"The self-spreading 'WannaCry' internet worm, which ripped through 160,000 computers and crippled hospitals and other businesses, is now being linked to a North Korean cyber gang," reports Kevin Poulsen at Daily Beast.
Google security researcher Neel Mehta was first to cautiously connect the DPRK to the WannaCry attack. In a cryptic tweet Monday, Mehta referenced two seemingly different breeds of computer attack code. One was an early version of the WannaCry code that was found in the wild last February. The other was the "Contopee" backdoor program previously used in the Lazarus Group's attacks on Asian financial institutions.
Mehta drew attention to a section of code that, upon inspection, turned out to be nearly identical in each program. Such commonalities are considered a key metric in determining that a common actor is behind two hacks, and other researchers quickly affirmed the importance of the find. "For now, more research is required into older versions of WannaCry," wrote analysts at Kaspersky Lab. "We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure—Neel Mehta's discovery is the most significant clue to date regarding the origins of WannaCry."
Security giant Symantec says it has been thinking along similar lines. Over the weekend the company discovered that early versions of WannaCry—used before the NSA code was added—had a way of turning up on victim computers right after a confirmed Lazarus Group attack. "However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems," wrote Vikram Thakur, technical director at Symantec, in a statement. "In addition, we found code in WannaCry… that historically was unique to Lazarus tools."
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017