THE INSTITUDE FOR CRITICAL INFRASTRUCTURE TECHNOLOGY (ICIT) has blasted Symantec's claims that North Korea was beind the WannaCry ransomware as "premature, inconclusive and distracting".
"The recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing," warned James Scott, a senior fellow at the ICIT.
"Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat; in fact, an abundance of evidence suggests that the Lazarus Group may be a sophisticated, well-resourced, and expansive cyber-criminal and occasional cyber-mercenary collective."
Indeed, the speed with which the ransomware took hold - raising its profile and, therefore, victims' reluctance to pay-up, as well as piquing the interest of law enforcement worldwide - combined with a series of coding shortcomings that made it easy to defeat, indicate that WannaCry wasn't the work of the most technically accomplished of malware writers.
Scott continued: "Circumstantial similarities between malware variants and command-and-control infrastructure led to the recent attribution of WannaCry to Lazarus despite a sharp difference in the level of sophistication of the malware and threat actors, glaring differences in the target demographics, and severe variations in the operational procedures of the actors.
"At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to command and control servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cyber-criminal Lazarus advanced persistent threat," Scott suggests.
Scott also criticised Symantec's methodology, which only monitored a "small number of targeted WannaCry 1.0 attacks in February, March and April 2017" and, on the basis of this, claim that the attacks in May were "nearly identical", except with the addition of an exploit spilled from the US National Security Agency (NSA), called EternalBlue, and the removal of some code from a 2015 Lazarus Group sample.
In addition, Scott claims that while Symantec highlighted some of the tools used in WannaCry associated with Lazarus, it ignored other tools used that weren't. In other words, Scott accused Symantec of being selective in what it chose to highlight in its research.
"It is important to note that while malware used in past Lazarus campaigns was discovered on systems infected with the WannaCry malware, it is uncharacteristic of the Lazarus Group to leave identifying tools on victim systems or more recently, to not deploy a destructive wiper component when finished exfiltrating valuable data," wrote Scott.
Kaspersky, noted Scott, has in the past pointed out that Lazarus tends to be "silent and sophisticated", to deploy persistent backdoors and to learn about their targets before they launch their attacks. They are also known for deploying ‘wipers' into their malware to destroy data and for minimising the re-use of tools - operating a factory-style conveyor belt of different or always-evolving malware.
"Lazarus exhibits strict organization at all stages of operation. On a few rare occasions, Lazarus has re-used tools due to the size and scale of the Group hindering immediate communication and constant awareness of all active initiatives… WannaCry's shoddy configuration and meagre profiteering does not align with the sophistication and targeting profile of the Lazarus Group," concluded Scott.
The WannaCry ransomware was launched on the morning of Friday 12 May. It affected more than 230,000 PCs around the world, including systems running in 20 per cent of NHS trusts in the UK, self-propagating using the EternalBlue SMB networking exploit. µ
Turns out some companies had fixed it before it came to light
There's still a timeline for Timeline but not this time
'Lack of significant enhancements' is causing lacklustre sales
How SD-WAN can fuel your businesses' digital transformation