Researchers Investigate Possible Connection Between WannaCry and North Korean Hacker Group
Google, Kaspersky Lab and Symantec all have found common code in the WannaCry malware and that of the nation-state hackers behind the mega breach of Sony.
Newly discovered clues in the still-spreading massive ransomware worm WannaCry reveal some common threads between code used in the attacks with that of a nation-state attack group thought to be out of North Korea, the so-called Lazarus Group.
The WannaCry ransomware worm wriggling its way worldwide through vulnerable Windows systems across various industry sectors, meanwhile, appears to have slowed dramatically in the wake of two kill-switch mechanisms employed by security researchers.
Security researchers say the possible link between WannaCry and the Lazarus Group is traced back to a February 2017 WannaCry cryptor sample that very closely resembles a malware sample from the Lazarus Group two years before. Lazarus Group has been credited with the massive 2014 breach of Sony Pictures.
Speculation of a possible North Korea connection went live today after Google researcher Neel Mehta posted a cryptic tweet showing similar code elements of the two pieces of malware, with the hashtag #WannaCryptAttribution, and researcher Matthiu Suiche then tweeted a screenshot of the two code families, saying, “Similitude between #WannaCry and Contopee from Lazarus Group ! thx @neelmehta – Is DPRK behind #WannaCry ?”
Sean Sullivan, senior security advisor at F-Secure, says that he had a gut feeling about North Korea’s involvement, even before seeing Suiche’s tweet. He says the “indiscriminate vectors used” by the attackers made him wonder about North Korea’s possible involvement, but he doesn’t have any intel at this point to confirm it.
After the intriguing tweets, Kaspersky Lab late today posted a blog outlining the similarities between the WannaCry and Lazarus Group code. They confirmed that the February ransomware variant is a precursor to the WannaCry attacks this month. “It shares the same the list file extension targets for encryption but, in the May 2017 versions, more extensions were added,” they wrote.
“Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry,” Kaspersky researchers wrote. But they say more research is necessary to more definitively connect any dots.
“We believe this might hold the key to solve some of the mysteries around this attack,” the researchers said.
Symantec, too, today said it found what it describes as clues that “loosely tie” WannaCry and Lazarus attackers. The common code from both groups that Google’s Mehta initially revealed is a form of SSL, according to Symantec only seen in Lazarus Group tools and in the WannaCry variants. Symantec also said they found tools only used by Lazarus on victim machines that were hit with earlier versions of WannaCry that didn’t come with the SMB worm capabilities.
Darien Huss, senior security research engineer with Proofpoint, studied the code snippets posted by Google and Kaspersky Lab, and says he corroborates their findings. He also found the two code samples have other overlapping functions as well. Huss initially didn’t believe the attacks were from a nation-state.
“I remember thinking this attack was not sophisticated whatsoever,” he says. “They stole an exploit that was leaked and already had been ported to Metasploit” and then they also botched the kill-switch option by not obtaining the domain for it. “But it could have been their goal to look unsophisticated,” he says.
Meanwhile, the US mostly has dodged the bullet with WannaCry thanks to a kill-switch function in the malware that a researcher inadvertently triggered, sinkholing much of the attack and preventing more spread. Federal Express so far is the only US company publicly revealed as a victim of WannaCry.
As of this posting, the worm has hit more than 100 countries – some reports say 150 – and infected anywhere from 130,000 to 200,000 machines.
The WannaCry attackers may be victims of their own success. Researchers from Kaspersky Lab say the attackers ultimately may not get to cash in on the paid ransom in bitcoin, which currently sits in three digital wallets with some $54,000 as of this posting. Proofpoint’s latest count is closer to $65,000.
“We believe it’s unlikely the attackers will be able to do anything with the bitcoins, considering the current high level of interest in this story. Even though the wallet owners are anonymous, the transactions are visible to everybody and can be tracked,” Kaspersky said in its blog. “Once the bitcoins reach a payment point, where the attackers use them to purchase something in the real world, that payment can be tracked to shipment details, services, or other IPs, effectively, increasing the chances of getting caught.”
Monetary gain wasn’t likely the motivation, anyway, if it was North Korea behind the attacks, notes Darien Huss, senior security research engineer with Proofpoint. “Monetary gain doesn’t make a lot of sense because they chose to charge people bitcoin, which is not anonymous currency. It’s easy to track exchange of bitcoin” versus other digital currency, he says.
Phish or Watering Hole?
No one yet has confirmed just how the WannaCry attacks initially infected their victims. While most ransomware attacks began with a phishing email, some researchers investigating WannaCry have raised doubts over the past couple of days over whether the attacks used phishing at all.
IBM X-Force late today said after analyzing more than 500 million spam emails, they aren’t convinced WannaCry victims were infected via email or attachments. The researchers there today said they are working with victim clients and law enforcement to determine the initial attack vector.
“I don’t think there is a phishing angle” to the attack, says Proofpoint’s Huss. “With the number of eyes on this, if there was phishing, we probably would have found it already.”
A watering hole is a possible initial attack vector, but more difficult to find without a full-packet capture recording of such an attack, he says.
WannaCry is a modular piece of malware that exploits MS17-010, a flaw in Windows SMB that Microsoft patched in March, after Shadowbrokers dumped online a zero-day exploit it had pilfered from the NSA’s toolkit. The attacks, which first were spotted on May 12, led Microsoft to take the rare action of issuing emergency patches for operating systems it no longer maintains: Windows XP, Windows Server 2003, and Windows 8, all of which were vulnerable to the attack as well. Windows 10 is immune to the attacks.
The WannaCry attackers amped up the SMB exploit with the worm capabilities that allow it to self-propagate among vulnerable systems. It also uses a backdoor called DoublePulsar. It employs strong RSA 2048-bit encryption, and contains a loader that writes a file to victim machine disk, as well as the ransomware DLL that encrypts the files and then spreads the malware in worm-mode.
The attackers demanded ransom fees between $300 to $600 to relinquish the hijacked data. Meanwhile, researchers are reporting new variants appearing, so the threat is far from over, experts say. There are at least two confirmed variants that are now sinkholed by researchers.
Applying the Windows SMB patch of course is the key defense here, but organizations also should ensure their SMB protocol is not exposed to the public Internet (port 445), and that they have proper offline backups of their data.