Digital fingerprints on WCry ransomware indicate North Korean origins
Various researchers from Google, Kaspersky Lab, and other firms found similarities in WCry that were present during the cyberattacks involving South Korean banks, the Bangladesh Central Bank, and Sony Pictures.
By Liu Hongzuo
Cybersecurity researchers who haven’t caught a break since the WCry ransomware breakout found patterns in the malware code that were also present in three separate major cyber-attacks. The patterns indicate that the attack came from a hacker group that was likely sponsored by North Korea.
The report by Ars Technica showed a tweet from Google security researcher Neel Mehta referencing identical code found in a WCry sample juxtaposed against a 2015 backdoor called Cantopee. That backdoor pointed at a hacking team called the Lazarus Group, which has been associated with highly destructive cyber-attack episodes since 2011.
Lazarus Group cyber-attacks
In 2013, the hacking group caused the hard drives of banks and network broadcasters in South Korea to self-destruct. In 2014, the same group wiped almost 1TB of data from Sony Pictures. Last year, US$1 billion was transferred out of the Bangladesh Central Bank through a compromised SWIFT network.
Other cybersecurity researchers, such as Kaspersky Lab’s Global Research & Analysis Team, came to the same conclusion after analyzing the WCry ransomware. However, the Kaspersky Lab team also cautioned that it is still too early to point fingers, despite damning evidence (the same list of targeted file extensions, identical sections of malicious code, etc.).
State-sponsored?
Ars Technica also observed that WCry was “unusual”, since kill switches are more typically found in malware used by state-sponsored attackers. Kaspersky reports from the past two years also found ties between North Korea and the Lazarus Group, which coincided with U.S. intelligence findings from the Sony Pictures cyber-attack investigation.
Source: Ars Technica