Is North Korea Behind Global Cyber Attack? Identical Code Points Researchers Toward Possible Culprit

Cybersecurity researchers raised the possibility Monday that North Korea is behind "WannaCrypt," the ransomware program that targeted hundreds of thousands of computers in over 150 countries around the world.

Speculation began when Neel Mehta, a researcher with Google, tweeted two unclear rows of numbers and letters. Beneath them he wrote, "#WannaCryptAttribution." The rows were supposedly a means of identifying two malware programs: One - the first version of the program released in February, before the addition of the NSA's code, and two - an example of the code used by the Lazarus Group, which, according to researchers, was responsible for the theft of $81 million from the central bank of Bangladesh as well as the attack against sony studios for a movie mocking North Korean leader Kim Jong Un.

9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution

— Neel Mehta (@neelmehta) May 15, 2017

According to various researchers, the same group worked in the service of North Korea.

Other researchers have begun looking into the issue. In another series of tweets, a researcher named Matthew Suiche wrote that there are significant similarities between the code of the two groups. Comparing the two examples of code, he wrote, "There is no doubt functions are 100% the same."

.@neelmehta Another diff between the decompiled functions between #WannaCry and Contopee #LazarusGroup - There is no doubt functions are 100% the same. pic.twitter.com/TgcWqaVCh2

— Matthieu Suiche (@msuiche) May 15, 2017

However, when a code is uncovered and published by researchers, there is a high possibility that another group will copy the code and use it for their own needs - exactly as WannaCrypt's developers did with the NSA's code. Various investigators who were asked about the Suiche's efforts told Haaretz that it's difficult to know with any certainty.

Checkpoint said that at the moment there's no information that supports or disproves the theory and they're continuing to investigate in order to find conclusive evidence. The company Kaspersky, which addressed the subject in a blog post, wrote that there's need for additional research into older versions of Wannacry. 

"One thing is for sure," read the blog post, "Neel Mehta's discovery is the most significant clue to date regarding the origins of Wannacry.

Meanwhile, Israeli researchers with the company Checkpoint succeeded in stopping the spread of one of the new versions of WannaCrypt, using the same method that stopped the version that became active on Friday.