
As cyberattacks slow, potential N. Korea links

May 16, 2017

Cybersecurity experts have detected similarities between the ransomware used in the recent global attacks and earlier code from a North Korean hacking ring. However, they have warned that the clues could be misleading.

A projection of cyber code on a hooded man (Image: Reuters/K. Pempel)

As the computer infection rate from last week's "WannaCry" ransomware virus slowed on Monday, defying predictions of a second surge, researchers from various technology and cybersecurity firms confirmed indications that could potentially trace the attack to the North Korean-based Lazarus group.


Google researcher Neel Mehta was the first to publicize the similar sections of code shared by the "WannaCry" malware that infected around 300,000 computers across 150 countries and a previous hacking operation allegedly undertaken by Lazarus in 2015.  

Other security labs quickly followed up on the Google cybersecurity researcher's findings. The Israel-based cybersecurity firm Intezer Labs expressed its conviction that the "WannaCry" attack could be traced to Lazarus, though it did not expand on the proof behind its certainty.

In contrast, Russia-based firm Kaspersky Lab took a more cautious tone.

Costin Raiu, Kaspersky's director of global research and analysis, tweeted screenshots of the overlapping sections of code found by Mehta and also published a link to an analysis of the similarities on the lab's official blog, Securelist.

In its analysis, Kaspersky called Mehta's discovery "the most significant clue to date" in relation to uncovering the origins of the ransomware. But the firm simultaneously called for global investigations to "discover more facts about the origin of 'WannaCry.'"

"Further research can be crucial to connecting the dots," its experts wrote.

Hackers often lift code from other operations, meaning that similar or even small identical sections of code do not necessarily indicate shared origins.

"The similarities we see between malware linked to that group and 'WannaCry' are not unique enough to be strongly suggestive of a common operator," John Miller, a researcher at FireEye cybersecurity firm, pointed out.
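The caution voiced above comes down to a measurement problem: how much of the overlap between two samples is family-specific code, and how much is a routine that circulates freely between unrelated toolkits? The script below is an added illustration, not code from any of the researchers or firms named in the article. It compares byte-level n-grams of three constructed samples (the byte strings are made up for the example and stand in for real binaries): two variants of one family and one unrelated sample, all of which embed the same copied helper routine. Measured naively, the unrelated sample shares roughly a fifth of its n-grams with the family; once the known shared routine is discounted, that overlap drops to nothing, while the two family members stay almost identical.

```python
"""Added example: why a small shared code fragment is weak attribution evidence.

All byte strings here are constructed for the demonstration; none is real malware.
"""
import random


def ngrams(data: bytes, n: int = 8) -> set:
    """Return the set of all length-n byte windows found in data."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def shared_fraction(a: bytes, b: bytes, n: int = 8, known_shared: bytes = b"") -> float:
    """Fraction of a's n-grams that also occur in b.

    n-grams that come from `known_shared` (a routine known to be copied between
    unrelated projects) are discarded from both sides before comparing, so the
    result reflects only code that is not explained by that common routine.
    """
    common = ngrams(known_shared, n)
    ga = ngrams(a, n) - common
    gb = ngrams(b, n) - common
    return len(ga & gb) / len(ga) if ga else 0.0


def _pseudo_code(seed: int, length: int = 200) -> bytes:
    """Deterministic stand-in for compiled code: seeded pseudo-random bytes."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(length))


# Constructed stand-in for a widely copied helper (e.g. a public crypto or
# networking routine that many unrelated toolkits embed verbatim).
COMMON_ROUTINE = bytes(range(64))

# Constructed family-specific code and an unrelated sample's code.
FAMILY_A_BODY = _pseudo_code(seed=1)
UNRELATED_BODY = _pseudo_code(seed=2)

# Two members of family A (same body, different layout) and one unrelated sample,
# all embedding the copied helper.
SAMPLE_A1 = FAMILY_A_BODY + COMMON_ROUTINE
SAMPLE_A2 = COMMON_ROUTINE + FAMILY_A_BODY
SAMPLE_X = UNRELATED_BODY + COMMON_ROUTINE


def compare_all() -> dict:
    """Raw versus routine-discounted similarity for the constructed samples."""
    return {
        "a1_vs_a2_raw": shared_fraction(SAMPLE_A1, SAMPLE_A2),
        "a1_vs_a2_discounted": shared_fraction(SAMPLE_A1, SAMPLE_A2,
                                               known_shared=COMMON_ROUTINE),
        "a1_vs_x_raw": shared_fraction(SAMPLE_A1, SAMPLE_X),
        "a1_vs_x_discounted": shared_fraction(SAMPLE_A1, SAMPLE_X,
                                              known_shared=COMMON_ROUTINE),
    }


if __name__ == "__main__":
    for name, value in compare_all().items():
        print(f"{name:22s} {value:.3f}")
```

The discounting step is the whole point: an analyst who knows which routines are freely shared (public exploit code, packers, library functions) can subtract them before deciding whether what remains is distinctive enough to point at a common operator. Real analysis works on disassembled functions rather than raw byte windows, but the logic is the same.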

The Lazarus hackers have been traced to various cyberattacks including the theft of $81 million from the Bangladesh central bank in 2016 and a 2014 attack on Sony Pictures.


Victim of its own success

Officials around the world breathed a sigh of relief on Monday as a fresh wave of attacks failed to appear.

Though the ransomware crippled systems across the globe on Friday, notably including Britain's National Health Service and Germany's Deutsche Bahn, Asian authorities feared that, because of the time difference, computers that had been switched off on Friday at the time of the attack would be restarted on Monday to a wall of lockout messages. However, a crippling system wipeout did not materialize.

Ironically, part of the reason the second wave was so weak was the virus' widespread success: "WannaCry" was one of the fastest-spreading viruses on record.

A patient appointment letter from a London NHS hospital, next to a virus and spyware warning message. Britain's National Health Service lost access to patient files due to "WannaCry" (Image: picture-alliance/empics/Yui Mok)

"The malware became too successful," said Mikko Hypponen, chief researcher at the Finnish security firm F-Secure.

"When you are a cybercriminal gang and your mission is to make money, you don't want to infect 200,000 work stations. You don't want to end up on the covers of magazines. There will be no shortage of investigation."

The "WannaCry" malware virus functioned by encrypting user data, effectively barring access to it, and demanding a ransom of between $300 and $600 in the digital currency bitcoin. Thus far, the attackers have obtained only about $70,000 for their efforts.

The virus stemmed from a flaw discovered by the US National Security Agency that was later leaked online. The attack led to recrimination between the United States and Russia, while US technology firms also criticized the US government for failing to share valuable information in order to further internet security developments.

cmb/cmk (AFP, Reuters, AP)