There are still a lot of things that are unclear regarding the devastating WannaCry ransomware attack, but security researchers may be getting closer to understanding its origin.
According to a technical clue, the global cyberattack that has infected more than 300,000 computers across 150 countries since May 12 is connected to North Korea.
WannaCry Linked To North Korea
Google security researcher Neel Mehta sent out a cryptic message through Twitter that referenced identical code found in a sample of WannaCry from February and a version of the malware Contopee from early 2015.
Contopee was created by the hacking team known as the Lazarus Group, perhaps best known for the security breach launched against Sony Pictures in 2014. Researchers from various security firms believe that the Lazarus Group is financed by the government of North Korea.
Symantec and Kaspersky Lab agreed with Mehta's findings that hint at some sort of connection between WannaCry and North Korea.
"This is the best clue we have seen to date as to the origins of WannaCry," said Kurt Baumgartner, a researcher for Kaspersky Lab.
Comae Technologies founder and security researcher Matt Suiche, meanwhile, said that there is "no doubt" that the code is shared between the two programs.
"WannaCry and this [program] attributed to Lazarus are sharing code that's unique. This group might be behind WannaCry also," he added.
Did North Korea Sponsor The WannaCry Attack?
Despite the similar code between malware created by the Lazarus Group and an early version of WannaCry, security researchers believe that it is still too early to claim that North Korea was behind the global ransomware attack.
Security officials from the United States and Europe, meanwhile, also said that it was too early to pin the attack on North Korea, but the country is currently one of the suspects.
Symantec and Kaspersky Lab both said that further analysis of the code used by WannaCry is needed to pinpoint its exact origins. The companies also asked security researchers from around the world for help in understanding one of the most damaging cyber extortion campaigns in history.
There is the possibility that the creators of WannaCry planted the Contopee code in the ransomware to trick researchers and send investigations down a different path. Kaspersky Lab researchers, however, believe that while plausible, such a thing is improbable because the snippet was removed from later versions of WannaCry. This meant that the similarity to the Contopee code was not meant to serve as a decoy.
While the link to North Korea is apparent, it is difficult to understand why a government would sponsor ransomware such as WannaCry. It behaves like the standard ransomware used by cyber criminals, and it is unclear why a country such as North Korea would be interested in payments of $300 at a time for each victim.
Whoever is behind WannaCry, Microsoft said in a statement that the ransomware attack should serve as a "wake-up call" to governments that keep cybersecurity vulnerabilities secret. In addition, as tech companies continue to roll out patches to fix exploits, customers should regularly update their systems to remain protected from attacks such as the WannaCry ransomware.