The widespread ransomware attack known as WannaCry that hit hundreds of thousands of computer systems in countries around the world Friday shares code with malware attributed to a group of North Korean hackers, security researchers said Monday.
The malware that WannaCry shares is a backdoor trojan known as Contopee. The malicious software has been used by the North Korea-connected hacking collective Lazarus Group to attack a number of targets, including financial institutions in Southeast Asia.
Lazarus Group has been associated with a number of significant attacks in recent years, including an $81 million heist of funds from a bank in Bangladesh, a 2013 attack on South Korean television stations and banks, and the 2014 attack on Sony Pictures that resulted in the leak of confidential information and unreleased films.
While the shared code may eventually help determine the source of the WannaCry attack, it is not an official attribution, since code can be used, reused and rewritten for other programs — a technique that can be used to borrow a particular feature or even to create a false attribution.
Focal Point CEO Yong-Gon Chon told International Business Times that attribution is extremely difficult and often not a straightforward process, but that a rush for information can lead some to jump to conclusions that may not be accurate, as he and his firm found in a recent case in which a cyberattack on Ukrainian artillery was attributed to Russia.
“If you’re working for law enforcement or intel agencies, you can do that kind of analysis for internal consumption,” Chon said. “But when you publish material like that in the media, you’re no longer just an intel analyst. You become a forensic examiner in the court of public opinion.”
He warned that attribution in a media environment that is desperate for information can be a “marketing and publicity thing. Identifying malicious nation-state or criminal activity is very much a spectacle in the media.”
Chon also warned that attribution can be made too readily simply because it is the simplest possible explanation, even when the evidence is not entirely there.
“You see this when you go to the doctor’s office,” he said. “If the doctor sees five patients in the same day that have the flu and you have similar symptoms, they have a tendency to say you have the flu. That doesn’t absolve the doctor of executing the right protocols to do their diagnosis appropriately.”
During a White House briefing on Monday, Homeland Security Adviser Tom Bossert said attribution is “something that we are working on quite seriously” but sometimes it eludes investigators. “Attribution can be difficult here,” he said.
Kaspersky Lab researchers suggested further information is needed about older versions of WannaCry before any sort of definite attribution can be made. “We believe this might hold the key to solve some of the mysteries around this attack,” the firm said in a blog post, noting Mehta’s discovery “is the most significant clue to date regarding the origins of Wannacry.”