Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea

Link involves version of software used in latest attack and uploaded to archive

Employees watch an electronic board to monitor possible ransomware cyberattacks at the Korea Internet and Security Agency in Seoul, South Korea. PHOTO: YONHAP/EUROPEAN PRESSPHOTO AGENCY


Updated May 15, 2017 9:57 p.m. ET

Cybersecurity researchers identified a digital clue connecting the global ransomware assault to previous cyberattacks by a group linked to North Korea.

The link involves a version of the software used in the latest attack, known as WannaCry, that was detected earlier this year and uploaded to an archive for security researchers.

Neel Mehta, a security researcher at Alphabet Inc.’s Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group. Security experts say that hacking group carried out a series of multimillion-dollar online banking thefts as well as the 2014 cyberattacks on Sony Entertainment—attacks they believe North Korea orchestrated.

Representatives from three major cybersecurity firms—Symantec Corp., Kaspersky Lab ZAO and Comae Technologies—later on Monday said they found the same link.

A Google spokesman had no comment on the findings. Mr. Mehta didn’t immediately respond to a request for further comment. The North Korean mission to the United Nations couldn’t be reached for comment.

The findings don’t necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven’t been identified, could have copied the code in question, for example.

“Similarities of code are only one component of what goes into attribution,” said Robert M. Lee, chief executive of cybersecurity company Dragos Inc.

“We have looked into the Lazarus theory. At this time, the similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator. However, we are continuing to investigate all possible attribution scenarios,” said John Miller, manager of analysis at FireEye Inc.

The Lazarus-linked code was eventually removed from the WannaCry ransomware and isn’t part of the software that infected more than 200,000 computers world-wide over the past few days, security experts said.

The connection found in the old version lies in software that both programs use to securely connect to other systems over the internet, said Kurt Baumgartner, a Kaspersky Lab researcher. The earlier WannaCry version and the Lazarus software appear to have been built by someone with access to the same source code, which is used by software developers to write their programs, but not generally accessible to others.

“We certainly need a lot more data at this point, but it’s a very interesting find,” Mr. Baumgartner said.

The WannaCry code that’s been linked to Lazarus was uploaded into a code analysis database called VirusTotal in February. It was likely a test version of the code, developed months before the ransomware software began infecting hundreds of thousands of machines world-wide, Mr. Baumgartner said.

It was found on a small number of systems, some of which were also infected with other tools used by the Lazarus group, said Vikram Thakur, a technical director at Symantec.

Write to Robert McMillan at





One Response to “Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea”

  1. daveyone1 Says:

    Reblogged this on World Peace Forum.
