'Highly likely' North Korea link to WannaCry

May 23, 2017

It is 'highly likely' that Lazarus hackers were responsible for this month's WannaCry cyberattack, the US anti-virus firm Symantec reports. The cell is widely believed to be connected to North Korea.

The US cybersecurity firm Symantec reports that a hacking group allegedly affiliated with North Korea perpetrated the WannaCry ransomware attack. According to Symantec, the ransomware had many of the hallmarks of other Lazarus attacks, including the 2014 strike on Sony Pictures and a multimillion-dollar theft from the Bangladesh Central Bank.

Symantec's analysis revealed "substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry." However, Symantec allowed that "the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign."

WannaCry seized up 300,000 computers at banks, hospitals and state agencies in 150 countries while hackers demanded payment in bitcoin to return control to users. Without mentioning the links between Lazarus and North Korea, Symantec reported that, prior to the global outbreak on May 12, hackers had used an earlier version of WannaCry in a small number of attacks in the previous three months.

'Dirty and despicable'

Seoul-based internet security firm Hauri, known for its vast troves of data on official hacking in North Korea, has warned of ransomware attacks since last year. Researchers in the United States, Russia and Israel - no slouches at cyberwarfare - also pointed to a potential link to North Korea. And the Google researcher Neel Mehta also found similarities between WannaCry and Lazarus code.

After South Korean cybergurus alleged that their counterparts in the north of the peninsula had ordered the attack last week, officials in Pyongyang vehemently dismissed the accusations as pure propaganda from old opponents. As recently as Monday, hours before Symantec released its assessment, North Korean officials called the earlier allegations "a dirty and despicable smear campaign."

Cybersecurity pros say North Korea has stepped up a hook-or-crook campaign to bring in hard foreign currency in the face of sanctions imposed by the United Nations to cripple the country's nuclear and missile programs.

In November 2014, for just one example, Sony Pictures Entertainment became the target of the biggest cyberattack in US corporate history just before its release of the critically panned racial-caricature comedy "The Interview," which takes North Korea as its setting. US officials blamed their North Korean counterparts for the attack, a claim denied loudly in Pyongyang even as authorities there strongly condemned the film, which features a fictional CIA plot to assassinate leader Kim Jong Un.

mkg/rt (Reuters, AFP)