Symantec increasingly confident ransomware attack linked to North Korea

Researchers at Symantec are increasingly confident that a recent massive ransomware outbreak is linked to a known North Korean state hacking group.

“Analysis of these early WannaCry attacks by Symantec’s Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry,” Symantec wrote in a blog posted Monday evening.

WannaCry, also known as Wcry, WannaCrypt0r and other names, infected hundreds of thousands of computers across the world starting a week ago Friday. The version that ran rampant used an automated system to infect new networks that utilized what appear to be stolen National Security Agency hacking tools. 

{mosads}But earlier versions of the ransomware — ones deployed before the leak of the stolen hacking tools — appear to have been deployed to networks by hand. Symantec was able to determine that hacking tools used by the Lazarus Group, the same group that hacked Sony pictures, were likely used to install early versions of WannaCry. 

The antivirus firm had already announced finding a suite of hacking tools used by the Lazarus Group on computers infected by the first known version of WannaCry in February. The blog post fills out some of the details. The attack used two variants of the malware known as Destover, which was used in the Sony Attacks, and one of Volgmer, used in attacks against South Korean targets. 

A second version of the ransomware, released in March and April, used two other types of malware to do the installation — Alphanc and Bravonc. Symantec found these tools in five separate WannaCry attacks and was able to determine that WannaCry began installation within minutes of Alphanc being installed.

Alphanc and Bravonc both use command-and-control infrastructure that the Lazarus Group has used in the past, including servers at internet addresses distinct to the group. 

“The core similarity leaves very little doubt. The only thing that we don’t know is whether this was a sanctioned campaign or Lazarus Group members trying to make money on the side,” Vikram Thakur, technical director at Symantec, told The Hill.

Another link between Lazarus and WannaCry had been discovered earlier. A researcher at Google and researchers at Kaspersky Lab found that identical computer code had been used to design Lazarus tools and WannaCry. There are, however, other reasons the same code might appear in more than one program, including hackers taking a shortcut in designing their own wares. 

Symantec found other coding overlaps, including a unique, quirky implementation of the SSL encryption suite and a similar style method of making the computer code hard to analyze, a process known as obfuscation.

The overlapping code, said Thakur, has not been seen outside of Lazarus Group attacks, meaning it was likely not available in a coding repository used by malware coders to cut and paste reusable code.

Alphanc overlapped so significantly with the Duuzer tool used by Lazarus that the Symantec blog said it might be the latest “evolution” of the tool.

“Unfortunately, with the attacks coming to an end, we won’t be able to get more data from them to be even more sure about who was behind it and why,” said Thakur.

— This story was updated on May 23.