A massive digital attack that swept the world late last week, holding computers and their data hostage for ransom, has largely petered out (for now). But as the crisis settles down, researchers are now able to take the time to start figuring out who started it all… and fingers are pointing at a familiar target.
The hack attack, a worm called WannaCry, ramped up last Friday, sweeping through more than a dozen hospitals in England before hopping over to massive phone and utility companies in Spain. By Sunday, security experts said more than 200,000 targets in 150 countries worldwide had been hit, and the worm was still spreading.
However, some security experts managed to come up with a “kill switch” over the weekend that dramatically stemmed the tide, and the WannaCry outbreak was brought under control — though not completely eliminated.
The worm exploits a vulnerability in Microsoft Windows that the NSA knew about, and kept to itself, for quite some time. That exploit, along with a whole bunch of other information, was leaked from the NSA this spring by a group calling itself the Shadow Brokers.
Microsoft issued a patch for the vulnerability back in March, when it became known, but clearly several enterprise IT departments around the world had yet to install or apply that particular update to their systems, leaving them vulnerable to WannaCry.
Meanwhile, security experts around the world have been poring over this attack, figuring out not only how it was able to spread so fast, but trying to suss out who was behind it.
As NPR reports today, a security expert at Google first spotted the possible connection to North Korea. Poring over the code, he recognized similarities to the malware behind the huge Sony hack in 2014, which was carried out by a group with ties to North Korea.
Other researchers then took a look and also confirmed similarities between the WannaCry code and code used in earlier malware. Security firm Symantec (you’ve probably had their Norton Antivirus on at least one computer once) said it “identified the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry,” and also pointed to “a specific sequence of 75 ciphers” that to date had only been seen in other Lazarus tools and WannaCry variants.
Although it’s a clear hint, it’s not yet definitive proof, NPR cautions. U.S. authorities have said they don’t yet know who is responsible for WannaCry, although they are investigating leads.