Global ransomware attack is similar to North Korean-orchestrated hacks, expert says


WannaCry, the computer worm that's been infecting PCs running Microsoft Windows in 150 countries, resembles earlier cyberattacks linked to North Korea, a South Korean cybersecurity expert told Reuters on Tuesday.

Simon Choi, a senior researcher at South Korea's Huari Labs who advises South Korean police and intelligence officials, said WannaCry's code "is similar to North Korea's backdoor malicious codes."

WannaCry borrows code from attacks orchestrated by the Lazarus Group, a shadowy hacker collective believed to be responsible for the Sony Pictures Entertainment hack in 2014, the Bangladesh central bank hack in 2016 and the Polish bank hacks in February. All of those hacks have been linked to North Korea, the New York Times reported.

The similarities between WannaCry and previous Lazarus Group attacks were first uncovered by Google security researcher Neel Mehta, according to NPR.

Researchers at U.S.-based security firm Symantec also found possible links between Lazarus and WannaCry. "Symantec identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry," Symantec wrote in a blog post. "The Lazarus tools could potentially have been used as method of propagating WannaCry, but this is unconfirmed."

But other researchers cautioned against blaming the attack on North Korea without more evidence, Reuters reported. "The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," cybersecurity researcher John Miller said.

WannaCry uses two exploits, both believed to have been created by the National Security Agency, to encrypt data on infected machines and "ransom" it back to the machines' owners. "Whoever it is, it looks very much like they are taking advantage of the NSA's tools," Becky Pinkard, a vice president at cybersecurity firm Digital Shadows, told the Financial Times.

So far, the attack has affected machines belonging to the United Kingdom's National Health Service, Spain's Telefónica, FedEx and others.