Symantec has released further evidence it suggests ties the infamous North Korea-linked Lazarus Group to the WannaCry campaign, but it has already come under fire from critics who called it a premature assessment.
The security giant explained in a new blog on Monday that the “tools and infrastructure” used in WannaCry have “strong links” to Lazarus, the group pegged for attacks as varied as the ones against Sony Pictures Entertainment and Bangladesh Bank.
It claimed that an earlier version of WannaCry used in small targeted attacks from February-April is almost identical to the one which landed on May 12 and features many classic Lazarus tools, techniques and infrastructure, making it “highly likely” that it’s the work of the possible nation state group.
Symantec’s evidence includes Lazarus-linked malware – Trojan.Volgmer and two variants of the disk-wiping Backdoor.Destover – left on victim networks in February.
Trojan.Alphanc was used to spread WannaCry in the March and April attacks, and is a modified version of Backdoor.Duuzer, a sub-family of Backdoor.Destover linked to Lazarus.
Trojan.Bravonc was used to drop WannaCry onto several victims, and connects to a C&C server using the same IP address as that used by a sample of Destover and Duuzer. Bravonc’s method of spreading over SMB using hard-coded credentials, was the same technique used by Joanap, another Lazarus-linked tool, Symantec said.
Bravonc also has similar code obfuscation as WannaCry and Infostealer.Fakepude, also linked to Lazarus.
Finally, there’s shared code between WannaCry and Backdoor.Contopee, the latter also tied to Lazarus.
However, not everyone is thrilled with the assessment.
James Scott, senior fellow at cybersecurity thinktank the Institute for Critical Infrastructure Technology (ICIT), warned in a long note against “premature, inconclusive and distracting attribution.”
Writing a day after Symantec published its latest findings, he claimed that the connections to Lazarus are “premature and not wholly convincing.”
“Circumstantial similarities between malware variants and C2 infrastructure led to the recent attribution of WannaCry to Lazarus despite a sharp difference in the level of sophistication of the malware and threat actors, glaring differences in the target demographics, and severe variations in the operational procedures of the actors,” Scott argued.
“At best, WannaCry either borrowed heavily from outdated Lazarus code and failed to change elements, such as calls to C2 servers, or WannaCry was a side campaign of a minuscule subcontractor or group within the massive cybercriminal Lazarus APT.”
He claimed that the Lazarus Group was known for borrowing code from other malware, so any links are tentative. In addition, the group does not usually leave “identifying tools” behind, which should be another red flag, Scott said.
He added that those responsible for WannaCry exhibited none of the “silent and sophisticated” ways of working which Kaspersky Lab ascribed to the Lazarus Group, with white hats even managing to sinkhole the kill switch to thwart further infections.
A true North Korean group could have paired the attack with destructive malware to create a “devastating hybrid warfare attack on global targets”, he hypothesized.
“Eeach and every WannaCry attack has lacked the stealth, sophistication, and resources characteristic of Bluenoroff itself or Lazarus as a whole,” Scott explained. “If either were behind WannaCry, the attacks likely would have been more targeted, had more of an impact, would have been persistent, would have been more sophisticated, and would have garnered significantly greater profits.”
The conversation, therefore, should focus on improving industry cybersecurity best practices such as prompt patching and migrating to supported systems, rather than attribution, ICIT concluded.