Is North Korea Behind Global Cyber Attack? Identical Code Points Researchers Toward Possible Culprit

'There is no doubt functions are 100% the same,' says one researcher, but possibility remains that WannaCrypt developers copied code previously used by North Korea

A lock screen from a cyber attack warns that data files have been encrypted on a laptop computer in this arranged photo in London, U.K., on Monday, May 15, 2017.
Simon Dawson/Bloomberg

Cybersecurity researchers raised the possibility Monday that North Korea is behind "WannaCrypt," the ransomware program that targeted hundreds of thousands of computers in over 150 countries around the world.

Speculation began when Neel Mehta, a researcher with Google, tweeted two cryptic rows of numbers and letters. Beneath them he wrote, "#WannaCryptAttribution." The rows were supposedly a means of identifying two malware samples: the first, the initial version of the program released in February, before the addition of the NSA's code; the second, an example of the code used by the Lazarus Group, which, according to researchers, was responsible for the theft of $81 million from the central bank of Bangladesh as well as the attack against Sony studios over a movie mocking North Korean leader Kim Jong Un.

According to various researchers, the same group worked in the service of North Korea.

Other researchers have begun looking into the issue. In another series of tweets, a researcher named Matthew Suiche wrote that there are significant similarities between the code of the two groups. Comparing the two examples of code, he wrote, "There is no doubt functions are 100% the same."

However, when code is uncovered and published by researchers, there is a high possibility that another group will copy it and use it for its own needs, exactly as WannaCrypt's developers did with the NSA's code. Various investigators who were asked about Suiche's efforts told Haaretz that it's difficult to know with any certainty.

Checkpoint said that at the moment there's no information that supports or disproves the theory and that it is continuing to investigate in order to find conclusive evidence. Kaspersky, which addressed the subject in a blog post, wrote that there is a need for additional research into older versions of Wannacry.

"One thing is for sure," read the blog post, "Neel Mehta's discovery is the most significant clue to date regarding the origins of Wannacry."

Meanwhile, Israeli researchers with the company Checkpoint succeeded in stopping the spread of one of the new versions of WannaCrypt, using the same method that stopped the version that became active on Friday.