Clues point to a link between a hacking group connected to North Korea and the ransomware attacks that have crippled computer systems worldwide, according to two cyber-security firms.
Experts at the global cyber-security firm Symantec found earlier versions of the ransomware known as WannaCry on computers that also bore evidence of the cyber tools used against Sony Pictures Entertainment, as well as banks in Poland and Bangladesh's central bank, attacks that were all linked to North Korea.
Also, a researcher at Google singled out identical code used both in the ransomware and by the Lazarus Group, a team of hackers tied to North Korea, Symantec noted.
In a blog post, Moscow-based Kaspersky Lab showed screens of the code, first identified in a tweet by Google researcher Neel Mehta, who pointed to the similarity between a WannaCry sample from February 2017 and a sample from Lazarus from February 2015.
"The scale of the Lazarus operations is shocking. The group has been very active since 2011," said Kaspersky in the blog.
Microsoft, whose older Windows operating system was the target of the ransomware that hit a quarter-million computers in 150 countries, has blamed the National Security Agency for stockpiling cyberweapons that were then stolen and used to form the attack, a scenario echoed by cybersecurity firms.
U.S. homeland security adviser Tom Bossert said Monday that WannaCry was not a tool developed by the NSA to hold ransom data, but he did not address whether the vulnerability was based on stolen NSA cyber tools.
The U.S. has had run-ins with North Korea's hackers before. In 2014, the United States charged North Korea with attacking computers at Sony in retaliation for the creation of a comedy titled "The Interview" that was about a C.I.A. plot to kill North Korean leader Kim Jong-Un.
Researchers warned that despite the findings, it could be months before any definitive link can be proven. "At this time, all we have is a temporal link," Symantec investigator Eric Chien told the New York Times. "We want to see more coding similarities ... to give us more confidence."
In the WannaCry attack, which started Friday, the attackers have demanded $300 per computer in payments to unlock infected computers, a scheme that paralyzed computers at U.K. hospitals, a Spanish telephone company, and European car factories. But payouts so far have yet to top $100,000, according to firms tracking the attackers' bitcoin accounts.
Could there be another reason?
Security researcher Matthieu Suiche, of Comae Technologies in the United Arab Emirates, said the hackers may be sending a message in some of the code that's showing up, suggesting their purpose is to stir political mayhem.
Contributing: Laura Mandaro
© 2017 USATODAY.COM