A Google researcher named Neel Mehta has discovered a common bit of code shared by the WannaCry attack and an older program known as Contopee. The earlier program was used by Lazarus, a hacking group believed to be tied to the North Korean government. Andy Greenberg writes at WIRED that the evidence is still thin, but the connection is a starting point.
“There’s no doubt this function is shared across these two programs,” says Matt Suiche, a Dubai-based security researcher and the founder of the security firm Comae Technologies. “WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also.”
According to Suiche, that chunk of commands represents an encoding algorithm. But the code’s function isn’t nearly as interesting as its Lazarus provenance. The group rose to notoriety following a series of high-profile attacks, including the devastating hack of Sony Pictures in late 2014, that were identified by US intelligence agencies as a North Korean government operation. More recently, researchers believe that Lazarus compromised the SWIFT banking system, netting tens of millions of dollars from Bangladeshi and Vietnamese banks. Security firm Symantec first identified Contopee as one of the tools used in those intrusions.
Researchers at the security firm Kaspersky last month presented new evidence tying those attacks together, pointing to North Korea as the culprit. On Monday, Kaspersky followed up on Mehta’s tweet with a blog post analyzing the similarities in the two code samples. But while they noted the shared code in the Lazarus malware and the early version of the WannaCry, they stopped short of definitively stating that the ransomware stemmed from state-sponsored North Korean actors.
Read more here.