus tools, rather than via EternalBlue, the exploit for Microsoft Windows that was not yet publicly known at the time.
Additionally, Google security researcher Neel Mehta on Monday tweeted two excerpts of WannaCry code, along with the hashtag “#WannaCryptAttribution”. According to Symantec, these pieces of code are also found in known Lazarus tools, including the backdoor trojan Contopee and the Brambul worm, which tries to get remote network access using hard-coded usernames and passwords.
Symantec identified the shared code as an implementation of the Secure Sockets Layer (SSL) protocol that “uses a specific sequence of 75 ciphers, which to date have only been seen across Lazarus tools and WannaCry variants.”
In a Securelist blog post, Kaspersky Lab specifically links the shared code to both a very early WannaCry cryptor sample from February 2017 and a Lazarus APT group sample from February 2015. “Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry,” the blog post reads.
Whether this clue turns out to be a red herring remains to be seen. Attribution is a very difficult task, and skeptics have pointed out that it is common for malware developers to borrow code from external sources, even APTs. They also noted that the attack seemed out of character and amateurish by North Korean standards, and that two of the hardest hit countries were Russia and China, North Korea’s strongest allies.
In a blog post on Thursday, the intelligence team at Cybereason outlined why it believes North Korea is unlikely behind the attack: “If this was a currency generation ploy, they wouldn’t have removed their own code from a working variant. North Korean actors generally do not worry about code artifacts,” the blog post states. Moreover, “If the goal was currency generation, the financial support infrastructure would have been more robust and they would have worked harder to make the payment mechanism more user-friendly. They certainly wouldn’t have let the rumor spread that paying had no effect on the files.”
Finally, Cybereason theorized that in order to control the spread of the worm, North Korea likely would have employed the “kill switch” domain that ultimately stopped the ransomware’s propagation after a young UK-based researcher registered it.
North Korea’s deputy ambassador to the U.N. Kim In Ryong denied his country’s involvement in the cyberattack. “Whenever something strange happens, it is the stereotypical way of the United States and hostile forces to kick off a noisy anti-[Democratic People’s Republic of Korea] campaign,” he said at a May 19 press conference, according to various reports, including one from The Hill.
Still, the discovered Lazarus code was enough to pique the interest of many in the infosec community. Matthieu Suiche, founder of Comae Technologies, claimed in his own blog post to be the first researcher, or among the very first, to accurately interpret Mehta’s tweet and make the North Korean connection.
“The attribution to Lazarus Group would make sense regarding their narrative, which in the past was dominated by infiltrating financial institutions in the goal of stealing money,” Suiche states in his blog. “If validated, this means the latest iteration of WannaCry would in fact be the first [known] nation-state powered ransomware.” As a secondary motive, the culprits may also be looking to “create political mayhem,” Suiche continues.
If attribution is confirmed, it would likely cause embarrassment to the U.S. because the tools used to spread WannaCry in the attack that began last Friday allegedly were developed by the National Security Agency (NSA) before they were stolen and leaked online.
Lazarus Group has been named the culprit in several other high-profile cyberattacks in recent years, including the abuse of the SWIFT financial messaging system to steal $81 million from the Bangladesh central bank, the breach of Sony Pictures, and the DarkSeoul cyber campaign that attacked South Korean TV stations and a banking institution.
“We believe Lazarus is not just ‘yet another APT actor,’” Kaspersky warns in its blog. “The scale of the Lazarus operations is shocking… Lazarus is operating a malware factory that produces new samples via multiple independent conveyors.”