As experts point to North Korea as the creator of WannaCry ransomware that shut down UK hospitals earlier this month, one sceptical note still sounds.
Cyber security vendors including Symantec have linked WannaCry to the Lazarus Group, allegedly a group of North Korean hackers, but a think tank has called for caution amid the finger-pointing.
“To be abundantly clear, the recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing,” wrote James Scott, a senior fellow at the Institute for Critical Infrastructure Technology (ICIT).
He added: “Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat.”
The comments follow multiple vendors blaming North Korea for initiating the ransomware, which locked files and demanded Bitcoin payments to release them at 16 NHS organisations, among other targets, though the NHS initially found no evidence of personal data being compromised.
“From all that we see, the technical evidence points to the fact that this is Lazarus,” Symantec investigator Eric Chien told the New York Times on Monday.
The publication referred to “digital crumbs” that the cyber security firm had traced to previous attacks widely attributed to North Korea, like the Sony Pictures hack in late 2014.
Symantec also found similar tools and computer code in the WannaCry attack to previous hacks on South Korean targets.
But ICIT claimed the Lazarus Group was a “cyber-mercenary” outfit, and Scott said of the similarity between the malware tools used in WannaCry and previous attacks: “These claims should not be seen as overly definitive despite their presentation because Lazarus was known for borrowing code from other malware and because it remains possible that outdated Lazarus malware was captured by the WannaCry threat actors and occasionally used as a template for their less sophisticated malware development.”
He added: “At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT.”