Cyber security experts admit the technical evidence linking North Korea to the global WannaCry "ransomware" cyber attack is somewhat tenuous, but Pyongyang has the advanced cyber capabilities and the motive to compensate for lost revenue due to economic sanctions, to be considered a likely suspect.
Since Friday, the WannaCry software virus has infected more than 300,000 computers in 150 countries, paralyzing factories, banks, government agencies, hospitals and transportation systems across the globe.
On Monday analysts with the cyber security firms Symantec and Kaspersky Lab said some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which has been identified by some industry experts as a North Korea-run hacking operation.
“Right now we've uncovered a couple of what we would call weak indicators or weak links between WannaCry and this group that's been previously known as Lazarus. Lazarus was behind the attacks on Sony and the Bangladesh banks for example. But these indicators are not enough to definitively say it's Lazarus at all," said Symantec Researcher Eric Chien.
Symantec has linked the Lazarus group to a number of cyber attacks on banks in Asia dating back years, including the digital theft of $81 million from Bangladesh's central bank last year.
The U.S. government blamed North Korea for the hack on Sony Pictures Entertainment that leaked damaging personal information after Pyongyang threatened “merciless countermeasures” if the studio released a dark comedy movie that portrayed the assassination of Kim Jong Un. And South Korea had accused the North of attempting to breach the cyber security of its banks, broadcasters and power plants on numerous occasions.
Pyongyang is believed to have thousands of highly trained computer experts working for a cyber warfare unit called Bureau 121, which is part of the General Bureau of Reconnaissance, an elite spy agency run by the military. There have been reports the Lazarus group is affiliated with Bureau 121. Some alleged North Korean-related cyber attacks have also been traced back to a hotel in Shenyang, China near the Korean border.
“Mostly they hack directly, but they hack other countries first and transfer (the data), so various other countries are found when we trace back, but a specific IP address located in Pyongyang can be found in the end,” said Choi Sang-myung, a senior director of the cyber security firm Hauri Inc. in Seoul.
It is not clear if the purpose of the WannaCry malware is to extort payments or to cause widespread damage.
The WannaCry hackers have demanded ransoms from users, starting at $300 to end the cyber attack, or they threatened to destroy all data on infected computers. So far the perpetrators have raised less than $70,000 according to Tom Bossert, a homeland security adviser for U.S. President Donald Trump.
The countries most affected by WannaCry to date are Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.
Suffering under increased economic sanctions for its nuclear and ballistic missile programs, it would not be surprising for North Korea to attempt to make up for lost revenue through illicit cyber theft and extortion. But the WannaCry ransomware is more advanced than anything North Korean hackers have used in the past.
“Previous ransomwares required people to click an attachment in an email or access a specific website to get infected, but this time (computers) can be infected without getting an email or access to a website, just by connecting an Internet cable,” said Choi.
FireEye Inc., another large cyber security firm, said it was also investigating but cautious about drawing a link to North Korea.
In addition to past alleged cyber attacks, North Korea had also been accused of counterfeiting $100 bills which were known as “superdollars” or “supernotes” because the fakes were nearly flawless.
Youmi Kim contributed to this report in Seoul