British officials appear to have come to the same conclusions as several IT security vendors: the WannaCry ransomware attacks were launched by North Korea-linked hacking group Lazarus.
Security sources told the BBC on Friday that they suspect the group, which has most famously been blamed for the destructive cyber-attack against Sony Pictures Entertainment in 2014 and the $81m heist from the Bangladesh Bank last year.
The National Cyber Security Centre (NCSC), which has been leading the investigation, is likely to have based its findings on a “wider set of sources” than several private sector assessments which have come to the same conclusion, the report claimed.
That’s because it’s technically part of spy agency GCHQ, and therefore will have access to a huge surveillance and intelligence-gathering apparatus.
At the time of writing there was $134,000 in Bitcoin payments made to the addresses linked to WannaCry, but no withdrawals, according to UK firm Elliptic, which monitors illicit activity on the Bitcoin blockchain.
That could indicate that the hackers were not financially motivated in their attack, or that the campaign is under too much scrutiny now for them to transfer the funds.
At the end of May Symantec released some detailed findings claiming to support the hypothesis that Lazarus was behind WannaCry.
This includes Lazarus-linked malware – Trojan.Volgmer and two variants of the disk-wiping Backdoor.Destover – being left on victim networks in February.
However, the cybersecurity think tank the Institute for Critical Infrastructure Technology (ICIT) has warned against “premature, inconclusive and distracting attribution.”
It claimed that evidence linking the North Korean group to the attacks is circumstantial at best.
WannaCry ripped through hundreds of thousands of victims in 150 countries worldwide last month, exploiting a Windows SMB vulnerability by leveraging a pair of NSA exploits.
The NHS was one early victim organization heavily impacted, with scores of Trusts forced to cancel patient appointments as IT systems were taken offline.