Was it only a technical demonstration for hackers to showcase their skill and gain rank? Was it to cause chaos? Although the worm has left many questions unanswered in its wake, analysis of the code points to the involvement of the Chinese, Koreans and the Russians.
Symantec Corp has now confirmed that it is “highly likely” that a hacking group with close affiliations to North Korea was behind the WannaCry cyberattack, which infected nearly 300,000 computers globally and disrupted the activities of banks, hospitals, and schools worldwide.
Security researchers from Symantec found multiple instances of code that had been used both by hacking groups close to North Korea and in early versions of the worm.
Furthermore, the internet connection that was used to install an early version of the WannaCry worm on two computers was also used to communicate with a tool to destroy files at Sony Pictures Entertainment in 2014.
In that case, private companies and the U.S. government had accused North Korea of staging the attack.
North Korea has denied its role and has called reports of its involvement “a dirty and despicable smear campaign.”
Security companies have named Lazarus as being the hacking group behind the Sony attack in 2014. Symantec’s security researchers did not dispute the belief that Lazarus was behind the attack and that the group works for North Korea.
According to Vikram Thakur, Symantec’s security response technical director, flaws in the WannaCry code suggest that the hackers were not directly working for the North Korean government in this particular instance.
“Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access,” said Thakur in an interview.
He went on to add, “We don’t think that this is an operation run by a nation-state.”
With this worm, members of the Lazarus Group could have been moonlighting to make some extra money; there is also the possibility that they have left the government’s service, or they could even be independent contractors without direct obligations to the North Korean government.
The most virulent version of the WannaCry worm spread by using a vulnerability in Microsoft’s Windows operating system.
Hackers exploited that vulnerability when another hacking group, called The Shadow Brokers, leaked it; the vulnerability was being used by the U.S. National Security Agency.
U.S. intelligence officials believe that the members of The Shadow Brokers are affiliated with Russia.
According to cyber security researchers from Kaspersky, there are several similarities between the code of the WannaCry malware and the earlier attack code that was used by Lazarus.
In an interview last week, Kaspersky’s Asia research director, Vitaly Kamluk, admitted that although the evidence was conclusive, it nevertheless was very coincidental.
“It’s unusual,” said Kamluk.
According to Beau Woods, deputy director of the Cyber Statecraft Initiative, the usage of the Korean language in some versions of the WannaCry ransom note indicates that it wasn’t written by a native speaker, which makes the connection to Lazarus unlikely.
Thakur, however, stated that hackers have deliberately obfuscated their language to make tracing them harder. It is also possible that the coding of the worm had been contracted out to another country.
It is very unlikely that WannaCry’s objective was only to create chaos.
If the main objective was to earn money on the side, it would suggest an undisciplined hacking operation run by North Korea, one that could be exploited and weakened by North Korea’s foes.
China is North Korea’s only ally in the world.
“The intelligence community will probably take away from this that there is a possibility of splinters in the Lazarus Group, or members who are interested in filling their own pockets, and that could help,” said Thakur.
Last year’s $81 million heist from Bangladesh’s central bank has been linked to Lazarus.