Is WannaCry the First Nation-State Ransomware?
Initial Code Analysis Points to North Korea-Linked Hacking Group
As computer security analysts begin to unwind the mystery behind the global wave of WannaCry ransomware, a familiar name has surfaced: Lazarus, the nickname for a suspected elite North Korean hacking group.
On Monday, Google security researcher Neel Mehta wrote a wordless tweet. It contained hashes for two malware samples along with line markers where parts of their codes were identical.
The code comparison suggests that whoever created WannaCry - the ransomware that infected about 200,000 endpoints in 150 countries over the weekend - used some of the same code as the Lazarus Group. Symantec, which is tracking Lazarus, concurred. Investigators are probing for a stronger connection, but it's a tantalizing clue in an already remarkable incident (see WannaCry Ransomware Outbreak Spreads Worldwide).
"If validated, this means the latest iteration of WannaCry would in fact be the first nation-state powered ransomware," writes Matt Suiche, founder of Comae Technologies.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4
#WannaCryptAttribution
- Neel Mehta (@neelmehta), May 15, 2017
Mehta keeps a low profile, but is well known in computer security circles. In 2014, he discovered Heartbleed, an astounding vulnerability in the widely used OpenSSL cryptographic library. He offered no other commentary in his tweet other than inserting the hashtag #WannaCryptAttribution.
But his tweet spurred other researchers, including Costin Raiu at Kaspersky Lab, to begin filling in the blanks. Caution abounds: Overlapping code similarities aren't a great way to definitively attribute an attack. But Mehta's finding suddenly thrusts the ransomware pandemic into the sphere of North Korea's cyber activity.
"One thing is for sure - Neel Mehta's discovery is the most significant clue to date regarding the origins of WannaCry," Kaspersky Lab's Global Research & Analysis Team wrote in a blog post.
WannaCry infects computers using a Microsoft Windows exploit suspected to have originated inside the National Security Agency. The exploit became public through a leak last month by a rogue group calling itself the Shadow Brokers (see Hackers Reveal Apparent NSA Targeting of SWIFT Bureaus).
The attack was amplified after a self-replicating capability was added to the malware, making it a worm. It means that if just one computer was infected, WannaCry could quickly spread to other machines on a network.
On Friday, WannaCry ripped through hospitals, telecommunications and transportation companies, encrypting files on vulnerable computers without the latest patches. It demands between $300 and $600 in ransom, payable in the virtual currency bitcoin.
Mehta undertook an interesting comparison: an early version of WannaCry from February, and a backdoor used by Lazarus from February 2015. The code similarities can be seen when viewing the samples side by side in a Windows hex editor, a tool for viewing and editing the raw bytes of files such as executables.
So what does this mean? Hackers often reuse code, and malware tools used by Lazarus have been widely analyzed. Pulling code from Lazarus and inserting it into new malware would point the blame toward North Korea, a type of diversion called a false flag.
The overlapping code was removed in later versions of WannaCry, however, indicating that maybe the mistake was noticed. But Kaspersky Lab doubts it's an attempt at deception.
"We believe [that in] theory a false flag - although possible - is improbable," the company writes.
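The kind of comparison described above, as an added example that is not from the article or from the researchers it quotes: it finds byte runs shared by two buffers and prints them in the `hash @ address` notation of the tweet. The three buffers, the image bases and all function names are constructed for illustration and are not the real samples.

```python
import hashlib
from difflib import SequenceMatcher

def filler(seed: str, n: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for unrelated code/data."""
    blocks = (hashlib.sha256(f"{seed}:{i}".encode()).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def shared_runs(a: bytes, b: bytes, base_a: int, base_b: int, min_len: int = 32):
    """Identical byte runs of at least min_len, as (addr_in_a, addr_in_b, length).

    Buffer offsets are treated as offsets from the image base; a real PE file
    needs its section table to map file offsets to virtual addresses.
    SequenceMatcher only reports runs that occur in the same order in both.
    """
    sm = SequenceMatcher(None, a, b, autojunk=False)
    return [(base_a + m.a, base_b + m.b, m.size)
            for m in sm.get_matching_blocks() if m.size >= min_len]

def report(a: bytes, b: bytes, base_a: int, base_b: int) -> str:
    """Render the overlap in the 'md5 @ address, address' style of the tweet."""
    runs = shared_runs(a, b, base_a, base_b)
    if not runs:
        return "no shared runs"
    def line(buf: bytes, addrs) -> str:
        return f"{hashlib.md5(buf).hexdigest()} @ " + ", ".join(hex(x) for x in addrs)
    return line(a, [r[0] for r in runs]) + "\n" + line(b, [r[1] for r in runs])

# Constructed stand-ins, NOT the real samples: two regions reused by both
# buffers, surrounded by unrelated bytes. Guard bytes differ per buffer so the
# shared runs have exact boundaries.
FUNC, TABLE = filler("shared-function", 96), filler("shared-table", 64)
BASE_EXE, BASE_DLL = 0x400000, 0x10000000  # assumed image bases
early = (filler("e1", 0x5F) + b"\x01" + FUNC + b"\x01"
         + filler("e2", 0x7E) + b"\x01" + TABLE + b"\x01")
backdoor = (filler("b1", 0x1F) + b"\x02" + FUNC + b"\x02"
            + filler("b2", 0xFE) + b"\x02" + TABLE + b"\x02")
# A "later version" in which the reused regions have been replaced.
later = filler("l1", 0x60) + filler("l2", 96) + filler("l3", 0x80) + filler("l4", 64)

if __name__ == "__main__":
    print(report(early, backdoor, BASE_EXE, BASE_DLL))
    print(report(later, backdoor, BASE_EXE, BASE_DLL))
```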
Short on Cash, High on Cyber
North Korea has long been short of cash, due to international sanctions, but it has developed sophisticated hacking capabilities that have been harnessed for mayhem and profit. Ransomware is an attractive, thriving business that has extracted tens of millions of dollars in payments over the past few years.
"The attribution to Lazarus Group would make sense regarding their narrative, which in the past was dominated by infiltrating financial institutions in the goal of stealing money," Suiche writes.
The clues linking North Korea to Lazarus are rare IP addresses in server logs. Just a month after the devastating attacks against Sony Pictures Entertainment in November 2014, the U.S. government blamed North Korea. The FBI has said an IP address assigned to North Korea was seen in connection with the attack, according to Wired.
Lazarus Group has also been linked to the jaw-dropping financial heists last year involving SWIFT, the financial messaging system used for international wire transfers. In February 2016, Bangladesh's central bank lost $81 million from its account at the New York Federal Reserve. Only quick intervention, in part based on a spelling mistake by the attackers, prevented Lazarus from walking away with $951 million.
Last year, other banks across Southeast Asia saw attacks directed at infiltrating SWIFT. Again, Lazarus was implicated.
Then in April, Kaspersky Lab linked North Korea to a new round of SWIFT-related attacks that occurred across Europe earlier this year. While analyzing the logs of a bank that was attacked, Kaspersky found a North Korean IP address. The country has a minimal IP space of just 1,024 addresses run by one provider, Star Joint Venture (see Kaspersky Links North Korean IP Address to Lazarus).
So far, though, the ransomware gambit hasn't paid off nearly as well as SWIFT attacks. Researchers have been closely monitoring the three bitcoin accounts listed in the ransomware notices that victims see on their computers.
One tally puts the four-day haul at just over $65,000, an almost trivial reward given that the world's foremost computer security researchers - and law enforcement - will be working hard to find suspects.