Security Experts Investigate #WannaCry Link to North Korea


Security experts are investigating the possibility of a connection between the recent spate of WannaCry ransomware attacks and the notorious Lazarus Group, which has been linked to North Korea.

Google researcher Neel Mehta posted an intriguing message to Twitter yesterday: two sample hashes, each followed by code offsets, and the hashtag #WannaCryptAttribution.

Kaspersky Lab then confirmed in a blog post that the tweet refers to two samples sharing a chunk of code: a WannaCry cryptor sample from February 2017, which looks like a very early variant, and a Lazarus Group sample from February 2015.

The Russian AV firm said it “strongly” believes the authors responsible for the February 2017 code sample are the same as, or had access to the same source code as, those who compiled the May WannaCry encryptor used to devastating effect over the past few days.

So what of the similarities between the WannaCry and Lazarus code samples?

“According to Kaspersky Lab researchers, the similarity of course could be a false flag operation,” the firm said in a statement.

“However, the analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks that started last Friday. This can be an attempt to cover traces conducted by orchestrators of the WannaCry campaign.”

The similarities found between the two samples aren’t enough to claim attribution on their own, but they could lead to new connections which do help establish this, Kaspersky Lab concluded.
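The comparison Kaspersky describes, reduced to its crudest form, is finding byte runs that appear in both binaries and checking whether those runs survive in a later build. The snippet below is an added illustration, not Kaspersky's or Google's tooling, and the blobs it analyses are constructed stand-ins (random filler around a made-up "routine"), not bytes from any real WannaCry or Lazarus sample. The n-gram size and the guard bytes around the routine are assumptions made so the example runs deterministically.

```python
import random


def shared_chunks(a: bytes, b: bytes, n: int = 16):
    """Return (offset_a, offset_b, length) for each maximal run of at least
    n identical bytes that appears in both blobs.

    Every n-byte window of `a` is indexed by content; each window of `b` is
    looked up and the longest hit is extended byte by byte. Byte-exact
    matching is the weakest form of shared-code detection (relocations, a
    recompile or a different optimiser defeat it), but it is exactly the kind
    of evidence a hash-plus-offset tweet points at.
    """
    index = {}
    for i in range(len(a) - n + 1):
        index.setdefault(a[i:i + n], []).append(i)
    matches = []
    j = 0
    while j <= len(b) - n:
        best = None
        for i in index.get(b[j:j + n], ()):
            k = n
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            if best is None or k > best[2]:
                best = (i, j, k)
        if best is None:
            j += 1
        else:
            matches.append(best)
            j += best[2]  # skip the run so its sub-windows are not re-reported
    return matches


def removed_between(reference: bytes, old: bytes, new: bytes, n: int = 16):
    """Chunks of `reference` that `old` shares but `new` no longer contains.

    Chunks are compared by their offset and length inside `reference`
    (assumption: a chunk that survives is found in full, at the same
    reference offset, because the extension above is maximal)."""
    kept = {(i, k) for i, _, k in shared_chunks(reference, new, n)}
    return [m for m in shared_chunks(reference, old, n) if (m[0], m[2]) not in kept]


def hex_pattern(blob: bytes, offset: int, length: int) -> str:
    """Hex form of a shared chunk, the way one would paste it into a YARA
    string or a hunt query."""
    return " ".join(f"{x:02x}" for x in blob[offset:offset + length])


def _filler(seed: int, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for unrelated code."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(size))


# Constructed stand-in for a distinctive routine; NOT bytes from any real sample.
ROUTINE = b"\x55\x89\xe5\x83\xec\x18" + b"constructed-routine-marker-0123456789"

# Constructed "samples". Guard bytes (0x00 / 0xff) differ on each side of the
# routine so the shared run is exactly ROUTINE and nothing more.
LAZARUS_2015 = _filler(1, 600) + b"\x00" + ROUTINE + b"\x00" + _filler(2, 400)
WANNACRY_FEB = _filler(3, 300) + b"\xff" + ROUTINE + b"\xff" + _filler(4, 700)
WANNACRY_MAY = _filler(3, 300) + _filler(4, 700)  # same build minus the routine


def analyse():
    """Shared chunks with the early variant, with the later variant, and what
    was dropped between the two."""
    feb = shared_chunks(LAZARUS_2015, WANNACRY_FEB)
    may = shared_chunks(LAZARUS_2015, WANNACRY_MAY)
    dropped = removed_between(LAZARUS_2015, WANNACRY_FEB, WANNACRY_MAY)
    return feb, may, dropped


if __name__ == "__main__":
    feb, may, dropped = analyse()
    for i, j, k in feb:
        print(f"shared: reference@{i:#x} early@{j:#x} len={k}")
        print("  pattern:", hex_pattern(LAZARUS_2015, i, k))
    print("shared with later build:", may)
    print("removed in later build:", dropped)
```

On real samples the same idea is applied to disassembled functions rather than raw bytes, and a single shared routine is a lead, not attribution: it says only that the two authors had the same code, which is precisely what the Kaspersky statement above is careful to note.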

Symantec confirmed to Infosecurity Magazine that it is also investigating the new information.

Aside from the code similarities, Symantec said it had identified tools used exclusively by Lazarus Group on machines infected with earlier versions of WannaCry.

“These earlier variants of WannaCry did not have the ability to spread via SMB. The Lazarus tools could potentially have been used as a method of propagating WannaCry, but this is unconfirmed”, the firm added.

A report issued in April by Kaspersky Lab appeared to confirm a strong link between Lazarus and North Korea: a C&C server used by the group, located in Europe, had received a connection from an IP range in the hermit state.

Lazarus Group has been blamed for a range of financially motivated attacks, including the $81m raid on Bangladesh Bank, as well as the destructive attack on Sony Pictures Entertainment in which data was stolen and then wiped.

Although this similarity alone does not prove a strong connection between the WannaCry ransomware and the Lazarus Group, it could lead to new findings that shed light on the origin of WannaCry, which for the moment remains a mystery.
