Link involves version of software used in latest attack and uploaded to archive
Employees watch an electronic board to monitor possible ransomware cyberattacks at the Korea Internet and Security Agency in Seoul, South Korea. Photo: Yonhap/European Pressphoto Agency
Cybersecurity researchers identified a digital clue connecting the global ransomware assault to previous cyberattacks by a group linked to North Korea.
The link involves a version of the software used in the latest attack, known as WannaCry, that was detected earlier this year and uploaded to an archive for security researchers.
Neel Mehta, a security researcher at Alphabet Inc.’s Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group. Security experts say that hacking group carried out a series of multimillion-dollar online banking thefts as well as the 2014 cyberattacks on Sony Entertainment—attacks they believe North Korea orchestrated.
A Google spokesman had no comment on the findings. Mr. Mehta didn’t immediately respond to a request for further comment. The North Korean mission to the United Nations couldn’t be reached for comment.
The findings don’t necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven’t been identified, could have copied the code in question, for example.
“Similarities of code are only one component of what goes into attribution,” said Robert M. Lee, chief executive of cybersecurity company Dragos Inc.
“We have looked into the Lazarus theory. At this time, the similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator. However, we are continuing to investigate all possible attribution scenarios,” said John Miller, manager of analysis at FireEye Inc.