Cybersecurity experts are pointing to circumstantial evidence that North Korea may be behind the global “ransomware” attack: the way the hackers took hostage computers and servers across the world was similar to previous cyberattacks attributed to North Korea.
Simon Choi, a director at South Korean anti-virus software company Hauri Inc. who has analyzed North Korean malware since 2008 and advises the government, said Tuesday that the North is no newcomer to the world of bitcoins. It has been mining the digital currency using malicious computer programs since as early as 2013, he said.
In the attack, hackers demand payment from victims in bitcoins to regain access to their encrypted computers. The malware has scrambled data at hospitals, factories, government agencies, banks and other businesses since Friday, but an expected second-wave outbreak largely failed to materialize after the weekend, in part because security researchers had already defanged it
A researcher from South Korea’s Hauri Labs said on Tuesday their own findings matched those of Symantec (SYMC.O) and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.
“It is similar to North Korea’s backdoor malicious codes,” said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea’s hacking capabilities and advises South Korean police and National Intelligence Service.
Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.
The attacks, which slowed on Monday, are among the fastest-spreading extortion campaigns on record.
In China, foreign ministry spokeswoman Hua Chunying said she had no information to share, when asked about the origin of the attack and whether North Korea might be connected.
Several Asian countries have been affected by the malware, although the impact has not been as widespread as some had feared.
In Malaysia, cybersecurity firm LE Global Services said it identified 12 cases so far, including a large government-linked corporation, a government-linked investment firm and an insurance company. It did not name any of the entities.
“We may not see the real picture yet, as companies are not mandated to disclose security breaches to authorities in Malaysia,” said LE Global CEO Fong Choong Fook.
South Korea was mostly spared from the latest ransomware attack, partly because constant threats from the North have made the government and companies careful about always updating their software.
South Korea has been a frequent target of cyberattacks that it traced to its northern neighbor. Some high-profile attacks between 2009 and 2013 shut down government websites, banking systems and paralyzed broadcasters.
Researchers might find some additional clues in the bitcoin accounts accepting the ransom payments. There have been three accounts identified so far, and there’s no indication yet that the criminals have touched the funds.
Although bitcoin is anonymized, researchers can watch it flow from user to user. So investigators can follow the transactions until an anonymous account matches with a real person, said Steve Grobman, chief technology officer with the California security company McAfee.
But that technique is no sure bet. There are ways to convert bitcoins into cash on the sly through third parties. And even finding a real person might be no help if they’re in a jurisdiction that won’t cooperate.
Even if the perpetrators can be identified, bringing them to justice could be another matter. They might be hiding out in countries that wouldn’t be willing to extradite suspects for prosecution, said Robert Cattanach, a former U.S. Justice Department attorney and an expert on cybersecurity.
On the other hand, the WannaCry attack hit — and annoyed — many countries. Russia was among the hardest hit, and Britain among the most high-profile, and both have “some pretty good investigative capabilities,” Cattanach said.