North Korea behind ‘WannaCry’ global cyber attack : Security firms


Railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services also were reportedly affected.Advertisement

Previously discovered code fingerprints already tied Lazarus Group to the highly destructive hack that caused hard drives in South Korea to self-destruct in 2013, wiped nearly a terabyte’s worth of data from Sony Pictures in 2014, and siphoned nearly $1 billion from the Bangladesh Central Bank past year by compromising the SWIFT network used to transfer funds. The official declined to comment on intelligence-related matters.
Symantec, another security company, said in an emailed statement that it has also found unconfirmed links between WannaCry and Lazarus. It discovered early versions of WannaCry on systems that had been compromised by the Lazarus group’s tools.
Ryan Kalember, senior vice-president at Proofpoint Inc., which helped stop its spread, said the version without a kill switch could spread. “From an attribution point of view a ransomware would subscribe to the narrative of Lazarus Group, which is stealing money like we saw with multiple financial institutions with fraudulent SWIFT transactions – having a nation-state powered ransomware leveraging crypto currency would be a first”.
According to Russian cybersecurity firm Kaspersky, Mehta’s post referred to a similarity between “a WannaCry cryptor sample from February 2017” and “a Lazarus APT (Advanced Persistent Threat) group sample from February 2015”.
“Further research can be crucial to connecting the dots”, its experts wrote.
Previously, Kaspersky Lab explained that the attack occurred through the “known network vulnerability of Microsoft Security Bulletin MS17-010”.
A North Korean hacking group is suspected to be behind the massive “ransomware” cyberattack that hit countless countries and computers across the globe over the past few days.
The cybersecurity firm, however, also said that code similarities are not enough to come to conclusions about WannaCry’s origin as it could possibly be a false flag operation.
But while there were thousands of additional infections there, the expected second-wave outbreak largely failed to materialize, in part because security researchers had already defanged it.
The attackers take over the IT systems and encrypt the files, meaning users can not access them. Even worse is the idea that if the original software was on NSA computers, did North Korea gain access to NSA data?
It is believed to be the first time ransomware has been used on such a large scale in the UK. But Microsoft’s security patch released in March should protect USA networks for those who install it.
Rousseau says the malware code indicates there are at least two different parties responsible for it because there are two pieces of the attack that are coded differently. PSA Group, Fiat Chrysler, Volkswagen, Daimler, Toyota and Honda said their plants were unaffected.
Multiple government agencies are committed to tracking down the perpetrators. And it is very hard to do.
As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $55,169, from 209 payments, according to calculations made by Reuters using publicly available data.
Prof Alan Woodward, a security expert, pointed out to me that the text demanding the ransom uses what reads like machine-translated English, with a Chinese segment apparently written by a native speaker.
In contrast, Russia-based firm Kaspersky Lab took a more cautious tone. Security researchers and government agencies have advised businesses not to pay the ransom.
“The thing most interesting was a conversation that mentioned the specific Windows exploit”, Paulo Shakarian, cofounder and CEO of CYR3CON, told CNNTech. If so, that would suggest different hackers had targeted the same system, making the evidence more circumstantial.
North Korea has a history of computer criminality.

The HSE’s chief information officer Richard Corbridge said the 20 machines in the three hospitals were quickly isolated from networks today before the virus infecting them spread, and that the machines were replaced and the systems put back online.