Clues point to possible North Korean involvement in massive cyberattack
By ELLEN NAKASHIMA, CRAIG TIMBERG AND BRIAN MURPHY | The Washington Post | Published: May 16, 2017
Security researchers have found digital clues in the malware used in last weekend's global ransomware attack that might indicate North Korea is involved, although they caution the evidence is not conclusive.
An early version of the "WannaCry" ransomware that affected more than 150 countries and major businesses and organizations shares a portion of its code with a tool from a hacker group known as Lazarus, which researches think is linked to the North Korean government.
"This implies there is a common source for that code, which could mean that North Korean actors wrote Wannacry or they both used the same third-party code," said John Bambenek, threat research manager at Fidelis Cybersecurity.
White House homeland security adviser Thomas Bossert said Monday that investigators were still working to determine who was behind the attack, which infects computers with a virus that encrypted data and is accompanied by a demand that victims pay a ransom to decrypt it. "That's the attribution that we're after right now," he said at a White House briefing. "It will be very satisfying for me and for all of our viewers, I think, that if we find them that we bring them to justice. ... I don't want to say we have no clues. ... The best and the brightest are working on that."
Several security researchers studying "WannaCry" on Monday found evidence of possible connections to, for instance, the crippling hack on Sony Pictures Entertainment in 2014 attributed by the U.S. government to North Korea. That hack occurred in the weeks before Sony released a satiric movie about a plot to kill North Korean leader Kim Jong Un.
A Google security researcher tweeted a small bit of computer code Monday afternoon that highlighted similarities between that attack and an earlier version of "WannaCry." The attack was first reported Friday and has hobbled hundreds of thousands of computers by encrypting data on the machines. The hackers offer to unlock the data for bitcoin payments of $300.
Software company Symantec, maker of popular security software, published a blog post also pointing to the possible connections, writing, "While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation."
Kaspersky Lab, a Russian cybersecurity firm, also pointed to similar links, writing, "We believe this might hold the key to solve some of the mysteries around this attack."
However, Bambenek cautioned that the links are circumstantial. "It could be a freak coincidence," he said. "The code in question is not a large portion of the overall Wannacry malware so it's plausible that the attackers got it from somewhere else."
The irony, he noted, is that the ransomware attack was enabled by a leak of National Security Agency hacking tools. "The similar could be true here - that this stuff leaked out from North Korea, but it just hasn't been found yet," he said.
Global markets appeared to largely avoid problems Monday amid worries of digital chaos in the wake of the attack.
The spread of the WannaCry virus has slowed as new cyberdefenses have been put in place, but the malware still found its way into hundreds of thousands more computers while businesses and governments assessed the damage and planned their next moves.
Few problems were reported on stock exchanges and other financial systems Monday. Asian stock markets rose, probably on news of higher oil prices and a new Chinese government spending plan - sending some exchanges to two-year highs.
In Europe, stock markets were generally flat, but no serious hacker-linked disruptions were reported in early trading. Wall Street exchanges closed slightly higher. Among the hot stocks were firms selling online protection services.
In Japan, the government's Computer Emergency Response Team said as many as 2,000 computers at 600 companies were affected by the ransomware, and the government set up a new crisis management office to deal with cyberterrorism.
China's state-run Xinhua News Agency reported that the virus infiltrated a range of networks, including railway operations, mail delivery, hospitals and government offices.
In France, automaker Renault said one of its plants was closed Monday as a "preventive step" while engineers looked at the fallout from the cyberattack.
The virus has mainly infiltrated systems in Europe - particularly Britain's health-care network on Friday - but financial exchanges were closely watched in the first full trading day since the malware surfaced.
Some eight to 10 U.S. entities, including a few in the health-care sector, reported possible Wannacry infections to the Department of Homeland Security, a U.S. official said. But none reported that they had data encrypted or that they suffered significant disruptions.
Bossert said Monday that the situation was "under control" at the moment in the United States.
"We are continuing to monitor the situation around clock . . . bringing all the capabilities of the U.S. government to bear," he said, adding that as of Monday, no federal systems were affected.
While factories, hospitals and schools were disrupted in China by the attack, the spread of the virus appeared to be slowing. State media said 29,000 institutions had been hit, along with hundreds of thousands of devices.
"The growth rate of infected institutions on Monday has slowed significantly compared to the previous two days," said Chinese Internet security company Qihoo 360, according to Reuters. "Previous concerns of a wide-scale infection of domestic institutions did not eventuate."
South Korea reported that just five companies were affected, including the country's largest movie chain. In response, the Korea Internet and Security Agency in Seoul raised its warning level to 3, or "cautious," on a scale of 1 to 5.
In the South Korean city of Asan, an electronic panel meant to show bus arrival times instead displayed a message demanding bitcoin payment. The CGV movie chain, South Korea's largest, said that about 50 of its theater complexes were attacked by the ransomware but that films were still running as scheduled.
Researchers discovered a "kill switch" on the virus that stopped its spread from computer to computer, potentially saving tens of thousands of machines from further infection. There were fears, however, that new versions of the worm, without this vulnerability, could eventually be released.
The worm took advantage of a vulnerability in Microsoft's Windows operating system. Although the flaw has been patched by the company, not all users had applied the update.
The vulnerability exploited by the ransomware is believed to have been first identified by the U.S. National Security Agency and later leaked online.
The ransomware program, which is spread through email, encrypts computer files and then demands the bitcoin equivalent $300 to unlock them.
The attack hobbled operations at Russia's Interior Ministry, Spanish telecommunications giant Telefónica and Britain's National Health Service.
Speaking at a news conference after an economic conference in China, Russian President Vladi¬mir Putin told journalists that Russia "had nothing to do" with the WannaCry virus.
"With regard to the source of these threats, then I believe that Microsoft has spoken directly about this," Putin said. "They said that the first sources of this virus were the United States intelligence agencies. Russia has absolutely nothing to do with this."
The Washington Post's Anna Fifield in Tokyo and Andrew Roth in Moscow contributed to this report.