A top cybersecurity firm says it’s “highly likely” that the biggest cyberattack the world has ever seen is linked to a hacking group affiliated with North Korea.
The global ransomware attack known as WannaCry targeted hundreds of thousands of computers in around 150 countries, hitting hospitals, businesses and other organizations.
In a blog post late Monday, security researchers at Symantec said the “tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus,” a hacking group that has previously been tied to North Korea.
“We have high probability that these two are absolutely connected,” said Vikram Thakur, Symantec’s security response technical director.
Lazarus has been linked to the hack on Sony Pictures, for which the U.S. government blamed North Korea, and a wave of attacks on banks around the world, including a major theft from Bangladesh’s central bank.
Security researchers started to suggest possible links between WannaCry and Lazarus just days after the attack. Now, those connections are becoming clearer.
Cybersecurity company FireEye was cautious at first, but one of its analysts, Ben Read, said Tuesday that it, too, had found that WannaCry shares unique code with “malware that we have previously attributed to suspected North Korean actors.”
But here’s the puzzling thing — Symantec says that despite the links to Lazarus, “the WannaCry attacks do not bear the hallmarks of a nation-state campaign.”
Cyberattacks backed by governments “are usually impeccable, they don’t make rookie mistakes,” said Thakur. “In the case of WannaCry, we saw some of those mistakes.”
For example, early versions of WannaCry had a bug in the code that prevented victims from paying the ransom.
While it’s possible Lazarus thought they could make a lot of money with WannaCry, “they totally botched it up and got almost nothing,” Thakur said.
The ransomware has so far collected about $108,000 in ransom. Security researchers and government agencies advised businesses not to pay the ransom.
It’s more likely that WannaCry was the work of a Lazarus member who tried to make money on the side or a former member of the group, Thakur said.
The Symantec researchers dismissed the theory that WannaCry was deployed simply to cause global chaos and prove that Lazarus — and by extension North Korea — is capable of deploying a crippling attack.
“Why ask for money if you just want to prove a point? They’ve done it in the past, they destroyed computers in South Korea … just wiped the data off them,” said Thakur. “There’s no point in making half a point.”