Researchers have discovered identical code in the Wanna Cry ransomware and in code used by a North Korean state hacking group.
Wanna Cry has infected hundreds of thousands of machines across 150 countries. Victims have ranged from British hospitals to the Russian Ministry of the Interior to a Spanish telecom.
Google security researcher Neel Mehta appears to be the first to have noticed that large swaths of computer code in an early version of Wanna Cry were identical to code used by the Lazarus Group, a team of hackers linked to the government of North Korea.
Mehta tweeted midday Monday a roadmap researchers could use to find the overlapping code.
The overlap has swayed other researchers. Kaspersky Lab noted that the matching code was removed from later versions of the ransomware, which they believe would be unlikely if it had been intended to throw researchers off the scent of the real criminals. The overlap only shows up in a sample from February.
"We believe a theory a false flag although possible, is improbable," Kaspersky Lab explained in a blog post.
Lazarus Group is best known for hacking Sony Pictures in 2014 to protest the movie "The Interview." But recently it has been linked to a series of digital bank robberies that, in one case, stole $81 million from the central bank of Bangladesh. The robberies would, many suspect, provide a revenue stream while the country faces crippling sanctions.
Kaspersky Lab describes the overlapping code as a significant piece of evidence but does not believe it solves the case.
"For now, more research is required into older versions of Wannacry. We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of [Wanna Cry]," the company's post reads.