Cyber security firm Symantec has said it was “highly likely” a hacking group affiliated with North Korea was behind the WannaCry cyber attack this month that infected more than 300,000 computers worldwide and disrupted hospitals, banks and schools across the globe.
Symantec researchers said they had found multiple instances of code that had been used both in the North Korea-linked group’s previous activity and in early versions of WannaCry. The same Internet connection was also used to install an early version of WannaCry on two computers and to communicate with a tool that destroyed files at Sony Pictures Entertainment in 2014, an attack attributed to North Korea by the US Government. North Korea has routinely denied any such role.
Lazarus is the name many security companies have given to the hacking group behind the Sony attack and others. By custom, Symantec does not attribute cyber campaigns directly to governments, but its researchers did not dispute the common belief that Lazarus works for North Korea. In a blog post, Symantec listed numerous links between Lazarus and software the group had left behind after launching an earlier, less virulent version of the malware in February. One was a variant of software used to wipe disks during the Sony Pictures attack, while another tool used the same internet addresses as two other pieces of malware linked to Lazarus.
At the same time, flaws in the WannaCry code, its wide spread, and its demands for payment in the cryptocurrency bitcoin before files are decrypted suggest that the hackers were not working for North Korean government objectives, said Vikram Thakur, Symantec’s security response technical director. “Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” Thakur said in an interview. But he added: “We don’t think that this is an operation run by a nation-state.”
With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government. “The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets,” said Thakur. Lazarus has also been linked to attacks on banks via the SWIFT messaging network. Last year, hackers stole $81m from Bangladesh’s central bank. Symantec said malware used in that attack was linked to Lazarus.