Security firm Symantec has found that the infrastructure and tools used in the WannaCry attack have strong connections to the hacking group Lazarus — responsible for the massive hack on Sony Pictures and the theft of $81 million from Bangladesh Central Bank.
Symantec researchers analyzed the two major variants of WannaCry, which date back to February. These variants were used in several smaller attacks through April, and were nearly identical to the strain used in the massive May 12 WannaCry attack.
Two other security firms — Kaspersky Labs and BAE Systems — found connections between WannaCry and the Lazarus Group’s malware. Google Security researcher Neel Mehta first tweeted the connection between the code of both malware variants on May 15.
The commonalities in the tools, infrastructure and techniques prove it is highly likely Lazarus is connected to the WannaCry attacks, Symantec Security Response Technical Director Vikram Thakur said.
“Any overlap is from a technology perspective,” Thakur said. “It’s not speculative.”
However, cybersecurity think tank ICIT this week called Symantec’s report “premature, inconclusive and distracting.”
One issue ICIT Senior Fellow James Scott took with the report was the “sharp difference in the level of sophistication of the malware and threat actors, glaring differences in the target demographics and severe variations in the operational procedures of the actors.”
“At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT,” wrote Scott.
The Lazarus Group is known to target the military, financial organizations, media and manufacturers — not healthcare. Scott said that these recent attacks don’t bear the same hallmarks and only “two-thirds of the Lazarus samples had one or more PE resources with Korean locale or Language.”
But Symantec is standing by its claim that parts of WannaCry’s malware variants evolved from the old Lazarus tools.
While it’s not uncommon for hackers to borrow code from other successful ransomware variants, Thakur said that there are few prevalent cases of the specific Lazarus code in the wild. The presence of that code, infrastructure and those techniques in WannaCry is uniquely attributable to Lazarus.
“From a technical perspective, there is very little doubt left in our mind,” Thakur said. “This is the only conclusion we could make.”
Thakur stressed that Symantec cannot say it is definitely the Lazarus group behind these attacks, or whether one member of the group acted alone.
“Any conclusions made about the attackers’ identity and motivation would be speculative,” he said. “We also do not have information that perpetrates North Korea launching the WannaCry attack. The technical evidence does not allow us to determine if the attack was carried out by an individual or a nation state.”