24 May 2017
Symantec, a leading cybersecurity firm and maker of, among other products, the popular Norton antivirus software, has announced that the perpetrator of the recent WannaCry cyberattack is "highly likely" to be a hacking group from North Korea known as Lazarus.
In case you haven't kept up with the news in the last week or so, WannaCry was a ransomware outbreak that infected about 300,000 computers worldwide. It disrupted healthcare networks in the UK and systems at a leading telecommunications company in Spain, and it also hit schools, banks, private computers and more.
WannaCry is ransomware, a type of malware that encrypts the files on an infected computer and withholds the decryption key until the victim pays a ransom, usually in Bitcoin, a digital currency whose transactions are public but not tied to a real-world identity (pseudonymous rather than truly anonymous).
The extensive reach of the attack can be attributed to a worm component that exploited a flaw in the Microsoft Windows file-sharing (SMB) service, which let WannaCry spread from machine to machine with no user interaction. That vulnerability had been used by the NSA, whose exploit for it was leaked by another hacker group called the Shadow Brokers, who are suspected by some to be Russian. Microsoft had already released a patch for the flaw about two months before the outbreak, so fully patched systems were not affected; the victims were largely unpatched or unsupported Windows installations.
Why does Symantec think a North Korean hacker group is behind the attack? Some of the same code was used in other cyberattacks from the same group, including an earlier version of WannaCry. Reused code can be like fingerprints in cyberforensics. That's not all, though. There's also a link to the Sony hack from a few years ago: some of the file-destroying (wiper) tools from that attack connected to the same internet address, and other wipers and malware known to have been deployed by Lazarus used that same infrastructure.
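The two attribution signals described above, code shared between samples and network infrastructure shared between campaigns, can be checked mechanically. The following Python script is an added example for this article, not Symantec's or any vendor's tooling. Everything in it is constructed: the "samples" are deterministic pseudo-random byte blobs standing in for compiled binaries, the IP addresses come from the documentation ranges, and the function names (`code_similarity`, `shared_infrastructure`) are hypothetical.

```python
"""Added example: two attribution signals, shared code and shared infrastructure.

Everything below is constructed for illustration. The 'samples' are
deterministic pseudo-random byte blobs, not real malware, and the IP
addresses are from the RFC 5737 documentation ranges.
"""
import hashlib


def _blob(seed: str, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for compiled code (constructed)."""
    out = b""
    counter = 0
    while len(out) < size:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return out[:size]


# A routine that one author reused across several samples (constructed).
SHARED_ROUTINE = _blob("shared-routine", 512)

# Three constructed binaries: two embed the shared routine, one does not.
SAMPLE_EARLIER = _blob("earlier-prefix", 1024) + SHARED_ROUTINE + _blob("earlier-suffix", 512)
SAMPLE_LATER = _blob("later-prefix", 768) + SHARED_ROUTINE + _blob("later-suffix", 1024)
SAMPLE_UNRELATED = _blob("unrelated", 2048)


def byte_ngrams(data: bytes, n: int = 8) -> set:
    """All n-byte windows of a sample. A whole-file hash breaks on any change;
    sliding windows still match when a routine is copied into a new binary."""
    return {data[i:i + n] for i in range(len(data) - n + 1)}


def code_similarity(a: bytes, b: bytes, n: int = 8) -> float:
    """Jaccard similarity of the two samples' n-gram sets, in [0, 1]."""
    ga, gb = byte_ngrams(a, n), byte_ngrams(b, n)
    union = ga | gb
    return len(ga & gb) / len(union) if union else 1.0


def shared_fragments(a: bytes, b: bytes, n: int = 8) -> int:
    """Number of n-byte windows the two samples have in common; a contiguous
    run of such matches is the 'fingerprint' an analyst would then inspect."""
    return len(byte_ngrams(a, n) & byte_ngrams(b, n))


# Constructed mapping: sample name -> addresses the sample contacted.
INFRASTRUCTURE = {
    "wiper-2014": {"203.0.113.10", "198.51.100.7"},
    "backdoor-2016": {"203.0.113.10"},
    "ransomware-early-2017": {"203.0.113.10", "192.0.2.44"},
    "unrelated-banker": {"192.0.2.99"},
}


def shared_infrastructure(samples: dict) -> dict:
    """Invert sample -> addresses into address -> samples and keep only the
    addresses seen in more than one sample; those are the pivot points."""
    by_address = {}
    for name, addresses in samples.items():
        for addr in addresses:
            by_address.setdefault(addr, set()).add(name)
    return {addr: names for addr, names in by_address.items() if len(names) > 1}


if __name__ == "__main__":
    print("earlier vs later:     %.3f" % code_similarity(SAMPLE_EARLIER, SAMPLE_LATER))
    print("earlier vs unrelated: %.3f" % code_similarity(SAMPLE_EARLIER, SAMPLE_UNRELATED))
    print("shared 8-byte windows:", shared_fragments(SAMPLE_EARLIER, SAMPLE_LATER))
    for addr, names in shared_infrastructure(INFRASTRUCTURE).items():
        print(addr, "->", sorted(names))
```

The two related samples share the 505 windows that make up the copied routine and score well above the unrelated pair, and one address ties three of the four constructed campaigns together. The caveat a practitioner keeps in mind is that both signals can mislead: code overlap can come from a public library, a packer or leaked tooling that several groups use, and an address can be a compromised host or commodity hosting shared by unrelated actors. That is why these are treated as indicators to corroborate rather than proof on their own.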
North Korea responded to the accusation with a statement calling the report a "despicable smear campaign," an unambiguous denial.
Lazarus is not the group's official name. It is the name cybersecurity companies gave to the group behind the Sony attack. As a general rule, Symantec does not go so far as to attribute hacking campaigns to governments, but it also does not dispute the commonly accepted view that Lazarus works for the North Korean government.
That said, several factors suggest that Lazarus does not work solely for the North Korean government. The ransomware code was not very sophisticated, and it demanded payment in Bitcoin, which would not normally be a goal of the North Korean government.
Why would Lazarus have sent out a massive ransomware attack? It could have been a splinter group, contractors, or hackers who are simply no longer employed by North Korea directly. One way or another, the general consensus is that the group was just trying to make a few extra bucks. So while Lazarus is a hacker group from North Korea that has done work on behalf of the government, this does not appear to have been a state-sponsored attack.
Symantec is not alone in believing Lazarus was behind the WannaCry attack. The Shadow Brokers, the previously mentioned hacker group that released the NSA exploit used to spread the malware, also backed the idea that Lazarus was responsible, though some think that is just an attempt to take some heat off their own group.
Kaspersky, another renowned cybersecurity firm, said there are similarities in the code that could point to Lazarus as the culprit, but it does not consider the evidence conclusive.
Others point out that the Korean used in the Korean version of the ransom note does not read as if it were written by a native speaker. The counterargument is that attackers often deliberately garble the language in their notes to make the source harder to pin down.