As the WannaCry ransomware epidemic wreaked havoc across the globe over the past three days, cybersecurity researchers and victims alike have asked themselves what cybercriminal group would paralyze so many critical systems for such relatively small profit? Some researchers are now starting to point to the first, still-tenuous hint of a familiar suspect: North Korea.
On Monday, Google researcher Neel Mehta issued a cryptic tweet containing only a set of characters. They referred to two portions of code in a pair of malware samples, along with the hashtag #WannaCryptAttribution. Researchers immediately followed Mehta’s signposts to an important clue: An early version of WannaCry—one that first surfaced in February—shared some code with a backdoor program known as Contopee. The latter has been used by a group known as Lazarus, a hacker cabal increasingly believed to operate under the North Korean government’s control.
“There’s no doubt this function is shared across these two programs,” says Matt Suiche, a Dubai-based security researcher and the founder of the security firm Comae Technologies. “WannaCry and this [program] attributed to Lazarus are sharing code that’s unique. This group might be behind WannaCry also.”