The WannaCry malware that spread quickly through much of the world in May, doing grievous temporary damage to the network security of Britain’s National Health Service (NHS), is now believed to have been the work of hackers operating from North Korea. This is the conclusion of the British National Cyber Security Centre (NCSC), a department of the Government Communications Headquarters. It led an investigation of the attack that had widespread cooperation from other cyber security agencies from around the globe.
The BBC has reported that security officials believe the hacking group known as Lazarus was behind the attack. This group is believed to have carried out a significant attack on Sony Pictures in 2014, which was in retaliation of the Seth Rogan movie The Interview, a satirical spoof of the North Korean leadership.
It is also suspected of other cyber crimes, including the electronic theft of bank funds, the most high profile case being an $81 million heist in 2016 from the central bank of Bangladesh. This cyber crime used weaknesses in the international transfer system SWIFT to launder money in various ways and is one of the biggest bank robberies of all time.
Lazarus is known to be based in North Korea, but its relationship with the secretive leadership in the country in unknown. Another attack that it has been linked to, which also featured ransomware, was against a South Korean supermarket chain.
It is not believed the ransomware — which encrypted data on computers and then demanded payment in Bitcoin to provide the key to un-encrypt the data — was specifically targeting Britain or the NHS. The conclusion is that it was a theft operation that grew out of control. It does not appear that the hackers received any ransom payments during the widespread incident.
The head of cyber threat intelligence at BAE Systems, Adrian Nish, recognized code in WannaCry that was familiar from prior Lazarus malware. He stated that the code-overlaps “are significant.” BAE is a defense and security multinational and is one of many private sector professionals who examined the WannaCry code. It is believed the NCSC assessment was deeper, using more robust examination tools.
The U.S. National Security Agency also assessed the attack, but since the malware was not as prevalent in the United States, the British probe had more resources at its disposal. There have been no credible reports of any other culprits being suspected of this crime.