Researchers identify similarities between global cyber attack and North Korean hacks

Cybersecurity researchers have found evidence possibly linking the WannaCry ransomware to the prolific North Korean cybergang known as Lazarus Group.

The cyber attack over the weekend infected more than 300,000 computers worldwide but infection rates have slowed, according to a top US official.

In the first clues of the origin of the massive ransomware attacks, Google researcher Neel Mehta posted computer code that showed similarities between the WannaCry malware and a vast hacking effort widely attributed to Pyongyang.

Taking the lead, Kaspersky and Symantec both noted on Monday that technical details within the early version of the WannaCry code are similar to code used in a 2015 backdoor created by the government-linked North Korean hackers, who were implicated in the 2014 attack on Sony Pictures and an $81 million (€73.57 million) heist on a Bangladeshi bank in 2016. 

Kaspersky is among the research teams to have been studying Lazarus Group for years, and in April it published a detailed “under the hood” report exposing the group’s modus operandi.

“This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organisation and control at all stages of operation. That’s why we think that Lazarus is not just another advanced persistent threat actor,” Kaspersky said, which also found attacks originating from IP addresses in North Korea.

Israeli-based security firm Intezer Labs also said it agreed with the North Korea attribution.

However, both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks.

The attacks are among the fastest-spreading extortion campaigns on record.