While we initially thought this would be a silly and unsubstantiated discovery, the number of security firms claiming to have identified and confirmed connections between the WannaCry ransomware and malware used by the Lazarus Group has now risen to three.
These somewhat crazy rumors started on Monday when Google security researcher Neel Mehta tweeted the MD5 hashes of two malware samples, each paired with two addresses inside the file.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4 #WannaCryptAttribution— Neel Mehta (@neelmehta) May 15, 2017
The hashes were for an early WannaCry sample (a beta released in February 2017) and for the Contopee backdoor, previously attributed to the Lazarus Group; the addresses point to the code the two samples share.
If the name sounds familiar, it's because this is the codename given to the group of hackers responsible for the Sony hack, the SWIFT bank attacks, and the hacks of various other financial institutions around the world. Experts believe the group is based in North Korea and associated with the country's government, mainly because of its historical focus on attacking South Korean organizations and state agencies.
Two days after Mehta's tweet, security firms such as Kaspersky Lab, Symantec, and BAE Systems have publicly backed the claim that there might be a connection between North Korea's Lazarus Group and the WannaCry outbreak.
These companies draw the connection from fairly thin evidence, so their findings should not be taken as conclusive proof that North Korea developed and released WannaCry.
According to the three companies, here is what they base their claims on:
Some of these similarities are just ridiculous, as there are plenty of malware authors who write their code in C++, compile it in Visual Studio 6.0, and use leet speak.
On the other hand, the code overlap between the Contopee and WannaCry samples is quite interesting.
"The implementation of this [random buffer generator] function is very unique," say Sergei Shevchenko and Adrian Nish, BAE Systems experts, "- it cannot be found in any legitimate software."
Symantec takes this explanation further.
"Symantec has determined that this shared code is a form of SSL. This SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen across Lazarus tools," the company explains, also revealing that it found a similar SSL implementation in the Brambul backdoor, another of the Lazarus Group's hacking tools.
That is not conclusive, though. The Contopee and Brambul samples had been discovered and analyzed years earlier, in 2015. It is not unheard of for malware authors to grab code from other malware samples when piecing together new tools; this actually happens more often than most people think.
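The Symantec claim above rests on the order in which the shared SSL code lists its cipher suites, and that order is something a defender can check directly: against a binary, where the table is stored as 16-bit values, and against traffic, where a ClientHello carries the suites in the order the code emits them. The following Python is an added example written for this article, not code from Symantec, BAE Systems, or any of the malware samples discussed. The 75-suite Lazarus sequence itself is not reproduced on this page, so SUSPECT_ORDER, SAMPLE_BLOB and the ClientHello built here are constructed placeholders; swap in a real ordering taken from an analyzed sample before using it as a detection.

```python
"""Fingerprint an ordered TLS cipher-suite list, in a binary and on the wire."""
import hashlib
import struct

# CONSTRUCTED stand-in for a suspicious ordering. The real 75-suite sequence
# is not on the page; replace this list with one taken from a real sample.
SUSPECT_ORDER = [0xC02B, 0xC02F, 0x009C, 0x002F, 0x0035, 0x000A, 0x00FF]


def parse_client_hello_ciphers(record: bytes) -> list:
    """Return the suites, in the order offered, from one TLS record holding a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack(">H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[:1] != b"\x01":
        raise ValueError("truncated record or not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]
    if len(hello) != hs_len or len(hello) < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                        # client_version + random
    pos += 1 + hello[pos]               # session_id length byte + session_id
    (cs_len,) = struct.unpack(">H", hello[pos:pos + 2])
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack(">H", hello[i:i + 2])[0] for i in range(pos, pos + cs_len, 2)]


def cipher_fingerprint(ciphers) -> str:
    """Order-sensitive fingerprint: the same suites in a different order hash differently."""
    return hashlib.sha256(",".join(f"{c:04x}" for c in ciphers).encode()).hexdigest()


def find_cipher_table(blob: bytes, ciphers) -> list:
    """Locate the ordered suite list stored as a 16-bit table inside a binary.

    The wire format is big-endian, but an x86 binary usually keeps such a table
    as native little-endian WORDs, so both encodings are searched. Returns
    (endianness, offset) pairs for every match.
    """
    hits = []
    for name, fmt in (("big", ">H"), ("little", "<H")):
        needle = b"".join(struct.pack(fmt, c) for c in ciphers)
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return hits


def build_client_hello(ciphers, session_id: bytes = b"") -> bytes:
    """Build a minimal TLS 1.0 ClientHello record (constructed test input, not a capture)."""
    cs = b"".join(struct.pack(">H", c) for c in ciphers)
    hello = (b"\x03\x01" + bytes(32)                      # version + zeroed random
             + bytes([len(session_id)]) + session_id
             + struct.pack(">H", len(cs)) + cs
             + b"\x01\x00"                                # compression_methods: null only
             + b"\x00\x00")                               # empty extensions block
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# CONSTRUCTED sample binary: filler, then the table as little-endian WORDs, then padding.
SAMPLE_BLOB = b"\x90" * 40 + b"".join(struct.pack("<H", c) for c in SUSPECT_ORDER) + b"\xcc" * 16


def classify(record: bytes, known: dict) -> str:
    """Map a ClientHello to a label from a fingerprint database, or 'unknown'."""
    return known.get(cipher_fingerprint(parse_client_hello_ciphers(record)), "unknown")


if __name__ == "__main__":
    db = {cipher_fingerprint(SUSPECT_ORDER): "suspect ordering (constructed)"}
    print(classify(build_client_hello(SUSPECT_ORDER), db))           # matches
    print(classify(build_client_hello(sorted(SUSPECT_ORDER)), db))   # same suites, other order: unknown
    print(find_cipher_table(SAMPLE_BLOB, SUSPECT_ORDER))             # [('little', 40)]
```

The fingerprint deliberately hashes the sequence rather than the set, because the attribution argument is about the order the shared code emits, not about which suites it supports; two clients offering identical suites in different order produce different fingerprints.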
If you're worried someone will trace your malware, just wait ten minutes. Inevitably someone will attribute it to a nation state.— Matthew Green (@matthew_d_green) May 16, 2017
The WannaCry ransomware — also known as WCry, WanaCrypt0r, WannaCrypt, or Wana Decrypt0r — looks like the work of an unsophisticated group, which also explains why we've seen at least three to four versions in the past three months without the SMB self-spreading component.
All clues point to the group slowly building up their ransomware until they added the SMB self-spreading worm component, at which point the authors could no longer contain it, and the ransomware spread to over 215,000 computers worldwide.
Most experts believe WannaCry was still in development when it broke into an outbreak on Friday, because current samples aren't even obfuscated and have a bug that prevents WannaCry from using unique Bitcoin addresses for each victim.
#WannaCry has code to provide unique bitcoin address for each victim but defaults to hardcoded addresses as a result of race condition bug— Security Response (@threatintel) May 16, 2017
On the other hand, we can't exclude WannaCry being the work of North Korean hackers. Symantec has gone on record saying they've found other Lazarus Group malware on computers that were previously infected with earlier versions of the WannaCry ransomware (without the SMB module).
In recent months, it has become a trend for cyber-espionage outfits to deploy ransomware on the computers they've compromised, as a way to disguise their presence.
Cyber-espionage groups operate on the presumption that hacked victims will see the ransom notes and restore from backups or reinstall their OS from scratch, deleting logs and other evidence of the intrusion along the way.
For example, cyber-espionage-grade malware such as KillDisk and Shamoon have recently added ransomware modules that they deploy after stealing data from their targets, as a way to disguise a hack's true purpose.
Either way, for the time being, the theory that North Korea created and deployed WannaCry as a way to wreak havoc across the world still stands, as absurd as it sounds.
This looks more and more like an op designed to create political turmoil. https://t.co/dsiqZS345l— Stefan Esser (@i0n1c) May 15, 2017
More details, and even wild theories, will surface in the following weeks or months, as security firms break apart each line of code in the WannaCry ransomware.