Indian-origin Google researcher links ransomware attack to N.Korea

As the world struggles to identify the cybercriminals behind the global ransowmware attack that hit 150 countries over the weekend, Neel Mehta, an Indian-origin security researcher working with Google, has claimed on Twitter that the hackers may have links to North Korea.

According to Mehta's discovery, the "Lazarus Group" that works on behalf of North Koreans may be behind the attack as the hacking group has, in the past, used the same coding and tools as were used in "WannaCrypt" -- the software used in the current hacking into the Microsoft operating software, the BBC reported on Tuesday.

Mehta, a University of British Columbia graduate who earlier worked with IBM Internet Security Systems, posted "codes" on Twitter, potentially pointing at a connection between the "WannaCrypt" ransomware attacks and the malware attributed to the infamous "Lazarus Group", responsible for a series of devastating attacks against government organisations, media and financial institutions.

"Our researchers analysed this information, identified and confirmed clear code similarities between the malware sample highlighted by the Google researcher and the malware samples used by the 'Lazarus Group' in 2015 attacks," Altaf Halde, Managing Director of Kaspersky Lab (South Asia), told IANS.

"Neel Mehta's discovery is the most significant clue to date regarding the origins of WannaCrypt," Kaspersky Lab added.

In 2014, Mehta uncovered the "Heartbleed" security bug that left millions of websites, online stores and social networks with a major security hole in place, exposing user information and financial information to hackers.

"Lazarus Group", that according to Mehta is based in China, was responsible for a major hack on Sony Pictures in 2014 and another on a Bangladeshi bank in 2016.

Kaspersky Lab, however, noted that a lot more information was needed about earlier versions of "WannaCrypt" before any firm conclusion could be reached.

"We believe it's important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of 'WannaCrypt'," the cyber security company added.

Though North Korea has never admitted any involvement in the Sony Pictures hack, security researchers and the US government are confident in the theory and neither can rule out the possibility of a false flag.

"Although this similarity alone doesn't allow proof of a strong connection between the 'WannaCrypt' ransomware and the 'Lazarus Group', it can potentially lead to new ones which would shed light on the 'WannaCrypt' origin which to the moment remains a mystery," Halde noted.

There are possibilities that skilled hackers might have simply made the hack look like it had origins in North Korea by using similar techniques.

Kaspersky noted that false flags within "WannaCrypt" were "possible" but "improbable", as the shared code was removed from later versions.

There is another possibility that "Lazarus Group" may be working independently and without the instructions from North Korea, the report added.

Meanwhile, the White House said on Monday that less than $70,000 has been paid in the ransomware attack globally.

"We are not aware of payments that have led to any data recovery," White House Homeland Security adviser Tom Bossert said at a daily briefing.

Specially, no US federal systems are affected, he said.

--IANS

qd/na/dg