Researchers: WannaCry ransomware shares code with North Korean malware

The link is important, but shared code is not the same as attribution, experts warned.

The ransomware known as WannaCry that spread rapidly to 300,000 machines in 150 countries over the past few days shares code with malware written by a group of North Korean hackers known as the Lazarus Group.

While the shared code is important, experts warned that it’s far from proof of who created and launched the ransomware attacks.

Neel Mehta, a security researcher at Google, first pointed out the shared code on Monday on Twitter. The link was quickly echoed by numerous other experts. In addition, the cybersecurity firms Symantec and Kaspersky have independently found distinct instances of overlapping code between WannaCry and Lazarus Group.


“From a technical point of view those two functions and their references are identical,” said Matt Suiche, founder of United Arab Emirates-based cybersecurity firm Comae Technologies. “From an attribution point of view a ransomware would subscribe to the narrative of Lazarus Group, which is stealing money like we saw with multiple financial institutions with fraudulent SWIFT transactions – having a nation-state powered ransomware leveraging crypto currency would be a first.”

Contopee is a backdoor trojan used to take over a target’s computer. It’s been used by North Korea-linked hackers to attack the financial industry in Southeast Asia. The campaign is one facet of North Korea’s greater bank hacking operations that included an $81 million theft from Bangladesh last year. Lazarus Group has been known to utilize and target Bitcoin in its hacking operations.

Shared code is not the same as attribution. Code can be written and erased by anyone, and shared code is often reused. Recent leaks from the CIA show code reuse from different groups because it’s an obvious time saver. The same technique could potentially be used to frame another group as responsible for a hack but, despite a lot of recent speculation, there is no definitive proof.

No government official has attributed the global ransomware attack to any party, nation-state or otherwise.


Attribution and punishment is “something that we are working on quite seriously,” Homeland Security Adviser Tom Bossert said during a White House briefing on Monday.

Attribution is “something that sometimes eludes us,” he said. “Attribution can be difficult here.”

“Attribution can always be faked, as it’s only a matter of moving bytes around,” said Suiche.

“For now, more research is required into older versions of Wannacry,” Kaspersky Lab researchers wrote in a blog post on Monday. “We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry.”

Kaspersky Lab researcher J.A. Guerrero-Saade later found more overlapping code between the two groups. That was followed by Symantec making its own independent discovery.


“We have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems,” Symantec, whose researchers have been studying Lazarus for several years, said in a statement on Monday. “In addition, we found code in WannaCry used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections.”

Chris Bing contributed to this report. 

This story is developing and will be updated as more information becomes available.
