Cyber security researchers tracking the global cyberattack tonight say the trail could lead back to North Korea.
Analysts from Google and at least three major cybersecurity firms have pointed to a piece of code that appeared in both an earlier version of the WannaCry virus and the 2016 attack on international banks attributed to the North Korea-linked hackers Lazarus Group.
“There is a link,” said John Bambenek of Fidelis Cybersecurity. “We are really drilling down on what it means but there is part of the code that is shared between WannaCry and a known DPRK hacking tool.”
It could be someone else using the code, researchers say, and there’s still no official attribution, but according to Bambenek, it’s “a solid lead” in the investigation.
North Korea has a history of computer criminality. The Lazarus Group has been accused of launching attacks against South Korean institutions in 2013, Sony Pictures Entertainment in 2014, and the SWIFT financial system in 2016.
“We’ve seen them steal money,” said John Carlin, a former assistant attorney general for national security and an ABC News contributor. “We’ve seen them steal information. We’ve seen them destroy information. They may not be the most capable country in the world, but they certainly have capabilities in this space.”
According to Ryan Kalember, senior vice president of cybersecurity at Proofpoint, a second and a third wave of WannaCry ransomware attacks both failed over the weekend, one variant using a modified “kill switch” and another variant with no “kill switch” at all. The first variant was quickly identified and stopped, while the second variant failed to “properly deploy.”
Kalember warned, however, that the threat is still serious.
“It remains critical that all organizations immediately ensure they have the most updated patches deployed and backups ready to restore in the event of a ransomware attack,” Kalember said.
Even so, the tally of…