In the aftermath of a global ransomware attack, which impacted more than 300,000 computers in over 150 countries, a small, select group of security researchers announced they had found evidence suggesting a group previously linked to the North Korean government was likely behind the international cyber incident. Their theory gained new found credibility Monday when U.S. cybersecurity firm Symantec said it too discovered “strong links” between WannaCry ransomware and the so-called Lazarus Group.
Researchers originally came across WannaCry in February when it was first found on a Symantec client’s network — a full three months prior to the global outbreak. By obtaining an early sample, analysts were able to comprehensively study and identify individual components within the malware, some of which shared similarities to hacking tools used in late 2014 against Sony Pictures. The attacks against Sony Pictures have been widely attributed to hackers linked to North Korea by both private sector cybersecurity firms and the FBI, though no definitive proof has ever publicly surfaced.
Symantec also collected data on a series of other WannaCry infections in late March, which similarly carried backdoor implants built with computer code previously linked to North Korea. For example, researchers believe that at least one remote access trojan used to deploy WannaCry in recent months is an upgraded version of a capability solely controlled and originally designed by the Lazarus Group.
In addition, both the February and March WannaCry campaigns relied on a command and control infrastructure linked to older Lazarus Group operations.
“The discovery of a small number of earlier WannaCry attacks has provided compelling evidence of a link to the Lazarus group,” a blogpost by Symantec Security Response team reads. “These earlier attacks involved significant use of tools, code, and infrastructures previously associated with the Lazarus group, while the means of propagation through backdoors and stolen credentials is consistent with earlier Lazarus attacks.”
Symantec believes that early samples of WannaCry were sent by the same group responsible for the more recent outbreak.
The latest version of WannaCry released incorporated a leaked exploit known as “EternalBlue,” which leverages two known Microsoft vulnerabilities to spread the ransomware to unpatched computers connected to a shared, infected network. The executable computer code for EternalBlue was posted online by a mysterious group known as the Shadow Brokers in mid-April.
The May 12 version of WannaCry is largely the same as older samples obtained by Symantec, including that it uses a comparable password to encrypt files embedded in the dropper. When a machine is infected with WannaCry, a prompt will appear on the locked computer screen asking for a payment to unlock the device.
Between May 12 and May 15, thousands of organizations, including hospitals and commercial businesses, reported their computers were held ransom by WannaCry.
Symantec Technical Director Vikram Thakur told CyberScoop that the hackers behind WannaCry seemed to be unaware of the scale and ultimate impact that the latest version of their ransomware would have.
“They made obvious operational mistakes. We saw this previously deployed with buggy applications and the malware was itself buggy … We saw them trying to fix their errors hours after sending it out,” said Thakur. “It’s difficult for us to say, conclusively … but this leads us to believe they didn’t have any foresight here.”
Although Symantec’s research provides perhaps the most comprehensive evidence to date suggesting a link between WannaCry and North Korea, several major questions remain unanswered, including whether the Lazarus Group acted on behalf of the North Korean government.
There are two prevailing theories in this case, however, concerning the attackers’ motives, according to Thakur — admittedly neither is verifiable. The first is that a rogue, financially motivated member of the Lazarus Group launched the attack on his own with tools, infrastructure and source code typically available only to insiders. The second theory is that whoever launched the attack did so as part of a sanctioned operation to fund future hacking activities.
Attribution in cyberspace is a notoriously difficult thing to nail down. It’s not uncommon for hacking groups to reuse components of tools that other actors are known for.
Symantec’s findings have been shared with government officials, said Bill Wright, Symantec’s government affairs and senior policy counsel.
Updated: U.S. cybersecurity firm FireEye also published a research blog post Tuesday offering what it described as additional evidence connecting WannaCry to the Lazarus Group. In a statement sent to CyberScoop, analyst Ben Read said: “FireEye has found the WannaCry malware shares unique code with WHITEOUT malware that we have previously attributed to suspected North Korean actors. While we have not verified other experts’ observation of known DPRK tools being used to drop early versions of WannaCry, we have not observed other groups use the code present in both WannaCry and WHITEOUT and we do not believe it is available in open source. This indicates a connection between the two.”