THE HACKERS behind the NHS-crippling WannaCry assault may have been Chinese and not North Korean like some of us assumed that they were.
We say some of us, it was mostly Symantec and Kaspersky, although they didn't really commit themselves to the finger pointing.
Security firm Flashpoint carried out a linguistic analysis of the ransom demand and found that it appears to have been written in Chinese before being translated into Korean and changed into English. That is some sneaky work, but these are hackers that we are talking about. Flashpoint has no time for Lazarus Group talk, which is what everyone else is banging on about.
"As of this writing, a number of researchers have linked the activity to the suspected North Korean-affiliated 'Lazarus Group' due to similarities in the code and the infrastructure. Flashpoint analysts conducted similar analyses, but also included a linguistic and cultural review of the 28 ransom notes found within the WannaCry malware to determine the native tongue of the author(s)," it explains.
"Flashpoint analysed each of the notes individually for content, accuracy, and style, and then compared results".
Some of the notes appeared to be written directly by a Chinese speaker though, and Flashpoint found a clue that they might not be the brightest bulb in the box.
"A number of unique characteristics in the note indicate it was written by a fluent Chinese speaker," it added.
"Analysis revealed that nearly all of the ransom notes were translated using Google Translate and that only three, the English version and the Chinese versions (Simplified and Traditional), are likely to have been written by a human instead of machine translated. Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggests the speaker is non-native or perhaps poorly educated".
However, the firm is only quite convinced that it is correct here, much like Kaspersky was only half behind its claims that it was the North Korean Lazarus mob.
"Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language—perhaps comfortable enough to use the language to write the initial note," it added.
"Given these facts, it is possible that Chinese is the author(s)' native tongue, though other languages cannot be ruled out. It is also possible that the malware author(s) intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle.
"It is thus possible, though unlikely, that they were intentionally included to mislead."