Researchers Identify Clue Connecting Ransomware Assault to Group Tied to North Korea

Cybersecurity researchers identified a digital clue connecting the global ransomware assault to previous cyberattacks by a group linked to North Korea.

The link involves a version of the software used in the latest attack, known as WannaCry, that was detected earlier this year and uploaded to an archive for security researchers.

Neel Mehta, a security researcher at Alphabet Inc.'s Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group. Security experts say that hacking group carried out a series of multimillion-dollar online banking thefts as well as the 2014 cyberattacks on Sony Entertainment -- attacks they believe North Korea orchestrated.

Representatives from three major cybersecurity firms -- Symantec Corp., Kaspersky Lab ZAO and Comae Technologies -- later on Monday said they found the same the link.

A Google spokesman had no comment on the findings. Mr. Mehat didn't immediately respond to a request for further comment. The North Korean mission to the United Nations couldn't be reached for comment.

The findings don't necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven't been identified, could have copied the code in question, for example.

"Similarities of code are only one component of what goes into attribution," said Rob Lee, chief executive of cybersecurity company Dragos Inc.

"We have looked into the Lazarus theory. At this time, the similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator. However, we are continuing to investigate all possible attribution scenarios," said John Miller, manager of analysis at FireEye Inc.

The Lazarus-linked code was eventually removed from the WannaCry ransomware and isn't part of the software that infected more than 200,000 computers world-wide over the past few days, security experts said.

The connection found in the old version lies in software that both programs use to securely connect to other systems over the internet, said Kurt Baumgartner, a Kaspersky Lab researcher. The earlier WannaCry version and the Lazarus software appear to have been built by someone with access to the same source code, which is used by software developers to write their programs, but not generally accessible to others.

"We certainly need a lot more data at this point, but it's a very interesting find," Mr. Baumgartner said.

The WannaCry code that's been linked to Lazarus was uploaded into a code analysis database called VirusTotal in February. It was likely a test version of the code, developed months before the ransomware software began infecting hundreds of thousands of machines world-wide, Mr. Baumgartner said.

It was found on a small number of systems, some of which were also infected with other tools used by the Lazarus group, said Vikram Thakur, a technical director at Symantec.

--Jonathan Cheng contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

Cybersecurity researchers identified a digital clue connecting the global ransomware assault to previous cyberattacks by a group linked to North Korea.

The link involves a version of the software used in the latest attack, known as WannaCry, that was detected earlier this year and uploaded to an archive for security researchers.

Neel Mehta, a security researcher at Alphabet Inc.'s Google unit, on Monday pointed out similarities between that earlier WannaCry variant and code used in a series of attacks that security specialists have attributed to the Lazarus group. Security experts say that hacking group carried out a series of multimillion-dollar online banking thefts as well as the 2014 cyberattacks on Sony Entertainment -- attacks they believe North Korea orchestrated.

Representatives from three major cybersecurity firms -- Symantec Corp., Kaspersky Lab ZAO and Comae Technologies -- later on Monday said they found the same the link.

A Google spokesman had no comment on the findings. Mr. Mehta didn't immediately respond to a request for further comment. The North Korean mission to the United Nations couldn't be reached for comment.

The findings don't necessarily demonstrate that Lazarus or North Korea was involved in the WannaCry attack, researchers said. The culprits in the latest attack, who haven't been identified, could have copied the code in question, for example.

"Similarities of code are only one component of what goes into attribution," said Robert M. Lee, chief executive of cybersecurity company Dragos Inc.

"We have looked into the Lazarus theory. At this time, the similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator. However, we are continuing to investigate all possible attribution scenarios," said John Miller, manager of analysis at FireEye Inc.

The Lazarus-linked code was eventually removed from the WannaCry ransomware and isn't part of the software that infected more than 200,000 computers world-wide over the past few days, security experts said.

The connection found in the old version lies in software that both programs use to securely connect to other systems over the internet, said Kurt Baumgartner, a Kaspersky Lab researcher. The earlier WannaCry version and the Lazarus software appear to have been built by someone with access to the same source code, which is used by software developers to write their programs, but not generally accessible to others.

"We certainly need a lot more data at this point, but it's a very interesting find," Mr. Baumgartner said.

The WannaCry code that's been linked to Lazarus was uploaded into a code analysis database called VirusTotal in February. It was likely a test version of the code, developed months before the ransomware software began infecting hundreds of thousands of machines world-wide, Mr. Baumgartner said.

It was found on a small number of systems, some of which were also infected with other tools used by the Lazarus group, said Vikram Thakur, a technical director at Symantec.

--Jonathan Cheng contributed to this article.

Write to Robert McMillan at Robert.Mcmillan@wsj.com

(END) Dow Jones Newswires

May 15, 2017 22:12 ET (02:12 GMT)