In the wake of Friday’s global cyberattack that disrupted around 300,000 computer systems in more than 150 nations, cybersecurity experts speculated that uncovering the perpetrator could take months of investigation. While this might still be true, a group of cybersecurity researchers has confirmed the first piece of legitimate evidence linking the ransomware to North Korean hackers. On Monday, researchers from two cybersecurity providers—the American software company Symantec and the Russian-based Kaspersky Lab—revealed that some of the code used in the ransomware, known as WannaCry, was nearly identical to code used by the Lazarus Group, a North Korean hacking operation.
The connection was first hinted at on Twitter by Neel Mehta, a Google security researcher. While the link is mostly speculative, researchers say the code is exclusive to North Korean hackers, who used an extremely similar version for three of the most prominent cyberattacks in recent history: the 2014 hack of Sony Pictures Entertainment, the 2016 hack of Bangladesh Central Bank, and a February hack of several Polish banks. Still, both the Kaspersky Lab and Symantec—which has previously identified hacks carried out by the United States, Israel, and North Korea—said they would need to investigate further before confirming North Korea’s involvement.
“At this time, all we have is a temporal link,” Eric Chien, an investigator at Symantec, told The New York Times. But Kurt Baumgartner, a researcher at the Kaspersky Lab, insisted to Reuters that it was “the best clue we have seen to date as to the origins of WannaCry.” Meanwhile, a third cybersecurity firm, FireEye, Inc., told Reuters the similarities were not unique enough to suggest a correlation.
There are many reasons for cybersecurity experts to be skeptical of the link to North Korea. For one, hackers have a tendency to steal or modify each other’s codes, and might also be inclined to trick investigators by introducing a “false flag.” Some experts also speculate that not one, but two, sources were responsible for the attack, since certain parts were coded differently. Amanda Rousseau, a malware researcher at the security firm Endgame, affirmed this theory to CNN, while also introducing the idea that the perpetrator was an inexperienced hacker, since the ransomware was relatively easy to reverse engineer.
Another obstacle to identifying the culprit is the lack of a clear motivation. Previous hacks attributed to the Lazarus Group have resulted in much larger thefts, with the organization garnering $81 million in the Bangladesh heist alone. As a result, some cybersecurity experts believe that Friday’s hackers were looking to inflict widespread damage rather than pocket a large sum. And yet, the potential link to the Lazarus Group cannot be discounted. While he admits that attribution is difficult to pinpoint, Matt Suiche, a Dubai-based security researcher, told Wired it “would be a lot of trouble” for hackers “to write ransomware, target everyone in the world, and then make a fake attribution to North Korea.”
If North Korea is ultimately found responsible, the repercussions could be grave. “It could very well be considered an act of terrorism depending on who is behind the attack,” Michael Daly, the Chief Technology Officer at Raytheon Cybersecurity and Special Missions, said in an emailed statement. On Monday, President Trump’s Homeland Security Adviser, Thomas Bossert, said that both foreign nations and cyber criminals were considered suspects. “I don’t want to say we have no clues,” Bossert told White House reporters. “But I stand assured that the best and brightest are working on this hack.”