New York Times: More Evidence Points to North Korea in Ransomware Attack

SAN FRANCISCO — More evidence emerged Monday that North Korean hackers were behind the global ransomware attack that still holds hundreds of thousands of computers hostage.

There are now hard links connecting a group of North Korean hackers that experts call the Lazarus Group to the ransomware known as WannaCry, according to researchers at the security company Symantec.

Symantec’s researchers first pointed the finger at Lazarus last week, but on Monday said their findings were close to conclusive.

“From all that we see, the technical evidence points to the fact that this is Lazarus,” Eric Chien, an investigator at Symantec, said in an interview Monday.

Mr. Chien and his colleagues found the first known case of a WannaCry ransomware attack on a computer in February.

Within two minutes of infecting that machine, the attackers infected more than 100 computers on their victims’ computer network.

But the hackers left behind a trail of digital crumbs that Mr. Chien and his colleagues had traced to previous attacks by the Lazarus Group, which United States government officials have said works at the behest of Pyongyang.

The most conclusive evidence researchers have found is in what researchers say is the attackers’ “command-and-control” infrastructure.

The WannaCry attacks used the same command-and-control server used in the North Korean hack of Sony Pictures Entertainment in 2014, which wiped out nearly half of the company’s personal computers and servers.

Researchers also say the same tools used in previous Lazarus attacks on banks and media companies in South Korea in 2013 were used in the WannaCry ransomware episode.

Those tools have evolved, but are what researchers call “variants” of the same tools used in the other attacks.

Researchers also said they saw heavy crossover between the computer code in the earlier attacks and WannaCry. That crossover provided what Mr. Chien said was yet another “hard link.”

Other digital crumbs linking the North Korean group to WannaCry include a tool that deletes data that had been used in other Lazarus attacks. The hackers behind WannaCry also used a rare encryption method and an equally unusual technique to cover their tracks.

“We don’t see that used anywhere else,” Mr. Chien said.

In the February WannaCry attacks, Symantec’s researchers said the hackers spread from server to server the same way the Lazarus hackers had in their previous attacks.

In May, another group of hackers that call themselves the Shadow Brokers published the details of National Security Agency hacking tools that the WannaCry hackers were able to use to add muscle to their attacks. They used a leaked N.S.A. hacking tool to automatically spread from server to server, eventually infecting hundreds of thousands of machines around the world, most notably in Europe and Asia.

Some computer security experts have said it is too soon to accuse North Korea, and North Korean officials have denied involvement.

Before the latest evidence came out Monday, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, called the early attribution “shoddy” in an online post, and said the “attribution to North Korea is premature and likely false.”

Some also pointed to the small sums the attack was generating as proof that the attacks were the haphazard work of unsuccessful cybercriminals, rather than government-backed hackers.

By Monday, only 223 victims of more than 200,000 had paid ransoms, generating $109,270 to the attackers’ Bitcoin wallets, according to Dell SecureWorks. The attackers were forced to issue a reminder on victims’ computer screens to pay up.

But despite the financial letdown, the researchers say they are confident the technical evidence points to the Lazarus group.

Read more: