In fresh analysis of the WannaCry ransomware attack which impacted more than 150 countries earlier this month, cybersecurity sleuths at US firm Symantec now believe it is "highly likely" that a North Korean hacking team known as "Lazarus Group" was involved.
In a blog post this week (22 May), the researchers detailed their probe into previous versions of WannaCry – a form of malware which locks down computers until a ransom is paid to the hackers. The most recent cyberattacks were super-powered by leaked NSA cyberweapons.
"Analysis of these early WannaCry attacks [...] revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry," the blog post read.
The Lazarus Group has long been linked to the reclusive North Korean regime; however, its true scope and level of financial resources remain unclear.
With the use of malware analysis, experts have linked the hacking team to cyberattacks against Sony Pictures and the Bangladesh Central Bank.
In this instance, however, Symantec said the WannaCry attacks "do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign."
Symantec said that, before the widespread global ransomware attacks on 12 May, an earlier version was spotted between February and April 2017. The first case of WannaCry in the wild was on 10 February this year. Within two minutes of infection it spread to more than 100 computers.
Later, on 27 March, analysis revealed at least five more organisations had been infected by the ransomware. Two different malware strains recorded in this case – Alphanc and Bravonc – have both previously been linked to Lazarus Group activity.
Two months later, the big event took place. This time, the ransomware had incorporated leaked NSA cyberweapons published online by a group known as The Shadow Brokers. Using two vulnerabilities in Microsoft Windows it spread through unpatched machines at an unprecedented rate.
In its blog post, Symantec noted: "The incorporation of EternalBlue transformed WannaCry from a dangerous threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years.
"The small number of Bitcoin wallets used by the first version of WannaCry, and its limited spread, indicates that this was not a tool that was shared across cybercrime groups. This provides further evidence that both versions of WannaCry were operated by a single group."
It was a researcher called Matthieu Suiche who was among the first to make the connection with North Korean hackers. On 16 May, he released his research, and leading cybersecurity firms, including Russia's Kaspersky Lab, quickly followed his lead.
He wrote: "The attribution to Lazarus Group would make sense regarding their narrative, which in the past was dominated by infiltrating financial institutions with the goal of stealing money.
"If validated, this means the latest iteration of WannaCry would in fact be the first nation-state-powered ransomware. This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities [...] to create global chaos."