
Why a shadowy hacking crime group called Lazarus may have launched a mass ransomware attack

Elizabeth Weise and Jon Swartz
USA TODAY
Employees monitoring possible "WannaCry" ransomware cyberattacks at the Korea Internet and Security Agency (KISA) in Seoul, South Korea.

SAN FRANCISCO — The shadowy organization believed to be behind the world's largest ransomware attack may represent a new cyberwar front in the escalating tensions between North Korea and the West. But it may just be about cold, hard cash.

In the days after an unnamed organization unleashed a virulent form of malware that paralyzed computers in 150 countries, cybersecurity researchers poring over the WannaCry malware's code and earlier, similar viruses noted a resemblance that amounted to a digital trail of breadcrumbs pointing to what's known as The Lazarus Group.

The group — described by some researchers as a criminal hacking contractor — may have ties to North Korea, raising the specter that the regime was escalating its use of cyber missiles alongside its ballistic missile launches.

But the hackers' group, whether working on behalf of North Korea or not, also wanted to raise money: $300 in bitcoin per frozen computer, according to victims like the U.K. National Health Service, Spain's Telefonica and U.S. shipper FedEx. And that would fit the profile of a communist country that is cash-strapped, say security experts, even though this particular ransomware scam has collected a scant $70,000 so far.


“The Lazarus group appears to be a contractor in the area of cyber mischief, but they seem to straddle the worlds of politics and crime," says John Arquilla, chair of defense analysis at the Naval Postgraduate School in Monterey, Calif. "I would call them a strategic criminal actor,” Arquilla says.

Unlike many hacking groups, the underground organization doesn't claim responsibility for attacks, does not release communiqués, and does not tweet its exploits. Instead, what cybersecurity researchers know about it stems from years of piecing together snippets of computer code it has reused, misspellings that recur throughout its programs, the languages it uses and even the time zone the attackers appear to work in.

It may not be linked to North Korea at all. Gartner senior cybersecurity analyst Avivah Litan says some of her sources indicate its leaders might be in Russia, with workers spread throughout the globe.

Sleuthing to stop and then trace the malware began early Friday, in the hours after an early morning attack started to hit computer networks in Europe and Asia. A ransomware program, dubbed WannaCry, was spreading rapidly across networks running older versions of Microsoft Windows, locking up screens with demands for payment.

“Why would they be doing this? The answer is money,” said T.J. Pempel, a professor of political science at the University of California-Berkeley and expert on North Korea. Much of North Korea's population is near starvation, with little industry and an enormous proportion of the nation’s wealth going towards the military, he says. In the past it has made money selling weapons and attempting to sell nuclear technology. So it’s not inconceivable that it’s moving into cyberspace as a possible source of hard currency with which to prop itself up, Pempel said.

After a seven-hour rampage, WannaCry was stopped Friday afternoon by a 22-year-old London-based security researcher working at Kryptos Logic, Marcus Hutchins, when he registered an Internet address the code used to test whether it was under surveillance. Enterprises rushed to install code patches Microsoft had made available. Those that did were protected against the hundreds of copy-cat variants of the program that sprouted after the initial launch. Those that weren’t patched found themselves locked out of their data. The onslaught hit 200,000 computers, chiefly in Europe and Asia. It then petered out for the start of the U.S. workweek.

By Tuesday, the Department of Homeland Security was saying fewer than 10 companies in the U.S. were reporting disruptions related to the global cyberattack.

Security researchers, meanwhile, were busy trying to find out whodunnit, posting their clues and successes to Twitter and blogs. Google security researcher Neel Mehta tweeted Monday that traces of computer code in the WannaCry ransomware resembled code from a previous hacking event linked to the Lazarus Group. Cybersecurity firms Kaspersky Lab and Symantec confirmed the connection, and Symantec pointed to a second link: earlier versions of the malware were found on machines that also showed traces of the Lazarus Group's tools.

Some of those tools had been used in attacks on Sony Pictures Entertainment in 2014, the massive theft of personal and corporate data that the Obama Administration eventually blamed on North Korea, plus the cyberheist of Bangladesh's central bank in 2016 that netted more than $80 million and multiple assaults on Polish banks in February.

Eric Chien, technical director of Symantec Security Response, says Symantec does not have enough evidence to conclusively pin the attack on Lazarus, but would not dismiss a link. It still requires a week or two more of research, he said.

The links raise multiple questions, only a few of which have been answered: Does Lazarus Group work for the North Korean government or is it independent? And what does it hope to accomplish?

North Korea is one of a handful of countries — Russia, China and Iran are others — with “offensively advanced cyberattacking capabilities,” says Robert Silvers, former assistant secretary for cyber policy at the U.S. Department of Homeland Security under the Obama Administration.

“What is alarming is they are willing to use them and not be constrained,” Silvers says. “It’s becoming clear North Korea is turning to the cyber domain to operate and achieve its political and criminal objectives. It doesn't seem concerned about being caught; there is a sense of impunity to it.”

Deepening the intrigue is the United States' role in the formation of the malware.

Microsoft has blamed the National Security Agency for stockpiling cyberweapons that were then stolen and used to form the attack, a scenario echoed by cybersecurity firms. A hacking group called the Shadow Brokers said it hacked the Equation Group, believed connected to the NSA, in August and posted what it found — vulnerabilities in Windows code — online after first trying to sell them.

U.S. Administration officials have denied the agency created the malware, while sidestepping the question of whether it may have once held the vulnerability that later formed WannaCry.

The murky underworld of the Dark Web has left analysts connecting the dots.

“It’s a matter of suspicions and implications," said the Naval Postgraduate School's Arquilla. "We don’t really have CSI-Cybercrimes just yet."
