UK National Cyber Security Centre pins WannaCry blame on North Korea's Lazarus Group
NCSC lines up behind Symantec to point finger at North Korea's Lazarus group
The National Cyber Security Centre (NCSC) has pointed the finger of blame for last month's outbreak of the WannaCry ransomware, which affected as many as 20 per cent of NHS hospital trusts in the UK, at North Korea's Lazarus Group.
According to the BBC, NCSC conducted its own investigation in recent weeks in the aftermath of the attacks, including examining code taken from infected computers and comparing it with samples from previous attacks. The analysis strongly pointed to Lazarus Group, which has been linked with the North Korean government, the BBC reports.
It's not the first analysis to name North Korea as the likely culprit.
According to BAE Systems' Adrian Nish, the code seen in WannaCry is congruent with code seen in attacks previously linked to Lazarus. Symantec has also linked the outbreak with North Korea.
However, an analysis by Flashpoint of the ransom notes used by WannaCry suggested they were the work of native Chinese speakers, although the close links between North Korea and China mean that evidence might not necessarily rule out a North Korean connection.
Lazarus has been linked with a string of cyber attacks around the world, including:
- The February 2016 cyber-theft of $81m from Bangladesh Bank, when attackers were able to gain access to the Bangladesh central bank's SWIFT global payments system terminals;
- The March 2013 attack on South Korea that shut down tens of thousands of servers across North Korea's vastly more successful neighbour;
- The attack in November 2014 on Sony Pictures Entertainment, which coincided with the release of a film, The Interview, about an assassination attempt on North Korean leader Kim Jong-un.
Russian security software and services company Group-IB claims to have traced the group to a specific district of the North Korean capital, Pyongyang, and says that it is controlled out of the Bureau 121 government agency, which has engaged in various money-raising criminal acts for years, including counterfeiting and drug smuggling, as well as cyber attacks and fraud.
The North Korean state is also alleged to employ an 'army of trolls' numbering tens of thousands of staff whose purpose is to spread propaganda, hack websites and attack neighbouring South Korea in online posts.
Symantec has linked Lazarus with attacks going back to at least 2009, citing similarities in the malware code and attack techniques used.
However, James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, criticised Symantec's report and suggested that it was premature to definitively point the finger of blame for WannaCry at North Korea.