There is evidence that the notorious Lazarus group was responsible for the massive ransomware attack that swept across the globe. A Google researcher Tweeted a piece of code from Wannacry that looks like it was directly copied from samples of malware used by the North Korean hacker group.
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
Lazarus is infamous for being behind the cyberattack on Sony Pictures that crippled the studio for several days. More recently, it was responsible for stealing millions of dollars from the Central Bank of Bangladesh.
There is a chance that the Wannacry code was borrowed by a copycat hacker, but security experts Kaspersky Labs believes that it is from the same group. This is because the copied code only exists in an earlier version of Wannacry, and was removed in later iterations of the malware.
For now, investigators are still looking into the Lazarus connection; which has bigger implications than if this attack was done by a regular cybercriminal group. The North Koreans are considered to be one of the most advanced threats in the existence and have shown to be highly skilled in their ability to infiltrate systems.
More importantly, this may be the first time that a state sponsored attack has exploited techniques from a different nation state. The SMB vulnerability used in Wannacry comes from the US National Security Agency’s stockpile of backdoors that were not disclosed to software companies. A number of these exploits were leaked by a separate hacker group last month.