There are serious indications that North Korean hackers might be behind the attack. Google security researcher Neel Mehta says WannaCry appears to contain code similar to work done by the Lazarus Group, a hacking crew linked to North Korea. The same group was blamed for the 2016 hack of a Bangladeshi bank and the 2014 Sony hack. Just recently I published an article to let people know how secure their country is against cyber attacks.
WannaCry is the world's biggest ransomware attack to date. It went viral over the weekend, hitting targets in 150 countries and infecting over 230,000 computers at its peak. The spread slowed on Monday, but not before new variants of the malware emerged.
Responsible for the massive outbreak was a worm component that abuses the NSA-linked EternalBlue exploit against a vulnerability in Windows' Server Message Block version 1 (SMBv1). Microsoft addressed the flaw in its March 2017 security updates (security bulletin MS17-010) and, over the weekend, also issued an emergency patch for unsupported platforms such as Windows XP and Windows Server 2003.
Last Monday, Google researcher Neel Mehta posted a cryptic tweet containing nothing but two MD5 hashes, each followed by two code addresses, and the hashtag #WannaCryptAttribution. Each line referred to a portion of code in one of a pair of malware samples.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4
#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
Researchers immediately followed Mehta's pointer to an important finding: an early version of WannaCry, one that first surfaced in February, shared a function with a backdoor program known as Contopee. Contopee has been used by a group known as Lazarus, a hacking crew increasingly believed to operate under the North Korean government's control.
“There’s no doubt this function is shared across these two programs,” says Matt Suiche, a Dubai-based security researcher and the founder of the security firm Comae Technologies. “WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also.”
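The tweet gives a hash to identify each sample and a virtual address to identify the function inside it, which is how a researcher would follow the clue: open each file, map the address through the PE section table to a file offset, pull the bytes, and compare them. The script below is an added example, not code from the original article or from any of the researchers it cites. It parses a PE header by hand, resolves a virtual address to a file offset, and then compares the code at two addresses twice: once byte for byte, and once after zeroing every 32-bit value that points inside the image, since absolute addresses (string pointers, globals, import thunks) legitimately differ when the same function is linked into two different binaries while the surrounding opcodes do not. The two "samples" it runs on are constructed fixtures built by `build_pe` (a minimal PE32 skeleton that is enough for the parser but not loadable), and the function bytes, image bases and addresses in them are invented for the demonstration; they are not the bytes from the WannaCry or Contopee samples.

```python
import hashlib
import struct
from difflib import SequenceMatcher


def parse_pe(data: bytes):
    """Return (image_base, size_of_image, sections) from a PE32/PE32+ header.
    Each section is (name, virtual_address, virtual_size, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    size_opt = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                     # PE32
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                                   # PE32+
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    size_of_image = struct.unpack_from("<I", data, opt + 56)[0]
    sections = []
    for i in range(num_sections):
        off = opt + size_opt + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, vaddr, rsize, rptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, vaddr, vsize, rptr, rsize))
    return image_base, size_of_image, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """Map a virtual address (as a debugger or disassembler prints it) to a file
    offset via the section table; refuse addresses not backed by file data."""
    image_base, _, sections = parse_pe(data)
    rva = va - image_base
    for name, vaddr, vsize, rptr, rsize in sections:
        if vaddr <= rva < vaddr + max(vsize, rsize):
            delta = rva - vaddr
            if delta >= rsize:
                raise ValueError(f"{va:#x} lies in the uninitialised tail of {name}")
            return rptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def mask_absolute_refs(data: bytes, chunk: bytes) -> bytes:
    """Zero every 32-bit little-endian value that points inside the image, so
    that relinked absolute references do not break an otherwise exact match."""
    image_base, size_of_image, _ = parse_pe(data)
    out = bytearray(chunk)
    i = 0
    while i <= len(out) - 4:
        v = struct.unpack_from("<I", out, i)[0]
        if image_base <= v < image_base + size_of_image:
            out[i:i + 4] = b"\0\0\0\0"
            i += 4
        else:
            i += 1
    return bytes(out)


def compare_code(sample_a: bytes, va_a: int, sample_b: bytes, va_b: int, length: int = 64) -> dict:
    """Pull `length` bytes at each VA and report raw and address-masked similarity."""
    off_a, off_b = va_to_file_offset(sample_a, va_a), va_to_file_offset(sample_b, va_b)
    raw_a, raw_b = sample_a[off_a:off_a + length], sample_b[off_b:off_b + length]
    masked_a, masked_b = mask_absolute_refs(sample_a, raw_a), mask_absolute_refs(sample_b, raw_b)
    return {
        "raw_ratio": SequenceMatcher(None, raw_a, raw_b).ratio(),
        "masked_ratio": SequenceMatcher(None, masked_a, masked_b).ratio(),
        "masked_md5_a": hashlib.md5(masked_a).hexdigest(),
        "masked_md5_b": hashlib.md5(masked_b).hexdigest(),
    }


def build_pe(image_base: int, text: bytes, text_rva: int = 0x1000) -> bytes:
    """CONSTRUCTED fixture: a minimal PE32 with one .text section holding `text`.
    Enough header for parse_pe(); not a loadable executable."""
    raw_ptr = 0x200
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # i386, 1 section
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<I", opt, 56, text_rva + 0x1000)             # SizeOfImage
    sec = struct.pack("<8sIIIIIIHHI", b".text", len(text), text_rva, len(text),
                      raw_ptr, 0, 0, 0, 0, 0x60000020)
    header = dos + b"PE\0\0" + coff + bytes(opt) + sec
    return header.ljust(raw_ptr, b"\0") + text


# Constructed stand-ins for "the same function linked at two different bases":
#   push ebp; mov ebp, esp; push <absolute address>; call rel32; pop ebp; ret
FUNC_EXE = bytes.fromhex("558bec68" "10104000" "e8f3000000" "5dc3")   # pushes 0x00401010
FUNC_DLL = bytes.fromhex("558bec68" "10100010" "e8f3000000" "5dc3")   # pushes 0x10001010
SAMPLE_EXE = build_pe(0x00400000, FUNC_EXE)   # typical EXE image base
SAMPLE_DLL = build_pe(0x10000000, FUNC_DLL)   # default DLL image base

if __name__ == "__main__":
    print(compare_code(SAMPLE_EXE, 0x401000, SAMPLE_DLL, 0x10001000))
```

On real samples, pass the file contents and the addresses from the tweet; the raw ratio tells you how close the bytes are, and an identical masked MD5 is the "same function, different build" signal that a tool such as a YARA rule or BinDiff would also surface. The masking is deliberately crude (it also zeroes any unrelated 4-byte value that happens to fall in the image range), which is why both numbers are reported rather than a single verdict.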
Do you know the Lazarus Hacking Group?
Lazarus Group is a cybercrime group made up of an unknown number of individuals. While not much is known about the group, researchers have attributed many cyber attacks to it over the last decade. The earliest known attack the group is responsible for is "Operation Troy", which ran from 2009 to 2012. This was a cyber-espionage campaign that used unsophisticated DDoS techniques to target the South Korean government in Seoul. The group is also responsible for attacks in 2011 and 2013.
It is possible that they were also behind a 2007 attack targeting South Korea, but that still isn't certain. A notable attack the group is known for is the 2014 attack on Sony Pictures. The Sony attack used more sophisticated techniques and highlighted how advanced the group had become over time. The most recent attack attributed to the group is the 2016 bank heist, which included an attack on the Bangladesh Bank that successfully stole US$81 million.
Who Sponsors them?
It is not clear who is really behind the group, but media reports have suggested it has links to North Korea. Kaspersky Lab reported in 2017 that Lazarus tended to concentrate on spying and infiltration, whereas a sub-group within the organisation, which Kaspersky called Bluenoroff, specialised in financial attacks. Kaspersky found multiple attacks worldwide and a direct link, an IP address, between Bluenoroff and North Korea.
However, Kaspersky also acknowledged that the reused code could be a "false flag" meant to mislead investigators and pin the attack on North Korea; shared code shows that one author had access to another's work, not necessarily that they are the same author. After all, the WannaCry authors borrowed from the NSA as well: the ransomware spreads with the NSA exploit known as EternalBlue, which a hacker group calling itself the Shadow Brokers made public last month.
What's on their CV?
Under the name "Operation Blockbuster", a coalition of security companies led by Novetta analyzed malware samples found in different security incidents. Using that data, the team was able to analyze the methods used by the hackers, and linked the Lazarus Group to a number of attacks through a pattern of code reuse.
The earliest possible attack that can be attributed to the Lazarus Group took place in 2007. This attack was named "Operation Flame" and used first-generation malware against the South Korean government. According to some researchers, the activity seen in this attack can be linked to later attacks such as "Operation 1Mission", "Operation Troy", and the DarkSeoul attacks in 2013.
The next incident took place on July 4, 2009 and marked the beginning of "Operation Troy". This attack used the Mydoom and Dozer malware to launch a large-scale but quite unsophisticated DDoS attack against US and South Korean websites. The volley of attacks struck about three dozen websites and wrote the text "Memory of Independence Day" into the Master Boot Record.
Over time the group's attacks became more sophisticated, with better-developed and more effective tools and techniques. In March 2011, "Ten Days of Rain" began. This campaign targeted South Korean media, financial, and critical infrastructure organisations, and consisted of more sophisticated DDoS attacks launched from compromised computers inside South Korea.
The attacks continued with DarkSeoul on March 20, 2013. This was a wiper attack that targeted three South Korean broadcasters, financial institutions, and an ISP. At the time, two other groups, NewRomanic Cyber Army Team and WhoIs Team, took credit for the attack, but researchers have since attributed it to the Lazarus Group.
If North Korea has a hand in this global pandemic, then I believe they want to prove a point, but don't forget that soon enough they should prepare for a series of attacks from other serious sources I prefer to keep silent about. Now the game has just begun; let's see how the battle unfolds.