The WannaCry attack is gradually dying down, and antivirus companies, along with specialists from various interested agencies, now have the opportunity to study the worm and draw preliminary conclusions about its origin.
Experts believe that the traces of the largest virus attack in the history of the Internet lead to North Korea, or more precisely to a well-known hacker group called Lazarus, which works for that country's government. The same code is found in WannaCry and in Trojans from Lazarus.
What is the Lazarus group and what is it known for?
The North Korean hacker group carried out several acts of digital sabotage against the South Korean government in the 2000s, which served as a kind of pen test. The hackers then managed to withdraw 81 million dollars through SWIFT from the bank of Bangladesh (they had wanted to withdraw almost half a billion). The most famous incident is the hacking of Sony Pictures: the hackers stole personal data of company employees and their families, the contents of internal e-mail, information about wages, copies of unreleased Sony movies and much more. The hackers also threatened terrorist attacks at the premiere of the film "Interview", which parodies the North Korean leader Kim Jong Un. The film's screenings were canceled. The investigation revealed that in all cases the traces lead to North Korea and that the intruders' handwriting is similar. It concluded that the hackers of the Lazarus group are working for the government of this country.
Several pieces of evidence have been found linking WannaCry and Lazarus
Symantec specialists found tools that had been used exclusively by Lazarus on computers infected with earlier versions of WannaCry. These versions of WannaCry did not have mechanisms for spreading through SMB.
In addition, Google specialist Neel Mehta discovered shared code in the Lazarus group's tools and in the WannaCry worm. Symantec established that this code is a form of SSL. It is used to carry out a specific sequence of 75 ciphers, which until now has appeared only in Lazarus tools (including contopee and brambul) and in various versions of WannaCry.
Although these findings do not prove a connection between Lazarus and WannaCry, Symantec experts believe that there are sufficient grounds for opening an official investigation, EuroNews writes.