Researchers from Symantec, a cybersecurity software company, claim that tools and infrastructure used to carry out recent WannaCry ransomware attacks show strong links to Lazarus, a group believed to be responsible for the infamous Sony Pictures hack and the $81 million theft from the Bangladesh Central Bank.
Symantec said it discovered multiple instances of code from the Sony Pictures hack in early versions of WannaCry. What's more, a similar internet connection was used to run WannaCry on two computers and to use a tool that was previously used to destroy files at Sony Pictures. U.S. authorities have accused North Korea of being responsible for the Sony Pictures hack, which it has so far denied.
How Is WannaCry Linked To Lazarus?
Many security firms call the hacking group behind the Sony Pictures hack "Lazarus." Symantec detailed the similarities in a blog post. After the first WannaCry attack occurred in February, Symantec discovered three pieces of malware in the victim's network: Trojan.Volgmer, along with two variants of Backdoor.Destover, disk-wiping software used in the Sony Pictures hack.
Moreover, Trojan.Alphanc, which was used to distribute the WannaCry ransomware in March and April, is actually just a modified version of Backdoor.Duuzer, which carries links to Lazarus. By extension, Trojan.Bravonc used the same IP addresses as Backdoor.Duuzer and Backdoor.Destover, both of which carry links to Lazarus.
Backdoor.Bravonc shares similar code with WannaCry and Infostealer.Fakepude, which, as you can expect, carries links to Lazarus. The three appear to share a method of making the code difficult to analyze, a process called obfuscation.
Finally, WannaCry and Lazarus-linked Backdoor.Contopee contain shared code.
All these associations have rendered Symantec confident enough to declare that Lazarus might indeed be responsible for the widespread WannaCry attacks.
"Analysis of these early WannaCry attacks by Symantec's Security Response team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry," the company said in its blog post.
Despite the ties to Lazarus, the WannaCry attacks don't appear to be a case of a nation-state campaign, states Symantec. The attacks, collectively, are "more typical of a cyber crime campaign."
What Is WannaCry?
WannaCry, for the uninitiated, is ransomware that infected hundreds of thousands of computers around the globe, with the bulk of reports suggesting that it hit Britain's public system quite badly, with entire wards reportedly closing and National Health Service staff being told to go home.
The version of WannaCry that spread like wildfire used an automated system to wreak havoc, itself based on EternalBlue, one of the hacking tools a hacking group called Shadow Brokers stole from the U.S. National Security Agency.
Most recently, it was reported that WannaCry hit mostly Windows 7 PCs — roughly 98 percent of all affected systems, according to Kaspersky Lab. Though Windows 10, Microsoft's most updated operating system, is widespread and not vulnerable to the ransomware, it's not as widespread as Windows 7, which a great number of systems still run.
Shadow Brokers has now also threatened to release more data dumps containing a variety of hacking tools, which should begin next month if its stated plans go ahead.