WannaCry Attackers Have Links To North Korea's Lazarus Group
Cybersecurity researchers at Symantec say they’ve found linkes between the WannaCry Ransomware attackers was likely carried out by a hacking group with ties to North Korea.
In a blog post, Symantec said the “Tools and infrastructure used in the WannaCry ransomware attacks have strong links to Lazarus, the group that was responsible for the destructive attacks on Sony Pictures and the theft of $81 million from the Bangladesh Central Bank.”
- Following the first WannaCry attack in February, three pieces of malware linked to Lazarus were discovered on the victim’s network: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks.
- Trojan.Alphanc, which was used to spread WannaCry in the March and April attacks, is a modified version of Backdoor.Duuzer, which has previously been linked to Lazarus.
- Trojan.Bravonc used the same IP addresses for command and control as Backdoor.Duuzer and Backdoor.Destover, both of which have been linked to Lazarus.
- Backdoor.Bravonc has similar code obfuscation as WannaCry and Infostealer.Fakepude (which has been linked to Lazarus).
- There is shared code between WannaCry and Backdoor.Contopee, which has previously been linked to Lazarus.
Symantec discovered that the WannaCry attackers used some of the same hacking tools that were previousky used in other Lazarus Group attacks. There are also, the group reported, “a number of links between WannaCry itself and Lazarus.”
The WannaCry ransomware, for example, shares some code with a piece of malware that has previously been linked to Lazarus.
Symantec also found that the WannaCry attackers used some of the same network infrastructure as the Lazarus Group. “There are a number of crossovers seen in the C&C servers used in the WannaCry campaigns and by other known Lazarus tools.”
Beginning a week ago Friday, the WannaCry virus infected thousands of computers around the world, threatening to destroy users’ data unless a ransom was paid in bitcoin. Ultimately, the group received less than $100,000, and most of the data were destroyed.