WannaCrypt 'may be the work of North Korea' theory floated

Lazarus rising again... or not

By John Leyden

Posted in Security, 16th May 2017 14:39 GMT

Security researchers are exploring the theory that the WannaCrypt ransomware might be the work of an infamous North Korean government-backed hacking crew.

The crumb-trail-sniffing began on Monday after Neel Mehta, a security researcher from Google, posted an artefact on Twitter potentially pointing at a connection between the WannaCrypt ransomware attacks and malware previously attributed to the infamous Lazarus hacking group. Lazarus is the prime suspect behind the attacks against Sony Pictures in 2014 and the Central Bank of Bangladesh cyber heist in 2016, among others.

The Google researcher noted that the WannaCrypt malware sample surfaced in February 2017, two months before last week's devastating attacks affected organisations worldwide. Kaspersky Lab researchers subsequently confirmed clear code similarities between the malware sample highlighted by the Google researcher and the malware samples used by the Lazarus group in 2015 attacks.

More specifically, the finding points to shared code between the crypto sub-component of an early version of WannaCrypt and a Lazarus group backdoor from 2015, as noted by Kaspersky Lab's Costin Raiu.

These similarities might be a deliberate attempt at deception aimed at throwing suspicion onto innocent patsies and away from the real perps (i.e. a false flag operation). However, an analysis of the February sample and a comparison with the WannaCrypt samples used in recent attacks shows that the code linking it to the Lazarus group was removed from the WannaCrypt malware used in the attacks that started last Friday.

It's all rather suspect – even though what's been uncovered so far falls well short of proof of a connection between the WannaCrypt ransomware and the Lazarus Group. Kaspersky Lab is careful to add this caveat in a blog post about its investigation thus far into the curious case of the hospital-hobbling computer malware.

Other security researchers at Symantec and South Korea's Hauri Labs have likewise tentatively concluded that North Korea might be involved in creating the WannaCrypt ransomware. "It is similar to North Korea's backdoor malicious codes," Simon Choi, a senior researcher with Hauri, told Reuters.

Symantec told Motherboard: "We discovered that earlier versions of WannaCry[pt] in April and early May that weren't widely distributed, unlike the recent outbreak, were found on systems shortly after being compromised with known Lazarus tools. However, we have not yet been able to confirm the Lazarus tools deployed WannaCry[pt] on these systems. In addition, we found code in WannaCry[pt] used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections."

The exploits harnessed to deliver WannaCrypt, quite possibly by third parties, were leaked by the Shadow Brokers hacking group. Shadow Brokers are likely Russian, those in the know (including former NSA contractor Edward Snowden) suggest.

WannaCrypt spread like wildfire last week to infect systems and disrupt operations at 47 NHS Trusts, Russia's interior ministry and thousands of Chinese institutions, among others. Russia was one of the most heavily infected countries, possibly because of a reliance by businesses on obsolete or unpatched versions of Windows.

Moscow-based computer forensics and incident response firm Group-IB offers a number of reasons why it's unlikely that Russian hackers were behind the WannaCrypt attack.

Firstly, the list of targeted file types doesn't include the .1cd format of "1C:Enterprise", the most popular accounting / inventory management software in Russia, which is typically targeted by ransomware developed by Russian hackers. Secondly, Russian hackers would almost certainly be staring down the barrel at the prospect of a long spell in prison for pulling off a cybercrime scheme that hit Russian government systems especially hard.

"The consequences of the attack in Russia are too damaging, and the risk that sooner or later they will be tracked, found, and prosecuted is too high," Group-IB argues. "Especially taking into consideration the fact that cyberattacks on critical infrastructure are under special attention of the Russian authorities." ®
