British security officials believe last month’s WannaCry ransomware attack that infected hundreds of thousands of computers around the world was likely carried out by hackers in North Korea, BBC reported.
Security experts reportedly believe Britain’s National Cyber Security Center (NCSC), which has headed up the international investigation into the attack, has pinned the attack on a North Korea-connected hacking collective known as Lazarus Group.
British intelligence has been heavily involved in investigating WannaCry after National Health Service (NHS) hospitals throughout England were hit by the cyberattack. The hospitals were unable to access their computer systems and were forced to divert emergency patients and
The report out of the United Kingdom comes just days after the U.S. Department of Homeland Security and FBI issued an alert attributing cyberattacks dating back to 2009 to North Korea and warning of more.
Homeland Security and the FBI said attackers working with or inside the North Korean government have targeted the “media, aerospace, financial and critical infrastructure sectors in the United States and globally.”
The U.S. officials have started referring to the “malicious cyberactivity by the North Korean government” as Hidden Cobra. According to the alert, Hidden Cobra consists of actors who were previously known as Guardians of Peace and Lazarus Group.
British intelligence groups are the latest to draw the connection from WannaCry to North Korea’s Lazarus Group. Google security researcher Neel Mehta first noted a similarity in the code of WannaCry that matched a malware attack previously attributed to the North Korean hacking group.
The malware with which WannaCry shares code is a backdoor trojan known as Contopee. The malicious software has been used by Lazarus Group to attack a number of targets, including financial institutions in Southeast Asia.
Lazarus Group has been associated with a number of significant attacks in recent years, including an $81 million heist of funds from a bank in Bangladesh, a 2013 attack on South Korean television stations and banks, and the 2014 attack on Sony Pictures that resulted in the leak of confidential information and unreleased films.
While WannaCry has taken code used by Lazarus Group, a linguistic analysis of the ransom notes delivered to infected machines suggests the attackers are native Chinese speakers. U.S. security company Flashpoint found that the note written in Chinese was composed with a Chinese-language input system rather than produced by translation, as many of the other notes were.
Chinese security researchers have pushed back against these claims, suggesting that hackers often add characters from different languages into their code in order to obfuscate their identity, making it difficult to determine the origin of the attack based on the characters used in the text of the malware.