In the wake of the massive WannaCry ransomware cyberattack, which has now spread to 150 countries, everyone has one common question in mind – who was behind the huge global mayhem?
According to some cybersecurity experts, North Korea could be the source of the notorious WannaCry ransomware, as they have spotted code similarities between the malware and other malicious software tools attributed to hackers from the reclusive nation.
The WannaCry ransomware attack has been linked to the infamous Lazarus Group, which was behind the devastating hacks on Sony Pictures in 2014 and a Bangladeshi bank in 2016. The hacker group is believed to have worked out of China, but on behalf of Pyongyang.
The speculation over a North Korean connection arose on Monday after a Google security researcher named Neel Mehta discovered similarities between code found within WannaCry and other malware tools believed to have been developed by the Lazarus Group.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
Although it was a cryptic message containing what looked like a set of random figures and letters, the tweet immediately drew the attention of cybersecurity experts.
According to Russian cybersecurity firm Kaspersky, Mehta's post referred to a similarity between "a WannaCry cryptor sample from February 2017" and "a Lazarus APT (Advanced Persistent Threat) group sample from February 2015."
Shared code between an early, Feb 2017 Wannacry cryptor and a Lazarus group backdoor from 2015 found by @neelmehta from Google. pic.twitter.com/hmRhCSusbR
— Costin Raiu (@craiu) May 15, 2017
The cybersecurity firm, however, also said that code similarities are not enough to come to conclusions about WannaCry's origin as it could possibly be a false flag operation.
"For now, more research is required into older versions of Wannacry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta's discovery is the most significant clue to date regarding the origins of Wannacry," Kaspersky said in a blog post.
The cybersecurity firm also said there was little doubt that the February 2017 code referred to by Mehta in his post "was compiled by the same people, or by people with access to the same source code" as the latest spree of ransomware attacks.
Therefore, "it's important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of Wannacry," according to Kaspersky.
Another researcher, Matthieu Suiche from Comae Technologies, also took to Twitter to confirm the same similarity. However, he also said that it is too early to blame North Korea for the cyberattack based on these findings.
Similitude between #WannaCry and Contopee from Lazarus Group ! thx @neelmehta - Is DPRK behind #WannaCry ? pic.twitter.com/uJ7TVeATC5
— Matthieu Suiche (@msuiche) May 15, 2017
"Attribution can always be faked, as it's only a matter of moving bytes around," Suiche said.
American cybersecurity firm Symantec also said that it found code used in the malware that "historically was unique to Lazarus tools," but it didn't speculate on North Korea's role in the attack.
"While these connections exist, they so far only represent weak connections. We are continuing to investigate for stronger connections," Symantec said in a statement.
Here're some key facts about the WannaCry ransomware: