An Indian-origin techie has found similarities between code found within WannaCry and other tools believed to have been created by Lazarus Group, a group of North Korean hackers, in the past.
An Indian-origin security researcher with Google has found evidence suggesting that North Korean hackers may have carried out the ‘unprecedented’ ransomware cyberattack that hit over 150 countries, including India.
Neel Mehta has published a code which a Russian security firm has termed as the ‘most significant clue to date’, BBC reported on Tuesday.
The code, published on Twitter, is exclusive to North Korean hackers, researchers said.
Researchers have said that some of the code used in Friday’s ransomware, known as WannaCry software, was nearly identical to the code used by the Lazarus Group, a group of North Korean hackers which used a similar version for the devastating hack of Sony Pictures Entertainment in 2014 and the last year’s hack of Bangladesh Central Bank.
Security experts are now cautiously linking the Lazarus Group to this latest attack after the discovery by Mehta.
Mehta has found similarities between code found within WannaCry and other tools believed to have been created by the Lazarus Group in the past, BBC reported.
Security expert Prof Alan Woodward said that time stamps within the original WannaCry code are set to UTC +9 -- China’s time zone -- and the text demanding the ransom uses what reads like machine-translated English, but a Chinese segment apparently written by a native speaker, the report said.
“As you can see it is pretty thin and all circumstantial. However, it is worth further investigation,” Woodward said.
“Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” said Russian security firm Kaspersky, but noted a lot more information is needed about earlier versions of WannaCry before any firm conclusion can be reached, it reported.
“We believe it is important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” it said.
Attributing cyberattacks can be notoriously difficult -- often relying on consensus rather than confirmation, the report said.
North Korea has never admitted any involvement in the Sony Pictures hack -- and while security researchers, and the United States government, have confidence in the theory, neither can rule out the possibility of a false flag, it said.
Skilled hackers may have simply made it look like it had origins in North Korea by using similar techniques.
In the case of WannaCry, it is possible that hackers simply copied code from earlier attacks by the Lazarus Group.
“There’s a lot of ifs in there. It wouldn’t stand up in court as it is. But it’s worth looking deeper, being conscious of confirmation bias now that North Korea has been identified as a possibility,” Woodward said.
It's the strongest theory yet as to the origin of WannaCry, but there are also details that arguably point away from it being the work of North Korea.
First, China was among the countries worst hit, and not accidentally -- the hackers made sure there was a version of the ransom note written in Chinese. It seems unlikely North Korea would want to antagonise its strongest ally. Russia too was badly affected, the report said.
Second, North Korean cyber-attacks have typically been far more targeted, often with a political goal in mind.
In the case of Sony Pictures, hackers sought to prevent the release of The Interview, a film that mocked North Korean leader Kim Jong-un. WannaCry, in contrast, was wildly indiscriminate - it would infect anything and everything it could, the report said.
Finally, if the plan was simply to make money, it’s been pretty unsuccessful on that front too -- only around $60,000 (Rs 39 lakh) has been paid in ransoms, according to analysis of Bitcoin accounts being used by the criminals.
With more than 2,00,000 machines infected, it’s a terrible return, the report said.
On Friday, Europol Director Rob Wainwright said, “The global reach is unprecedented. The latest count is over 2,00,000 victims in at least 150 countries and those victims many of those will be businesses including large corporations.”
The most disruptive attacks were reported in the United Kingdom, where hospitals and clinics were forced to turn away patients after losing access to computers.
*****
No substantial impact on Indian IT system: Govt
The impact of WannaCry ransomware attack has been limited to five or six isolated instances so far and there are no reports of any substantial disruption to India’s Information Technology backbone, the government said on Tuesday.
A multi-agency monitoring team is continuously assessing the situation round the clock, IT Secretary Aruna Sundararajan said on the margins of a Broadband India Forum event.
CERT-In, the government’s cyber security arm, has maintained that apart from five or six isolated instances, there are no reports of a substantial scale to indicate that Indian systems have been hit.
“One such incident pertains to 18 computers of Andhra Pradesh Police... and apart from that, there are five other cases... one of them in Kerala where some of the panchayat computers were affected,” Sundararajan said.
All the cases reported so far involve fragmented, and isolated systems or standalone machines, she stressed.
“Since March, the government has been on high alert. We have already installed the necessary security patches as far as the key networks are concerned. We have not got any reports of widespread infection of the ransomware,” she said.
Meanwhile, cyber security firm Quick Heal Technologies said it has detected over 48,000 ransomware attack attempts in the country, with West Bengal witnessing the most incidents.
They said in a statement that they have ‘detected over 48,000 MS-17- 010 Shadow Broker exploit hits responsible for ‘WannaCry ransomware’ outbreak in India’.
“Our observation is that the attack is not focused towards any particular industry but it is widely spread across industries especially those organisations which are online and connected,” Quick Heal Technologies' managing director Sanjay Katkar said.
The Pune-based company said 60 per cent of the attempts by the malicious WannaCry ransomware were targeted at enterprises, while 40 per cent were on individual customers.
It said there have been over 700 distress calls by customers in the last few days, following the discovery of the attacks which has impacted 150 countries globally.
The top five cities impacted by the WannaCry ransomware are Kolkata followed by Delhi, Bhubaneshwar, Pune and Mumbai, while the top top five states with maximum detections are West Bengal, Maharashtra, Gujarat, NCR (Delhi), and Odisha, it said. The company claimed it ‘successfully detected’ the ransomware activity and ‘cleaned the malicious file responsible for file encryption from all the attacked systems’.
It said computers running on the desktop and server editions of the Microsoft Windows operating system are most impacted.
‘Systems which did not apply a patch update for this vulnerability were affected by the WannaCry ransomware which uses wormlike behaviour to affect vulnerable systems on the network,’ it explained.
Illustration: Kacper Pempel/Reuters
