Symantec attacked over claims that WannaCry ransomware is the work of North Korea

Claims by Symantec earlier this week that the WannaCry ransomware is the work of a North Korean group called Lazarus have been labelled "premature, inconclusive and distracting", by the Institute for Critical Infrastructure Technology (ICIT).

"The recent speculation concerning WannaCry attributes the malware to the Lazarus Group, not to North Korea, and even those connections are premature and not wholly convincing," warned James Scott, a senior fellow at the ICIT.

He continued: "Lazarus itself has never been definitively proven to be a North Korean state-sponsored advanced persistent threat; in fact, an abundance of evidence suggests that the Lazarus Group may be a sophisticated, well-resourced, and expansive cyber-criminal and occasional cyber-mercenary collective."

Indeed, the speed with which the ransomware took hold - raising its profile, and with it victims' reluctance to pay up, as well as piquing the interest of law enforcement worldwide - combined with a series of coding shortcomings that made it easy to defeat, notably the unregistered kill-switch domain, indicate that WannaCry wasn't the work of the most technically accomplished of malware writers.

Scott continued: "Circumstantial similarities between malware variants and command-and-control infrastructure led to the recent attribution of WannaCry to Lazarus despite a sharp difference in the level of sophistication of the malware and threat actors, glaring differences in the target demographics, and severe variations in the operational procedures of the actors.

"At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to command and control servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cyber-criminal Lazarus advanced persistent threat," Scott suggests.

Scott also criticised Symantec's methodology, which only monitored a "small number of targeted WannaCry 1.0 attacks in February, March and April 2017" and, on the basis of this, claimed that the attacks in May were "nearly identical", except for the addition of an exploit spilled from the US National Security Agency (NSA), called EternalBlue, and the removal of some code from a 2015 Lazarus Group sample.

In addition, Scott claims that while Symantec highlighted the tools found alongside WannaCry that are associated with Lazarus, it ignored others that were not. In other words, Scott accused Symantec of being selective in what it chose to highlight in its research.

"It is important to note that while malware used in past Lazarus campaigns was discovered on systems infected with the WannaCry malware, it is uncharacteristic of the Lazarus Group to leave identifying tools on victim systems or more recently, to not deploy a destructive wiper component when finished exfiltrating valuable data," wrote Scott.

Kaspersky, noted Scott, has in the past pointed out that Lazarus tends to be "silent and sophisticated", to deploy persistent backdoors and to learn about their targets before they launch their attacks. They are also known for deploying 'wipers' in their malware to destroy data and for minimising the re-use of tools - operating a factory-style conveyor belt of different or always-evolving malware.

"Lazarus exhibits strict organization at all stages of operation. On a few rare occasions, Lazarus has re-used tools due to the size and scale of the Group hindering immediate communication and constant awareness of all active initiatives… WannaCry's shoddy configuration and meagre profiteering does not align with the sophistication and targeting profile of the Lazarus Group," concluded Scott.

The WannaCry ransomware was launched on the morning of Friday 12 May. It affected more than 230,000 Windows machines around the world, including systems running in 20 per cent of NHS trusts in the UK, self-propagating across networks by using the EternalBlue exploit against SMBv1, the legacy file-sharing protocol listening on TCP port 445.

That exploit was spilled into the wild by a group calling itself the Shadow Brokers, which surfaced in 2016 claiming to have stolen a cache of tools from the NSA-linked Equation Group. Microsoft fixed the underlying SMBv1 flaw in March 2017 (bulletin MS17-010), a month after it had skipped its February Patch Tuesday entirely; the Shadow Brokers then published EternalBlue itself in April 2017, so the patch had been available for roughly two months when WannaCry hit.

The WannaCry outbreak was largely neutralised within a day when a curious security researcher registered a hard-coded but previously unregistered domain name found in the malware. Before encrypting anything, the sample tried to connect to that domain and exited if the connection succeeded, behaviour generally read as a crude check for a sandbox that fakes internet access. Registering (sinkholing) the domain turned that check into a kill switch: new infections still landed on hosts and the worm component kept scanning for SMB targets, but the ransomware payload no longer ran.
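The kill switch stopped the encryption, not the infection, which matters for incident response: once the domain was sinkholed, any host that looked it up had executed the worm and may still be scanning TCP 445 internally. The following PowerShell is an added example (not from the article, Symantec or ICIT) that triages DNS query logs for that lookup. The domain is a placeholder, since the article does not name the real one, and the log lines are constructed in a simple "time client qname" shape rather than any particular DNS server's format.

```powershell
# Added example: find hosts that resolved the kill-switch domain in DNS query logs.
# $KillSwitchDomain is a PLACEHOLDER; substitute the real hard-coded domain.
$KillSwitchDomain = 'killswitch.example'

# Constructed sample log (not real data): "<timestamp> <client ip> <queried name>".
$SampleDnsLog = @'
2017-05-12T14:02:11Z 10.20.3.14  killswitch.example
2017-05-12T14:02:12Z 10.20.3.14  update.microsoft.com
2017-05-12T14:03:40Z 10.20.7.201 killswitch.example.
2017-05-12T14:03:41Z 10.20.3.14  killswitch.example
2017-05-12T14:05:02Z 10.20.9.8   www.example.com
'@

function Get-KillSwitchLookups {
    param([string]$LogText, [string]$Domain)
    $LogText -split "`r?`n" |
        Where-Object { $_.Trim() } |
        ForEach-Object {
            # Split into at most three fields so a qname can never swallow extra columns.
            $ts, $client, $qname = $_.Trim() -split '\s+', 3
            # Normalise the trailing dot and case that DNS logs often carry.
            if ($qname -and $qname.TrimEnd('.').ToLower() -eq $Domain.ToLower()) {
                New-Object PSObject -Property @{ Time = $ts; Client = $client; QName = $qname }
            }
        }
}

$hits = Get-KillSwitchLookups -LogText $SampleDnsLog -Domain $KillSwitchDomain

# One row per client: when it first ran the worm and how many times the check fired.
# Repeated lookups from one host usually mean the worm re-landed on it from a neighbour,
# i.e. SMBv1 is still reachable inside the network and the host is not yet patched.
$hits | Group-Object Client | ForEach-Object {
    New-Object PSObject -Property @{
        Client    = $_.Name
        FirstSeen = ($_.Group | Sort-Object Time | Select-Object -First 1).Time
        Lookups   = $_.Count
    }
} | Sort-Object FirstSeen | Format-Table Client, FirstSeen, Lookups -AutoSize
```

On the constructed input this reports 10.20.3.14 (two lookups) and 10.20.7.201 (one). Every such host should be isolated and patched even though its files were not encrypted; the absence of a ransom note is the kill switch working, not evidence that the host is clean.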

The ransomware was able to run wild partly due to its use of the NSA's EternalBlue exploit, which gave it worm-like spread to any unpatched host reachable on TCP port 445, and partly due to many individuals and organisations not applying the March patch in a timely fashion - or at all.
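The two things a defender needed on each Windows host were the MS17-010 fix and, ideally, SMBv1 switched off altogether. The PowerShell below is an added example (not from the article) that audits a Windows 7 / Server 2008 R2 host for both and remediates SMBv1 on request. The KB numbers are the Windows 7 / 2008 R2 security-only and monthly-rollup updates for MS17-010 plus the out-of-band update Microsoft issued for XP, Server 2003 and Windows 8 the day after the outbreak; other builds have their own KBs, which must be taken from the bulletin. The registry and service names are Microsoft's documented switches for that generation of Windows, which predates the Get-SmbServerConfiguration cmdlet.

```powershell
# Added example: audit a Windows 7 / 2008 R2 host for MS17-010 and SMBv1 exposure.
# Run elevated. -Remediate disables SMBv1 (server and client); a reboot then applies it.
param([switch]$Remediate)

# MS17-010 updates for Win7/2008R2 (security-only, monthly rollup) and the
# out-of-band XP/2003/8 update. Other builds: take the KB from the bulletin.
$Ms17010Kbs   = @('KB4012212', 'KB4012215', 'KB4012598')
$LanmanSrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Test-Ms17010Installed {
    # Caveat: Get-HotFix only lists updates that are still registered. A later rollup
    # that supersedes these will hide them, so "not found" on a well-maintained host
    # means "check WSUS/SCCM", not "definitely vulnerable".
    $hits = Get-HotFix -ErrorAction SilentlyContinue |
            Where-Object { $Ms17010Kbs -contains $_.HotFixID }
    return [bool]$hits
}

function Test-Smb1ServerEnabled {
    # SMB1 value absent or non-zero => SMBv1 is offered on TCP 445; 0 => disabled.
    $v = (Get-ItemProperty -Path $LanmanSrvKey -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    return ($null -eq $v) -or ($v -ne 0)
}

function Test-Smb1ClientEnabled {
    # mrxsmb10 is the SMBv1 redirector driver; anything but Disabled means the client
    # side will still speak SMBv1 to a malicious or downgraded server.
    $drv = Get-WmiObject Win32_SystemDriver -Filter "Name='mrxsmb10'"
    return ($null -ne $drv) -and ($drv.StartMode -ne 'Disabled')
}

function Disable-Smb1 {
    # Server side: Microsoft's documented registry switch.
    Set-ItemProperty -Path $LanmanSrvKey -Name SMB1 -Type DWORD -Value 0 -Force
    # Client side: drop the SMBv1 redirector from the workstation service's
    # dependencies, then disable the driver itself.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null
}

$report = New-Object PSObject -Property @{
    Host              = $env:COMPUTERNAME
    Ms17010KbFound    = Test-Ms17010Installed
    Smb1ServerEnabled = Test-Smb1ServerEnabled
    Smb1ClientEnabled = Test-Smb1ClientEnabled
}
$report | Format-List Host, Ms17010KbFound, Smb1ServerEnabled, Smb1ClientEnabled

if ($Remediate -and ($report.Smb1ServerEnabled -or $report.Smb1ClientEnabled)) {
    Disable-Smb1
    Write-Host 'SMBv1 disabled in registry and service configuration; reboot to apply.'
}
```

Disabling SMBv1 removes the protocol EternalBlue targets rather than just patching one bug in it, but it will break anything that can only speak SMBv1 (old NAS boxes, printers, legacy Samba), so inventory those before running with -Remediate across a fleet. Hosts that cannot be patched or have SMBv1 removed should at minimum have TCP 445 blocked at the network edge and between VLANs, since WannaCry spread both from the internet and laterally.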

Earlier claims that the out-of-support Windows XP operating system was largely to blame were found not to be true: XP machines hit with EternalBlue typically crash with a blue screen rather than being infected, so they neither ran the ransomware nor helped it spread. The bulk of infections were on Windows 7 systems that had not taken the March patch.

Microsoft's SMB networking protocol, meanwhile, is no stranger to catastrophic security flaws, having been the subject of major scares in 2009 and 2015. SMBv1 in particular dates from the late 1980s, and at the time of the outbreak it was still enabled by default on every supported version of Windows, which is why a single exploit could reach so many hosts.