Experts see North Korean hand in global ransomware attack
16 May 2017
Security researchers believe that an early version of the "WannaCry" ransomware that affected computer networks in more than 150 countries is the handiwork of the North Korean government. They have cited certain digital clues in the malware used in last week's global cyber attack that indicate possible North Korean involvement.
While experts are not willing to vouch for North Korean involvement, they point to a possible North Korea link to the "WannaCry" malware attack. They say an early version of the "WannaCry" ransomware that affected more than 150 countries and major businesses and organisations shares a portion of its code with a tool from a hacker group known as Lazarus, which researchers think is linked to the North Korean government.
Shared source code could mean either that North Korean actors wrote WannaCry or that they used the same third-party code that was used by other hackers, they explain.
In the US, White House homeland security adviser Thomas Bossert said on Monday that investigators were still working to determine who was behind the attack, which infects computers with a virus that encrypts data and is accompanied by a demand that victims pay a ransom to decrypt it. "That's the attribution that we're after right now," he said at a White House briefing. "It will be very satisfying for me and for all of our viewers, I think, that if we find them that we bring them to justice. ... I don't want to say we have no clues. ... The best and the brightest are working on that."
Several security researchers studying "WannaCry" said they found evidence of possible connections to earlier attacks such as the crippling hack on Sony Pictures Entertainment in 2014, attributed by the US government to North Korea (See: US sees North Korea hand in Sony hack).
That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.
The ransomware attack, first reported on Friday, had compromised hundreds of thousands of computers with data encrypted on the machines. The hackers offered to unlock the data for bitcoin payments of $300.
Payments, however, have not led to data recovery in the cyber attack. In one case, reports said, the alleged hackers from North Korea demanded bitcoin in exchange for client information they had stolen from a South Korean shopping mall.
Software company Symantec, maker of popular security software, published a blog post also pointing to the possible connections, writing, "While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation."
Kaspersky Lab, a Russian cybersecurity firm, also pointed to similar links, writing, "We believe this might hold the key to solve some of the mysteries around this attack."
US authorities, however, say the code in question is not a large portion of the overall WannaCry malware, so it's plausible that the attackers got it from sources other than the National Security Agency.
While the ransomware attack was enabled by a leak of National Security Agency hacking tools, it has not yet been established that this was done by North Korean actors.
Although the spread of the WannaCry virus has slowed as new nations put up cyberdefences, the malware is still finding its way into hundreds of thousands more computers while businesses and governments assess the damage and plan their next moves.
In Europe, stock markets were generally flat, although there were no hacker-linked disruptions in early trading. On Wall Street, firms selling online protection services were hot stocks.
In Japan, the government's Computer Emergency Response Team said as many as 2,000 computers at 600 companies were affected by the ransomware, and the government set up a new crisis management office to deal with cyberterrorism.
China's state-run Xinhua News Agency reported that the virus infiltrated a range of networks, including railway operations, mail delivery, hospitals and government offices.
In France, automaker Renault said one of its plants was closed on Monday as a "preventive step" while engineers looked at the fallout from the cyberattack.
The virus has mainly infiltrated systems in Europe - particularly Britain's health-care network.
Some eight to 10 US entities, including a few in the health-care sector, reported possible WannaCry infections to the Department of Homeland Security, a US official said.
In the South Korean city of Asan, an electronic panel meant to show bus arrival times instead displayed a message demanding bitcoin payment. The CGV movie chain, South Korea's largest, said that about 50 of its theater complexes were attacked by the ransomware but that films were still running as scheduled.
Vietnam's state media said on Tuesday more than 200 computers had been affected. Taiwan Power Co said that nearly 800 of its computers were affected, although these were used for administration, not for systems involved in electricity generation.
Researchers discovered a "kill switch" on the virus that stopped its spread from computer to computer, potentially saving tens of thousands of machines from further infection.
Researchers say new versions of the worm, without this kill switch, could eventually be released.
While the attacks have raised global cyber security concerns, security firms are benefiting from the cyber threat as computer networks look for better cover.
Cyber security stocks spurted as investors bet governments and corporations will spend more to upgrade their defences.
Cisco Systems closed up 2.3 per cent on Monday and was the second-biggest gainer in the Dow Jones Industrial Average.