North Korea ‘linked’ to global WannaCry cyberattacks by shared malware code

Pictured: North Korean leader Kim Jong Un (Reuters)

The ‘WannaCry’ strain of ransomware that has infected hundreds of thousands of victims across 150 countries may be linked to North Korea, researchers have found. One well-known hacking team, dubbed “Lazarus Group”, was specifically name-checked.

The coding similarities were first uncovered by Neel Mehta, a security researcher at Google, who dug up links between WannaCry and a strain of malware called “Contopee” – previously referenced during the probe into the massive Bangladesh Bank heist last year.

Cybersecurity firm Kaspersky Lab, which previously revealed Lazarus Group was involved with the 2015 Sony Pictures hack, said on 15 May that investigators must now “investigate these similarities and attempt to discover more facts about the origin of WannaCry.”

“Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus group,” a blog post read.

The researchers continued: “In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots.

“We believe this might hold the key to solve some of the mysteries around this attack.

“One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry.”

The shared code appears to be between a February 2017 version of the ransomware and Lazarus Group malware from two years ago, experts said.

“The [February] sample appears to be a very early variant of the WannaCry encryptor. We believe a false flag theory, although possible, is improbable,” Kaspersky experts concluded. The ransomware in question locks down computer systems until money is paid to the hackers.

Matthieu Suiche, a prominent researcher and founder of United Arab Emirates (UAE)-based cybersecurity firm Comae Technologies, also confirmed the find via Twitter. “There is no doubt functions are 100% the same,” Suiche claimed after analysing the malware.

“Both share similar code, one function is 100% identical,” he stated in another update, also linking to Lazarus Group research by Symantec, a US cybersecurity firm.

Similitude between and Contopee from Lazarus Group ! thx @neelmehta – Is DPRK behind ?

In May 2016, Symantec detailed how Contopee was one of three pieces of malware being used in targeted attacks against the financial sector in South-East Asia. The computer software was allegedly used by North Korean hackers to manipulate financial networks.

Rick Ledgett, the deputy director of the US National Security Agency (NSA), said in April that evidence linking North Korea to the Bangladesh banking operation was strong. “If that’s true, then that says to me that the North Koreans are robbing banks,” he said, as reported by Reuters.

The regime in North Korea has denied orchestrating the cyberattacks, which resulted in the successful theft of roughly $81m. In this most recent case, however, attribution remains far from certain. “Attribution can be faked,” Suiche noted, adding: “But if true this is a major provocation.”

While the shared code suggests an overlap with Lazarus Group malware, much more research will need to be conducted before a full picture of the situation emerges.
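The overlap the researchers describe is a function that is byte-for-byte identical in two samples, sitting at different offsets in each. As an added illustration for this article (it is not code from Google, Kaspersky, Symantec or Comae, and the two “samples”, the window size and the routine bytes are all constructed assumptions), the Python below indexes fixed-size slices of two samples by hash, confirms each hit byte-for-byte, extends it into a maximal shared run and reports the offsets in the same “@ 0x…” style the tweets use:

```python
"""Find byte-identical code regions shared by two binary samples.

Added illustration for this article; it is not code from Google, Kaspersky,
Symantec or Comae. The two "samples" are constructed here: one 128-byte
routine is embedded at different offsets inside otherwise unrelated bytes,
the way a reused function sits inside two different malware builds.
"""
import hashlib
import random

WINDOW = 32  # bytes per fingerprinted slice; small because the samples are tiny


def fingerprint_chunks(data: bytes, window: int = WINDOW) -> dict:
    """Map the SHA-256 of every window-byte slice to the offsets where it occurs."""
    index: dict = {}
    for off in range(len(data) - window + 1):
        digest = hashlib.sha256(data[off:off + window]).digest()
        index.setdefault(digest, []).append(off)
    return index


def shared_regions(a: bytes, b: bytes, window: int = WINDOW) -> list:
    """Return (offset_in_a, offset_in_b, length) for each maximal identical run.

    A window whose hash appears in both samples is confirmed byte-for-byte
    (guarding against hash collisions), then extended backwards and forwards
    while the bytes stay equal, so one reused function is reported once as a
    single run rather than as dozens of overlapping windows.
    """
    idx_a = fingerprint_chunks(a, window)
    idx_b = fingerprint_chunks(b, window)
    runs = set()
    for digest, offs_b in idx_b.items():
        for off_a in idx_a.get(digest, []):
            for off_b in offs_b:
                if a[off_a:off_a + window] != b[off_b:off_b + window]:
                    continue
                start_a, start_b = off_a, off_b
                while start_a > 0 and start_b > 0 and a[start_a - 1] == b[start_b - 1]:
                    start_a -= 1
                    start_b -= 1
                end_a, end_b = off_a + window, off_b + window
                while end_a < len(a) and end_b < len(b) and a[end_a] == b[end_b]:
                    end_a += 1
                    end_b += 1
                runs.add((start_a, start_b, end_a - start_a))
    return sorted(runs)


def build_samples() -> tuple:
    """Construct two fake binaries that share one routine at different offsets."""
    rng = random.Random(7)

    def noise(n: int) -> bytes:
        return bytes(rng.getrandbits(8) for _ in range(n))

    # 128 bytes standing in for a reused function (push ebp; mov ebp, esp; ...)
    routine = bytes([0x55, 0x8B, 0xEC]) + noise(125)
    # The bytes immediately around the routine are fixed and differ between the
    # samples, so the shared run is exactly the routine and nothing more.
    sample_a = noise(0x1FF) + b"\x90" + routine + b"\xCC" + noise(0xFF)
    sample_b = noise(0x33F) + b"\x00" + routine + b"\xC3" + noise(0x7F)
    return sample_a, sample_b


def demo() -> list:
    """Run the comparison on the constructed samples (routine at 0x200 and 0x340)."""
    sample_a, sample_b = build_samples()
    return shared_regions(sample_a, sample_b)


if __name__ == "__main__":
    for off_a, off_b, length in demo():
        print(f"{length} identical bytes @ 0x{off_a:X} in A, @ 0x{off_b:X} in B")
```

Byte-identical matching is the narrowest form of this comparison: a recompiled or relocated function differs in address and immediate operands even when its logic is unchanged, which is why analysts normally compare at the function level after normalising those operands, and why one shared function is, as the researchers quoted here stress, a clue rather than an attribution on its own.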

Shared code between an early, Feb 2017 Wannacry cryptor and a Lazarus group backdoor from 2015 found by @neelmehta from Google.

In a statement to IBTimes UK, Symantec said: “Over the weekend, we began investigating connections of WannaCry to known groups we are monitoring.

“We discovered that earlier versions of WannaCry in April and early May, which weren’t widely distributed, unlike the recent outbreak, were found on systems shortly after being compromised with known Lazarus tools.

“However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems. In addition, we found code in WannaCry used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections.

“We are continuing to investigate for stronger connections.”

I heard ya’ll like overlaps– another Lazarus sample with same WannaCrypt Overlap: 409c6a19705ccbd3185d5d0656c7811d @ 0x4018C0 from Oct 2014

‘Havoc and embarrassment’

Responding to the news on Twitter, Claudio Guarnieri, a senior technologist at Amnesty International and researcher at Citizen Lab, said the discovery of linked malware was “huge if true.”

He tweeted: “That could explain the general sloppiness and lack of a decryption process, if the intent is to quickly cause havoc and embarrassment. That said, we need to be cautious. We definitely need more data points before being confident about this connection.”

WannaCry was responsible for a major incident on 12 May (Friday) after it quickly infected organisations across the world, including the UK health service. It was effective because it was built on an NSA exploit leaked earlier in the year by a group called ‘Shadow Brokers’.

Law enforcement agencies around the globe are now scrambling to investigate the computer meltdowns. Organisations, meanwhile, are rushing to patch systems before a new variant of the notorious ransomware is able to infect machines running outdated software. – IBTimes
