North Korea-linked hackers 'highly likely' behind WannaCry: Symantec
- Author: Zachary Reyes, May 25, 2017, 5:24
SAN FRANCISCO (Reuters) - Cybersecurity firm Symantec Corp. said on Monday it was "highly likely" a hacking group affiliated with North Korea was behind the WannaCry cyber-attack this month that infected more than 300,000 computers worldwide and disrupted operations at hospitals, banks and schools across the globe.
Lazarus has been linked to the hack on Sony Pictures, for which the US government blamed North Korea, and a wave of attacks on banks around the world, including a major theft from Bangladesh's central bank.
While this isn't a smoking gun, as cybercriminals and state-sponsored groups steal and rework each other's code, it's strong evidence North Korea is involved somehow.
Symantec said before the widespread global ransomware attacks on 12 May an earlier version was spotted between February and April 2017. And the Google researcher Neel Mehta also found similarities between WannaCry and Lazarus code.
Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.
Symantec's researchers have uncovered a potential link between the WannaCry ransomware worm, which hit systems just over a week ago, and code used by the Lazarus Group, the hackers behind the attack on Sony in 2015 and the $81M theft from the Bangladesh Central Bank, who are believed to be based in North Korea.
Updated: U.S. cybersecurity firm FireEye also published a research blog post Tuesday offering what it described as additional evidence connecting WannaCry to the Lazarus Group.
Cyber security vendors including Symantec have linked WannaCry to the Lazarus Group, allegedly a group of North Korean hackers, but a think tank has called for caution amid the finger-pointing. Additional fingerprints linked the Lazarus Group to hacks that wiped nearly a terabyte's worth of data from Sony Pictures and siphoned a reported $81 million from the Bangladesh Central Bank the previous year.
"It is ridiculous", Kim In-Ryong, North Korea's deputy ambassador to the United Nations, told reporters on Friday, suggesting the US and South Korea were behind the allegation.
In those attacks, the group is believed to have worked on behalf of North Korea's government.
Duuzer, which has previously been linked to Lazarus as well.
Two different backdoors were used to deploy WannaCry in these attacks: Trojan.Alphanc and Trojan.Bravonc. The attacks, collectively, are "more typical of a cyber crime campaign".
An email from the chair of the panel of experts said the attack is not the first attempt to compromise a device belonging to the group in charge of monitoring sanctions on North Korea. If a successful connection is made to a remote computer, and there is no file with a .res extension in either the Admin$ or C$\Windows folder, then hptasks.exe will copy the files listed in Table 2 onto the remote computer.
In addition, Scott claims that while Symantec highlighted some of the tools used in WannaCry associated with Lazarus, it ignored other tools used that weren't.