Symantec pins WannaCry on North Korean Lazarus group
There have already been suggestions that the now infamous WannaCry ransomware was the work of the North Korean hacking group Lazarus. Security firm Symantec now says it is "highly likely" that Lazarus is to blame, having unearthed further evidence of the re-use of code from other attacks by the group.
But while the links to Lazarus are strong, North Korea denies that it was involved in any sort of state-sponsored attack, dismissing such claims as "a dirty and despicable smear campaign." It is thought that the group -- also responsible for attacking Sony Pictures and stealing $81 million from the Bangladesh Central Bank -- operated independently for personal gain.
Researchers at Symantec found multiple instances of code reuse from earlier versions of WannaCry and Lazarus' previous attacks. The team points to smaller-scale attacks earlier in the year which show clear links to Lazarus, as well as the reuse of code in the May attack which took the world by surprise.
Summarizing its findings, Symantec says:
Prior to the global outbreak on May 12, an earlier version of WannaCry (Ransom.Wannacry) was used in a small number of targeted attacks in February, March, and April. This earlier version was almost identical to the version used in May 2017, with the only difference the method of propagation. Analysis of these early WannaCry attacks by Symantec’s Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry. Despite the links to Lazarus, the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign. These earlier versions of WannaCry used stolen credentials to spread across infected networks, rather than leveraging the leaked EternalBlue exploit that caused WannaCry to spread quickly across the globe starting on May 12.
You can find out more about the similarities that have been discovered over on the Symantec website.