The WannaCry ransomware that attacked computers in 150 countries has lines of code that are identical to work by hackers known as the Lazarus Group, according to security experts. The Lazarus hackers have been linked to North Korea, raising suspicions that the nation could be responsible for the attack.
The connection was made by Google security researcher Neel Mehta, who pointed out similarities between WannaCry and malware used by Lazarus, the group that has been blamed for the Sony Pictures hack of 2014 and for stealing millions of dollars from a Bangladeshi bank in 2016.
After Mehta highlighted the elements in the code, other researchers confirmed similarities that early versions of WannaCry — also called WannaCrypt, Wana Decryptor or WCry — shared with malware tools used by Lazarus.
While the revelation stands as the most substantial public details about the cyberattack’s origin, it’s not seen as enough to assign blame — at least in part because it’s common to copy code. But similarities in lines of malware have been traced to earlier Lazarus attacks at least as far back as 2013, when South Korean media companies were targeted. Those patterns were highlighted last year, when hackers used malware to go after banks.
“If validated, this means the latest iteration of WannaCry would in fact be the first nation-state powered ransomware,” Dubai-based security researcher Matt Suiche writes. “This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from [NSA hackers] Equation Group to create global chaos.”
The identity of whoever deployed the attack has remained a mystery, but it’s widely known that the WannaCry “exploit” used to take control of vulnerable Windows computers was stolen from the National Security Agency. A rogue group published the malware online in April. After it was used, Microsoft President and Chief Legal Officer Brad Smith called out the U.S. government for “stockpiling” vulnerabilities.
The WannaCry attack made headlines on Friday after locking computers in the U.K.’s health system and Spain’s largest telecom. There were no signs that the attack sought to single out the U.S. or South Korea, despite its emergence at a time of high tensions on the Korean Peninsula.
“At least 12 South Korean companies have been hit by the WannaCry computer virus,” NPR’s Lauren Frayer reports from Seoul. “It has disrupted ads for a local theater chain, and bus schedules in a small city south of the capital Seoul. But South Korea doesn’t appear to be hurt any more than other countries.”
Security firm Symantec says it has “identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry,” which could have been used to help spread the worm to vulnerable computers. The company adds that the shared code is based on “a specific sequence of 75 ciphers, which to date have only been seen across Lazarus tools.”
Malware researcher Paul Burbage of Flashpoint, a business risk intelligence company, tells NPR’s Martin Kaste that so far, he hasn’t seen a solid connection between the ransomware and North Korea.
“We compared the code samples between WannaCry and previous [Democratic People’s Republic of Korea] activity, but the only similarities are public libraries,” Burbage says. “Perhaps Symantec has more to go on than us at this point, but we are not seeing a DPRK link with the WannaCry worm campaign at this point.”
The WannaCry cyberattack has hit more than 300,000 computers, White House homeland security adviser Tom Bossert said Monday. He also said that while U.S. investigators don’t know who is responsible for WannaCry, there are clues to follow.