WannaCrypt 'may be the work of North Korea' theory floated

Lazarus rising again... or not

By John Leyden


Security researchers are exploring the theory that the WannaCrypt ransomware might be the work of an infamous North Korean government-backed hacking crew.

The crumb-trail-sniffing began on Monday after Neel Mehta, a security researcher from Google, posted an artefact on Twitter potentially pointing at a connection between the WannaCrypt ransomware attacks and malware previously attributed to the infamous Lazarus hacking group. Lazarus is the prime suspect behind attacks against Sony Pictures in 2014 and the Central Bank of Bangladesh cyber heist in 2016, among others.

The Google researcher noted that the WannaCrypt malware sample surfaced in February 2017, two months before last week's devastating attacks affected organisations worldwide. Kaspersky Lab researchers subsequently confirmed clear code similarities between the malware sample highlighted by the Google researcher and the malware samples used by the Lazarus group in 2015 attacks.

More specifically, the finding points to shared code between the crypto sub-component of an early version of WannaCrypt and a Lazarus group backdoor from 2015, as noted by Kaspersky Lab's Costin Raiu.

These similarities might be a deliberate attempt at deception aimed at throwing suspicion onto innocent patsies and away from the real perps (i.e. a false flag operation). However, an analysis of the February sample and comparison to WannaCrypt samples used in recent attacks shows that the code linked to the Lazarus group was removed from the WannaCrypt malware used in the attacks that started last Friday.

It's all rather suspect – even though what's been uncovered so far falls well short of proof of a connection between the WannaCrypt ransomware and the Lazarus Group. Kaspersky Lab is careful to add this caveat in a blog post about its investigation thus far into the curious case of the hospital-hobbling computer malware.

Other security researchers at Symantec and South Korea's Hauri Labs have likewise tentatively concluded that North Korea might be involved in creating the WannaCrypt ransomware. "It is similar to North Korea's backdoor malicious codes," Simon Choi, a senior researcher with Hauri, told Reuters.

Symantec told Motherboard: "We discovered that earlier versions of WannaCry[pt] in April and early May that weren't widely distributed, unlike the recent outbreak, were found on systems shortly after being compromised with known Lazarus tools. However, we have not yet been able to confirm the Lazarus tools deployed WannaCry[pt] on these systems. In addition, we found code in WannaCry[pt] used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections."

The Shadow Brokers hacking group leaked the exploits harnessed, quite possibly by third parties, as a means to deliver WannaCrypt. Shadow Brokers are likely Russian, those in the know (including former NSA contractor Edward Snowden) suggest.

WannaCrypt spread like wildfire last week to infect systems and disrupt operations at 47 NHS Trusts, Russia's interior ministry and thousands of Chinese institutions, among others. Russia was one of the most heavily infected countries, possibly because of a reliance by business on obsolete or unpatched versions of Windows.

Moscow-based computer forensics and incident response firm Group-IB offers a number of reasons why it's unlikely that Russian hackers were behind the WannaCrypt attack.

Firstly, the list of sensitive data doesn't include the .1cd format of "1C:Enterprise", the most popular accounting / inventory management software in Russia, which is typically targeted by ransomware developed by Russian hackers. Secondly, Russian hackers would almost certainly be staring down the barrel at the prospect of a long spell in prison for pulling off a cybercrime scheme that hit Russian government systems especially hard.

"The consequences of the attack in Russia are too damaging, and the risk that sooner or later they will be tracked, found, and prosecuted is too high," Group-IB argues. "Especially taking into consideration the fact that cyberattacks on critical infrastructure are under special attention of the Russian authorities." ®
