SECURITY OUTFIT Symantec has claimed that it's "highly likely" that North Korea was behind the WannaCry ransomware attack that infected more than 300,000 computers worldwide, and affected as many as one-fifth of NHS hospital trusts in the UK.
In a blog post analysing the code behind the attack, Symantec said that there are strong links between the code used in the WannaCry attacks and malware tools used in attacks against Sony Pictures in 2014 and the $81m cyber-heist perpetrated against Bangladesh Bank last year.
The WannaCry 2.0 ransomware attacks earlier this month used almost exactly the same code as the WannaCry 1.0 attacks between February and April this year, which gained barely any traction, with the only difference the method of propagation.
WannaCry 2.0 made use of a Microsoft SMB networking protocol exploit that, for years, had been used by the US National Security Agency, until it was leaked by the Shadow Brokers hacking group earlier this year.
Symantec linked the WannaCry outbreak to what it calls 'Lazarus'.
"Analysis of these early WannaCry attacks by Symantec's Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry.
"Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked EternalBlue exploit that caused WannaCry to spread quickly across the globe," claimed Symantec.
The company linked a number of types of malware to Lazarus/North Korea:
- Trojan.Volgmer, and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks;
- Trojan.Alphanc, a modified version of Backdoor.Duuzer, which was used to spread WannaCry 1.0;
- Trojan.Bravonc, which uses similar code obfuscation to WannaCry and Infostealer.Fakepude; and
- The shared code between WannaCry and Backdoor.Contopee.
However, analysis of the code left behind from WannaCry 1.0 has helped to link WannaCry 2.0 with the North Korean Lazarus group, according to Symantec.
"These earlier attacks involved significant use of tools, code, and infrastructures previously associated with the Lazarus group, while the means of propagation through backdoors and stolen credentials is consistent with earlier Lazarus attacks.
"The leak of the EternalBlue exploit was what allowed the attackers to turn WannaCry into a far more potent threat than it would have been had they still been relying on their own tools, since it bypassed many of the steps the attackers previously had to take, removing both the need to steal credentials and copy it from computer to computer."
Links between WannaCry and North Korea were first made last week by Google security researcher Neel Mehta. µ