“The Lazarus Group’s activity spans multiple years, going back as far as 2009,” Kaspersky Labs said in a report last year. “Their focus, victimology, and guerrilla-style tactics indicate a dynamic, agile and highly malicious entity, open to data destruction in addition to conventional cyberespionage operations.”
But some experts see the latest attack as an anomaly.
WannaCry infected more than 200,000 systems in more than 150 countries with demands for payments of $300 in Bitcoin per victim in exchange for the decryption of the files it had taken hostage. Victims received warnings on their computer screens that if they did not pay the ransom within three days, the demand would double. If no ransom was paid, the victim’s data would be deleted.
As ransomware attacks go, that’s a pretty typical setup.
But that’s not — or at least hasn’t been — the way North Korean hackers are believed to work.
“This is not part of the previously observed behavior of DPRK cyberwar units and hacking groups,” Michael Madden, a visiting scholar at the Johns Hopkins School of Advanced International Studies and founder of North Korea Leadership Watch, said in an email to The Associated Press. “It would represent an entirely new type of cyberattack by the DPRK.”
Madden said the North, officially known as the Democratic People’s Republic of Korea, if it had a role at all, could have instead been involved by giving or providing parts of the packet used in the attack to another state-sponsored hacking group with whom it is in contact.
“This type of ransomware/jailbreak attack is not at all part of the M.O. of the DPRK’s cyberwar units,” he said. “It requires a certain level of social interaction and file storage, outside of those with other hacking groups, that DPRK hackers and cyberwar units would not engage. Basically they’d have to wait on Bitcoin transactions, store the hacked files and maintain contact with the targets of the attack.”
Other cybersecurity experts question the Pyongyang angle on different grounds.
James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a cybersecurity think tank, argues that the evidence remains “circumstantial at best,” and believes WannaCry spread due to luck and negligence, not sophistication.
“While it is possible that the Lazarus group is behind the WannaCry malware, the likelihood of that attribution proving correct is dubious,” he wrote in a recent blog post laying out his case. “It remains more probable that the authors of WannaCry borrowed code from Lazarus or a similar source.”
