Symantec says 'highly likely' North Korean hacking group behind ransomware attacks

Todd Singleton
May 25, 2017

In its blog post, Symantec noted: "The incorporation of EternalBlue transformed WannaCry from an unsafe threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years".

Security companies have given the name Lazarus to the group behind the Sony hack and other attacks.

As experts point to North Korea as the creator of WannaCry ransomware that shut down NHS hospitals earlier this month, one sceptical note still sounds.

The discovery of a small number of earlier WannaCry attacks has provided compelling evidence of a link to the Lazarus group. The Google researcher Neel Mehta also found similarities between WannaCry and Lazarus code. After the first WannaCry attack, in February, Symantec discovered three pieces of malware in the victim's network: Trojan.Volgmer along with two variants of Backdoor.Destover, the disk-wiping software used in the Sony Pictures hack.

As time goes on we may find more evidence that tells us who started the WannaCry attack, or perhaps we will get lucky and somebody will come forward and claim ownership. The executable computer code for EternalBlue was posted online by a mysterious group known as the Shadow Brokers in mid-April.

For example, during the attacks against Sony, a malware family called Backdoor.Destover was deployed. When a machine is infected with WannaCry, a prompt will appear on the locked computer screen asking for a payment to unlock the device.

"If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware".


"They made obvious operational mistakes". "In the case of WannaCry, we saw some of those mistakes".

With WannaCry, Thakur said, Lazarus Group members could have been moonlighting to make extra money, or they could have left government service, or they could have been contractors without direct obligations to serve only the government.

The security researchers, however, also said despite having strong links to North Korean hackers, the WannaCry ransomware attack is not likely to be a government-backed campaign, because of the flaws in the malware's code and demands for ransom in Bitcoin.

While pointing out that the "attribution to North Korea is premature and likely false", the researcher at the Institute for Critical Infrastructure Technology (ICIT) believes that this could very well be the work of script kiddies - hackers who borrow malicious scripts from other attacks to execute one on their own.

Attribution in cyberspace is a notoriously hard thing to nail down. The most recent cyberattacks were super-powered by leaked NSA cyberweapons.

Symantec's findings have been shared with government officials, said Bill Wright, Symantec's government affairs and senior policy counsel.

In November 2014, for just one example, Sony Pictures Entertainment became the target of the biggest cyberattack in U.S. corporate history just before its release of the critically panned racial-caricature comedy "The Interview", which takes North Korea as its setting. The earlier WannaCry version was nearly identical to the version used in May 2017, the only difference being the method of propagation.
