Author: China National News
Posted: Wednesday 17th May, 2017
North Korea has been mining bitcoins using malicious computer programs since as early as 2013
Symantec and Kaspersky Lab found similarities between WannaCry and previous attacks blamed on North Korea
Authorities are searching for digital clues to catch the extortionists behind the global cyberattack
SEOUL, South Korea – In a bid to catch the extortionists behind the global cyberattack that affected more than 150 countries, investigators are now searching for digital clues.
Cybersecurity experts now say that circumstantial evidence points to North Korea as a possible source of the global “ransomware” attack, citing the modus operandi of previous cyberattacks attributed to North Korea.
According to Simon Choi, who advises the South Korean government and has been analyzing North Korean malware since 2008, North Korea is no newcomer to the world of bitcoins.
Choi, who is also a director at the South Korean anti-virus software company Hauri Inc., said North Korea has been mining the digital currency using malicious computer programs since as early as 2013.
In the ransomware attack that has gripped the world since the weekend, hackers demand payment from victims in bitcoins to regain access to their encrypted computers.
The malware struck hospitals, factories, government agencies, banks and other businesses – taking all the data hostage since Friday.
However, contrary to expert predictions, the second-wave outbreak largely failed to materialize after the weekend.
Like Choi, a number of researchers around the world have suggested a possible link between the “ransomware” known as WannaCry and hackers linked to North Korea.
Researchers at Symantec and Kaspersky Lab have found similarities between WannaCry and previous attacks blamed on North Korea.
However, so far there has been no conclusive evidence of the links.
Authorities, meanwhile, continue to investigate the ransomware, focusing on digital clues and following the money.
Choi said, “We are talking about a possibility, not that this was done by North Korea.”
Experts have also said that the worm's rapid global spread suggests it did not rely on phishing, a method in which emails are sent to people in the hope that they click on infected documents or links.
Analysts at the European Union cybersecurity agency have said that the hackers likely scanned the internet for systems that were vulnerable to infection and exploited those computers remotely.
They explained that the worm likely spread through a channel that links computers running Microsoft Windows within a network.
A similar method has been found in previously known North Korean cyberattacks, including the 2014 Sony hack that was blamed on North Korea.
Choi said, “Since a July 2009 cyber attack by North Korea, they used the same method. It’s not unique in North Korea but it’s also not a very common method.”
He cited an accidental communication he had last year with a hacker traced to a North Korean internet address, who admitted developing ransomware.
According to Kaspersky Lab, portions of the WannaCry program use the same code as malware previously distributed by the Lazarus Group, a hacker collective that was said to be behind the 2014 Sony hack.
Further, Symantec claimed to have found similarities between WannaCry and Lazarus tools.
However, it is also possible that the code was simply copied from the Lazarus malware without any other direct connection.
Choi noted that if North Korea, which is believed to be training cyber warriors at schools, is indeed responsible for the latest attack, the world should stop underestimating its capabilities and work together on a new way to respond to cyber threats.
Choi said, “We have underestimated North Korea so far that since North Korea is poor, it wouldn’t have any technologies. But North Korea has been preparing cyber skills for more than 10 years and its skill is significant. We should never underestimate it.”
Meanwhile, commenting on additional clues that could be found in the bitcoin accounts accepting the ransom payments, Steve Grobman, chief technology officer at the California security company McAfee, said, “Although bitcoin is anonymized, researchers can watch it flow from user to user. So investigators can follow the transactions until an anonymous account matches with a real person.”
So far, investigators have identified three accounts and there’s no indication yet that the criminals have touched the funds.
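As an added illustration of the two checks described above (not code from the article or from any of the firms it quotes), the following Python walks a small constructed ledger forward from the ransom addresses: it reports whether the funds have been spent at all, and follows each spend hop by hop until it reaches an address where an identity could be attached. Every address, transaction id and label here is an invented placeholder.

```python
from collections import defaultdict, deque

# Constructed ledger for the example: every address, txid and amount is invented.
# Each transaction spends the listed input addresses and pays the listed outputs.
TRANSACTIONS = [
    {"txid": "tx1", "inputs": ["victim_a"], "outputs": [("ransom_1", 0.17)]},
    {"txid": "tx2", "inputs": ["victim_b"], "outputs": [("ransom_2", 0.17)]},
    {"txid": "tx3", "inputs": ["ransom_1", "ransom_2"], "outputs": [("hop_1", 0.33)]},
    {"txid": "tx4", "inputs": ["hop_1"], "outputs": [("exchange_x_deposit", 0.30), ("change_1", 0.03)]},
    {"txid": "tx5", "inputs": ["unrelated"], "outputs": [("elsewhere", 1.0)]},
]

# Addresses at which an identity could be attached, e.g. a deposit address at an
# exchange that identifies its customers. Constructed labels for the example.
LABELLED = {"exchange_x_deposit": "Exchange X customer deposit"}


def build_spend_index(ledger):
    """Map each address to the transactions that spend from it (forward edges)."""
    index = defaultdict(list)
    for tx in ledger:
        for addr in tx["inputs"]:
            index[addr].append(tx)
    return index


def funds_touched(ledger, ransom_addresses):
    """True if any ransom address has ever appeared as a transaction input."""
    index = build_spend_index(ledger)
    return any(addr in index for addr in ransom_addresses)


def follow_money(ledger, ransom_addresses, max_hops=10):
    """Walk forward from the ransom addresses, hop by hop, until a labelled
    address is reached. Returns {labelled_address: [txids on the path]}."""
    index = build_spend_index(ledger)
    found = {}
    seen = set(ransom_addresses)
    queue = deque((addr, []) for addr in ransom_addresses)
    while queue:
        addr, path = queue.popleft()
        if len(path) >= max_hops:
            continue  # stop following a chain that is already too long
        for tx in index.get(addr, []):
            for out_addr, _amount in tx["outputs"]:
                new_path = path + [tx["txid"]]
                if out_addr in LABELLED and out_addr not in found:
                    found[out_addr] = new_path
                if out_addr not in seen:
                    seen.add(out_addr)
                    queue.append((out_addr, new_path))
    return found
```

On a real ledger the same walk runs over parsed blocks, and the labelled set comes from attributions the investigator already trusts; the walk only produces leads, and the final match to a person comes from the entity that controls the labelled address.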
Further, James Lewis, a cybersecurity expert at the Center for Strategic and International Studies in Washington, said U.S. investigators are collecting forensic information, including internet addresses, samples of malware and information the culprits might have inadvertently left on computers.
These would be matched with the work of known hackers.