Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea – Robert McMillanUpdated May 15, 2017 9:57 p.m. ET


Link involves version of software used in latest attack and uploaded to archive

Employees watch an electronic board to monitor possible ransomware cyberattacks at the Korea Internet and Security Agency in Seoul, South Korea. Photo: Yonhap/European Pressphoto Agency

By

Robert McMillan

Cybersecurity researchers identified a digital clue connecting the global ransomware assault to previous cyberattacks by a group linked to North Korea.

The link involves a version of the software used in the latest attack, known as WannaCry, that was detected earlier this year and uploaded to an archive for security researchers.

Neel Mehta, a security researcher at Alphabet Inc.’s GOOGL 0.43% Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group. Security experts say that hacking group carried out a series of multimillion-dollar online banking thefts as well as the 2014 cyberattacks on Sony Entertainment—attacks they believe North Korea orchestrated.

Representatives from three major cybersecurity firms— Symantec Corp. SYMC 3.19% , Kaspersky Lab ZAO and Comae Technologies—later on Monday said they found the same the link.

A Google spokesman had no comment on the findings. Mr. Mehta didn’t immediately respond to a request for further comment. The North Korean mission to the United Nations couldn’t be reached for comment.

The findings don’t necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven’t been identified, could have copied the code in question, for example.

“Similarities of code are only one component of what goes into attribution,” said Robert M. Lee, chief executive of cybersecurity company Dragos Inc.

“We have looked into the Lazarus theory. At this time, the similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator. However, we are continuing to investigate all possible attribution scenarios,” said John Miller, manager of analysis at FireEye Inc.

Article continues:

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s