Symantec says 'highly likely' North Korean hacking group behind ransomware attacks

Todd Singleton
May 25, 2017

In its blog post, Symantec noted: "The incorporation of EternalBlue transformed WannaCry from an unsafe threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years".

Security companies have given the name Lazarus to the group behind the Sony hack and other attacks.

As experts point to North Korea as the creator of WannaCry ransomware that shut down NHS hospitals earlier this month, one sceptical note still sounds.

The discovery of a small number of earlier WannaCry attacks has provided compelling evidence of a link to the Lazarus group. The Google researcher Neel Mehta also found similarities between WannaCry and Lazarus code. After the first WannaCry attack, in February, Symantec discovered three pieces of malware in the victim's network: Trojan.Volgmer along with two variants of Backdoor.Destover, the disk-wiping software used in the Sony Pictures hack.

As time goes on we may find more evidence that tells us who started the WannaCry attack, or perhaps we will get lucky and somebody will come forward and claim ownership. The executable computer code for EternalBlue was posted online by a mysterious group known as the Shadow Brokers in mid-April.

For example, during the attacks against Sony, a malware family called Backdoor.Destover was deployed. When a machine is infected with WannaCry, a prompt will appear on the locked computer screen asking for a payment to unlock the device.

"If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware".

"They made obvious operational mistakes". "In the case of WannaCry, we saw some of those mistakes".

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

The security researchers, however, also said despite having strong links to North Korean hackers, the WannaCry ransomware attack is not likely to be a government-backed campaign, because of the flaws in the malware's code and demands for ransom in Bitcoin.

While pointing out that the "attribution to North Korea is premature and likely false", the researcher at the Institute for Critical Infrastructure Technology (ICIT) believes that this could very well be the work of script kiddies - hackers who borrow malicious scripts from other attacks to execute one on their own.

Attribution in cyberspace is a notoriously hard thing to nail down. The most recent cyberattacks were super-powered by leaked NSA cyberweapons.

Symantec's findings have been shared with government officials, said Bill Wright, Symantec's government affairs and senior policy counsel.

In November 2014, for just one example, Sony Pictures Entertainment became the target of the biggest cyberattack in U.S. corporate history just before its release of the critically panned racial-caricature comedy "The Interview", which takes North Korea as its setting. This earlier version was nearly identical to the version used in May 2017, with the only difference being the method of propagation.