North Korean hackers are allegedly behind the widespread ransomware attack that hit the UK’s National Health Service, affecting computers at hospitals and doctors’ offices last month, according to the BBC.
The hackers belong to a group known as Lazarus, which is believed to have targeted Sony Pictures in 2014 as it planned to release the movie The Interview.
They used a ransomware program called WannaCry, which hit multiple countries across the globe, locking up computers and ransoming access in exchange for large Bitcoin payments.
The NHS wasn’t specifically targeted; the attack affected organisations across a range of sectors.
The claim that the ransomware attack originated from North Korea was originally made in May by Google security researcher Neel Mehta, who posted a cryptic set of characters on Twitter together with the hashtag #WannaCryptAttribution.
Kaspersky Lab researchers explained that Mehta had posted two similar code samples, one from an early version of WannaCry and one originating from Lazarus.
Mehta allegedly found evidence that a variant of WannaCry shares code with the 2015 version of Contopee, a backdoor used by Lazarus Group.
Moreover, WannaCry’s code contained a kill switch, a way to stop the malware from spreading, indicating that whoever is behind the attack is not (purely) financially motivated.
Another cybersecurity expert, Adrian Nish, who leads the cyber threat intelligence team at BAE, also noticed the overlap with previous code developed by Lazarus.
“It seems to tie back to the same code-base and the same authors,” Nish told the BBC. “The code-overlaps are significant.”
Lazarus Group is highly sophisticated and very active, according to Kaspersky, which in a blog post called the scale of the group’s operation “shocking”.
Britain’s National Cyber Security Centre (NCSC), which is part of GCHQ, led the international investigation.