AS THE WANNACRY ransomware epidemic wreaked havoc across the globe over the past three days, cybersecurity researchers and victims alike have asked themselves what cybercriminal group would paralyze so many critical systems for such relatively small profit? Some researchers are now starting to point to the first, still-tenuous hint of a familiar suspect: North Korea.
On Monday, Google researcher Neel Mehta issued a cryptic tweet containing only a set of characters. They referred to two portions of code in a pair of malware samples, along with the hashtag #WannaCryptAttribution. Researchers immediately followed Mehta’s signposts to an important clue: An early version of WannaCry—one that first surfaced in February—shared some code with a backdoor program known as Contopee. The latter has been used by a group known as Lazarus, a hacker cabal increasingly believed to operate under the North Korean government’s control.
“There’s no doubt this function is shared across these two programs,” says Matt Suiche, a Dubai-based security researcher and the founder of the security firm Comae Technologies. “WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also.”
According to Suiche, that chunk of commands represents an encoding algorithm. But the code’s function isn’t nearly as interesting as its Lazarus provenance. The group rose to notoriety following a series of high-profile attacks, including the devastating hack of Sony Pictures in late 2014, that were identified by US intelligence agencies as a North Korean government operation. More recently, researchers believe that Lazarus compromised the SWIFT banking system, netting tens of millions of dollars from Bangladeshi and Vietnamese banks. Security firm Symantec first identified Contopee as one of the tools used in those intrusions.
Researchers at the security firm Kaspersky last month presented new evidence tying those attacks together, pointing to North Korea as the culprit. On Monday, Kaspersky followed up on Mehta’s tweet with a blog post analyzing the similarities in the two code samples. But while they noted the shared code in the Lazarus malware and the early version of the WannaCry, they stopped short of definitively stating that the ransomware stemmed from state-sponsored North Korean actors.
“For now, more research is required into older versions of Wannacry,” the company wrote. “We believe this might hold the key to solve some of the mysteries around this attack.”
In its blog post, Kaspersky acknowledged that the repetition of the code could be a “false flag” meant to mislead investigators and pin the attack on North Korea. After all, the WannaCry authors cribbed techniques from the NSA as well. The ransomware leverages an NSA exploit known as EternalBlue that a hacker group known as Shadow Brokers made public last month.
Kaspersky called that false flag scenario “possible” but “improbable.” After all, the hackers didn’t copy the NSA code verbatim but, rather, lifted it from the public hacking tool Metasploit. The Lazarus code, by contrast, looks far more like a reuse of unique code by a single group out of convenience. “This case is different,” Kaspersky researcher Costin Raiu wrote to WIRED. “It shows that an early version of WannaCry was built with custom/proprietary source code used in a family of Lazarus backdoors and nowhere else.”