Symantec this week doubled down on its theory that the epic WannaCry ransomware worm was the handiwork of hackers out of North Korea, but some security experts dismiss any connection to the DPRK.
WannaCry, which infected some 230,000 machines in 150 countries yet generated only about $110,000 in ransom since its launch on May 12, according to data from Trend Micro, was more of a loud wakeup call about the potential for a ransomware epidemic than it was a massive event. Though hospitals in the UK were the initial high-profile victims of the attacks and nations such as Russia suffered the brunt of the infections, overall, WannaCry's rapid-fire worm ultimately fizzled.
Attribution, especially with nation-state actors, is always a dicey practice: these attackers tend to be masters of disguise and false flags. But North Korea's nation-state cyber operations became a possible suspect in WannaCry early last week when famed Google researcher Neel Mehta, and then Kaspersky Lab, Symantec, and BAE, voiced strong suspicions of a link to the infamous North Korean Lazarus Group after spotting the conspicuous use of Lazarus code in WannaCry.
Researchers from Symantec now say they have more evidence that the North Korean Lazarus Group launched WannaCry, but with the caveat that the attack campaign was not a North Korea government-sponsored campaign. Other security firms, including Kaspersky Lab, still point at ties with the Lazarus Group, which was behind the massive 2014 breach of Sony Pictures. FireEye has "moderate confidence" that the attackers behind WannaCry are North Korean, notes John Hultquist, manager of the cybersecurity analysis team at FireEye.
Researchers traced a link between WannaCry and the Lazarus Group back to a February 2017 WannaCry cryptor sample that very closely resembles a malware sample from the Lazarus Group two years before.
Vikram Thakur, principal researcher manager at Symantec, says researchers at his firm studied further the technical crumbs from that earlier, non-worm outbreak of WannaCry as well as the recent worm-spread attack; they found enough overlap between the tools and code used to tie together the attack groups. "There's a decent amount of code overlap we see that can't be duplicated by copycats. It would require someone with access to the original source code, along with the Lazarus tools," Thakur says.
But the attackers didn't run WannaCry like a full-blown nation-state campaign, according to Symantec. "We don't believe WannaCry was the work of a nation-state," Thakur says. WannaCry didn't target the usual nation-state victims, nor did it operate as smoothly and effectively as a nation-state attack.
"They had buggy code on May 12," which was fixed 13 hours later, he says, and they weren't targeting intellectual property nor did they have a sustainable or effective monetization channel.
So how could it both be the Lazarus Group yet not the North Korean government? The attackers could have been a rogue element of the Lazarus Group trying to make some money, for example, or a defector from the group that still had access to the source code, Thakur suggests. North Korea's Lazarus hacking group has not targeted regular Internet users in the past: "They've gone after organizations, or intellectual property," he says. "That's the reason that the likelihood of it being a nation-state attack is very, very low."
Symantec points to three pieces of malware discovered on WannaCry victim machines that are linked to Lazarus: Trojan.Volgmer and two variants of Backdoor.Destover, the disk-wiping tool used in the Sony Pictures attacks. The big "'a-ha' moment," Thakur says, was connecting the dots between the malware used to plant WannaCry.
"We had a tool responsible for putting WannaCry on the machine, and that tool had similarities with Lazarus," the so-called Alphanc Trojan used to spread WannaCry in the March and April attacks, he notes. It's also a morphed version of a Lazarus tool calledBackdoor.Duuzer.
Another Trojan, Bravonc, uses the same IP addresses for its command-and-control as Duuzer and Destover, and has common code obfuscation methods as WannaCry and another Lazarus tool. Symantec also found shared code in WannaCry and a Lazarus backdoor called Contopee.
Even with Symantec's newly discovered clues, not all security firms are sold on the North Korea connection. Mike Oppenheim, global research lead with IBM X-Force IRIS, says while they're is indeed code overlap between WannaCry and the Lazarus Group's backdoor malware, that's not enough to confirm a connection right now. "More evidence beyond this single piece of data will be required before attribution is possible," he says. "The Lazarus Group malware has been widely discussed and publicized in recent years and it is possible that whoever is responsible for WannaCry had access to the same source code."
Ross Rustici, senior manager of intelligence research at Cybereason and an East Asia expert, says a more likely scenario is a wanna-be cybercriminal behind WannaCry. "It's plausible you had an aspiring cybercriminal start pulling at tools, and came across the Lazarus SMB worm" used in the Sony attack, he says. "They propagated the worm with the code, but didn't think through the implications of what that would do."
He doesn't believe it's North Korea because news of the ransomware attacks overshadowed North Korea's missile launch that following weekend. "That's out of cycle from a messaging standpoint," Rustici says. And a splinter group or rogue actor in North Korea would be taking a huge risk of physical harm because the nation keeps close tabs on its cyber program and people, according to Rustici.
"WannaCry was sloppy" and used poor coding infrastructure, he says. "The way they decrypted was amateurish and it doesn't have the hallmarks and tactics of professional hackers."
The problem with attribution is that it requires more than malware connections, says John Bambenek, manager of threat intelligence systems for Fidelis Cybersecurity. "It could be DPRK, or it could be Shadow Brokers, or a close associate, who wants to make it look like them. They were good enough to steal the Equation Group tools; surely they can mix in some Lazarus tools just for fun," he says.
WannaCry for a Long Time
WannaCry is the gift that keeps on giving: like any mass malware epidemic, infected machines will remain so for months and possibly years. The payload-less Conficker worm from 2008 is a prime example of how old malware dies hard: it's still spreading and living on Windows machines around the globe.
The attackers behind WannaCry have been spotted trying to resurrect it, and copycats and new variants are exploding. Security firm Trustlook has identified 386 different malware samples that contain the WannaCry ransomware.
The good news, of course, is that it was nowhere near as destructive as it could have been, and it served as a wakeup call for organizations worldwide. More than 95% of all of the infected machines were running Windows 7, according to Kaspersky Lab data.
Meantime, while some researchers drill down into the code to find clues of the attackers, other security experts maintain that it's more about the cleanup and lessons learned from WannaCry than who unleashed it.
"It's going to be an enigma for a long time," Cybereason's Rustici says. "We're not likely to have really solid answers in attribution near-term that's a smoking gun. It's going to stay a mystery for a while."