Forensics experts investigating the destructive “WannaCry” computer attack may have made a breakthrough in the hunt for the perpetrator. A clue uncovered in an earlier version of the malware suggests it was created by a cyber gang known to security geeks as the “Lazarus Group” and to the rest of us as the Democratic People’s Republic of Korea.
If the tentative link between North Korea and WannaCry is borne out, it would mean the country was responsible for the most broadly destructive online attack in 10 years. WannaCry ripped through 160,000 computers in at least 74 countries, crippling some hospitals, utilities, businesses, and government agencies in an online extortion scheme. The self-spreading internet worm stalled out only when a U.K.-based malware researcher found a way to trigger a “kill switch” embedded in the code.
The ransom scheme could even create trouble between North Korea and China, one of the DPRK’s few allies. China was hit hard in the attack, with tens of thousands of companies and organizations hobbled by WannaCry in a matter of hours.
Google security researcher Neel Mehta was first to cautiously connect the DPRK to the WannaCry attack. In a cryptic tweet Monday, Mehta referenced two seemingly different breeds of computer attack code. One was an early version of the WannaCry code that was found in the wild last February. The other was the “Contopee” backdoor program previously used in the Lazarus Group’s attacks on Asian financial institutions.
Mehta drew attention to a section of code that, upon inspection, turned out to be nearly identical in each program. Such commonalities are considered a key metric in determining that a common actor is behind two hacks, and other researchers quickly affirmed the importance of the find. “For now, more research is required into older versions of WannaCry,” wrote analysts at Kaspersky Lab. “We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure—Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry.”
Security giant Symantec says it has been thinking along similar lines. Over the weekend the company discovered that early versions of WannaCry—used before the NSA code was added—had a way of turning up on victim computers right after a confirmed Lazarus Group attack. “However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems,” wrote Vikram Thakur, technical director at Symantec, in a statement. “In addition, we found code in WannaCry… that historically was unique to Lazarus tools.”
Since cutting their teeth on Sony’s computers in 2014, the DPRK’s hackers have been linked to string of ambitious online bank heists, the largest being the electronic theft of $81 million from Bangladesh Bank in 2016. A target list leaked in one of the bank hacks shows the group targeting close 100 financial institutions in 31 countries in a single campaign. It’s believed that Kim Jong Un maintains an army of 5,000 full-time hackers that he’s now using to boost the coffers of his deliberately isolated nation.
Amateur and professional cyber sleuths spent the weekend poring over clues in the attack, drawing inconclusive but tantalizing results. Could the Windows machine identifier “BAYEGANSRV” leaked in the code refer to the small village of Bayegan in Iran’s Fars province, or perhaps an oil and gas company in Istanbul with the same name? Then there’s the hotmail address belonging to a travel agent in Thailand—was her account hacked, or is she being deliberately set up? And what about this mysterious string deep in the malware: Smile465666SA?
The bungled elements of the attack stick out. It had a kill-switch that was easily activated by a white hat, for one. And while the ransomware was aces at spreading ferociously and encrypting innocent victims’ files into oblivion, it lacked an automated back end to receive ransom payments and dispense file-saving decyption keys. Without that feature—which is commonplace in mainstream ransomware—victims who paid $300 to $600 in bitcoin had to wait for hours or days for the attacker to get back to them, until eventually the hacker stopped responding altogether, presumably overcome by sheer scale.
“They didn’t even really get the whole ransom collection part right,” said Ryan Kalember, senior vice president at Proofpoint. Like many, Kalember has come to suspect that the malware wasn’t unleashed on to the internet but rather escaped there on its own. “My instinct is it was released accidently or prematurely,” he said. “Either that or they’re very unsophisticated actors.”
But WannaCry’s mix of grand ambition and missed details would also be consistent with North Korea’s hackers. The Lazarus Group’s theft of $81 million from the Bangladesh Bank wasn’t the capstone of a successful operation, it was the consolation prize for a botched one. The group was attempting to steal nearly $1 billion but was undone by a sloppy spelling mistake on one of the wire transfer orders.
Similarly, by not delivering on the value proposition of a ransom scheme, WannaCry offered its victims little reason to play the game. So far, WannaCry has brought in just over $61,000 in ransom money for an attack that likely inflicted damage in the hundreds of millions.