The 'WannaCry' strain of ransomware that has infected hundreds of thousands of victims across 150 countries may be linked to North Korea, researchers have found. One well-known hacking team, dubbed "Lazarus Group", was specifically name-checked.
The coding similarities were first uncovered by Neel Mehta, a security researcher at Google, who dug up links between WannaCry and strain of malware called "Contopee" - previously referenced during the probe into the massive Bangladesh Bank heist last year.
Cybersecurity firm Kaspersky Lab, which previously revealed Lazarus Group was involved with the 2015 Sony Pictures hack, said on 15 May that investigators must now "investigate these similarities and attempt to discover more facts about the origin of WannaCry."
"Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus group," a blog post read.
The researchers continued:"In time, more evidence appeared and allowed us, and others, to links them together with high confidence. Further research can be crucial to connecting the dots.
"We believe this might hold the key to solve some of the mysteries around this attack.
"One thing is for sure — Neel Mehta's discovery is the most significant clue to date regarding the origins of Wannacry."
The shared code appears to be between an February 2017 version of the ransomware and Lazarus Group malware from two years ago, experts said.
"The [February] sample appears to be a very early variant of the WannaCry encryptor. We believe a theory a false flag although possible, is improbable," Kaspersky experts concluded. The ransomware in question was used to lock down computer systems until money is paid to the hackers.
Matthieu Suiche, a prominent researcher and founder of United Arab Emirates (UAE)-based cybersecurity firm Comae Technologies, also confirmed the find via Twitter. "There is no doubt functions are 100% the same," Suiche claimed after analysing the malware.
"Both share similar code, one function is 100% identical," he stated in another update, also linking to Lazarus Group research by Symantec, a US cybersecurity firm.
In May 2016, Symantec detailed how Contopee was one of three pieces of malware being used in targeted attacks against the financial sector in South-East Asia. The computer software was allegedly used by North Korean hackers to manipulate financial networks.
Rick Ledgett, the deputy director of the US National Security Agency (NSA) said in April that evidence linking North Korea to the Bangladesh banking operation was strong. "If that's true, then that says to me that the North Koreans are robbing banks," he said, as reported by Reuters.
The regime in North Korea has denied orchestrating the cyberattacks, which resulted in the successful theft of roughly $81m. In this most recent case, however, attribution remains far from certain. "Attribution can be faked," Suiche noted, adding: "But if true this is a major provocation."
While the shared code suggests an overlap with Lazarus Group malware, much more research will need to be conducted before a full picture of the situation emerges.
In a blog post on 16 May, Suiche, who was the first person to highlight the full theory on Twitter, elaborated: "The attribution to Lazarus Group would make sense regarding their narrative which in the past was dominated by infiltrating financial institutions in the goal of stealing money.
"If validated, this means the latest iteration of WannaCry would in fact be the first nation state powered ransomware. This would also mean that a foreign hostile nation would have leveraged lost offensive capabilities from Equation Group to create global chaos."
In a statement to IBTimes UK, Symantec said: "Over the weekend, we began investigating connections of WannaCry to known groups we are monitoring.
"We discovered that earlier versions of WannaCry in April and early May that weren't widely distributed unlike the recent outbreak were found on systems shortly after being compromised with known Lazarus tools.
"However, we have not yet been able to confirm the Lazarus tools deployed WannaCry on these systems. In addition, we found code in WannaCry used in SSL routines that historically was unique to Lazarus tools. While these connections exist, they so far only represent weak connections.
"We are continuing to investigate for stronger connections."
'Havoc and embarrassment'
Responding to the news on Twitter, Claudio Guarnieri, a senior technologist at Amnesty International and researcher at Citizen Lab, said the discovery of linked malware was "huge if true."
He tweeted: "That could explain the general sloppiness and lack of a decryption process, if the intent is to quickly cause havoc and embarrassment. That said, we need to be cautious. We definitely need more data points before being confident about this connection."
WannaCry was responsible for a major incident on 12 May (Friday) after it quickly infected organisations across the world, including the UK health service. It was effective due to the fact it was based on an NSA exploit leaked earlier in the year by a group called 'Shadow Brokers'.
Law enforcements around the globe are now scrambling to investigate the computer meltdowns. Organisations, meanwhile, are rushing to patch systems before a new variant of the notorious ransomware is able to infect machines running outdated software.
This article was updated to add additional context from Matthieu Suiche.