Top security researchers believe there’s a connection between North Korean-affiliated cybercriminals and the global WannaCry ransomware hack.
Google security researcher Neel Mehta pointed out in a Monday afternoon tweet that code used in WannaCry bore similarities to code used by the Lazarus Group, a cadre of cybercriminals believed to be responsible for the 2014 Sony hack and a recent $81 million heist of the Bangladeshi central bank.
Hours after Mehta’s tweet, leading cybersecurity firms Kaspersky Lab and Symantec both confirmed the similarities.
The WannaCry ransomware, which surfaced on Friday, encrypts the data on infected machines and holds it hostage for a ransom of about $300 in bitcoin. One researcher found a “kill switch” for WannaCry over the weekend that has helped contain the damage, but the ransomware creators have already released a new variant that lacks the kill switch.
In early April, Kaspersky Lab said that it had found a “direct connection” between an IP address in North Korea and Lazarus, and that it was the most promising clue yet in the investigation of WannaCry. The company wrote in a Monday blog post that its researchers “strongly believe” in a link between Lazarus and the WannaCry hack, and that it is “important that other researchers around the world investigate these similarities.”
Symantec, another security company, said in an emailed statement that it has also found unconfirmed links between WannaCry and Lazarus.
“While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections,” the company said.
The WannaCry hack has infected more than 300,000 devices in over 150 countries since last Friday, White House Homeland Security Adviser Tom Bossert told reporters on Monday. However, the hackers have actually collected less than $70,000 in ransom payments, according to Bossert, which some experts take as a sign that WannaCry was designed to inflict pain rather than to enrich its creators.
“With the NSA bashing over WCry & how easy it is to disable the ransomware, one might conjecture it was created for political not $ reasons,” tweeted Don A. Bailey, founder of the information security firm Lab Mouse Security.