American cyber-security firm Symantec said in a new report that tools and infrastructure used in the devastating WannaCry ransomware attack strongly suggest that a hacking group affiliated with North Korea was behind the malware attack that infected over 300,000 computers worldwide.
Security researchers at Symantec said they have identified numerous instances of similar code being used both in the Lazarus group's previous attacks and an early version of the WannaCry ransomware, which was launched in slow doses in February, March and April.
"Analysis of these early WannaCry attacks by Symantec's Security Response Team revealed substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry," Symantec said in a blog post on Monday.
Lazarus is the same hackers group behind the destructive hacks on Sony Pictures in 2014 and on a Bangladeshi bank in 2016. The Lazarus group is believed to be based out of China while working on behalf of North Korea.
In addition to similarities in code, researchers have also found strong evidence that WannaCry and previous Lazarus malware tools shared the same network infrastructure.
For example, during the attacks against Sony, a malware family called Backdoor.Destover was deployed. Later variants of Backdoor.Destover were seen to use the IP address 126.96.36.199 for command and control. The Trojan.Bravonc sample discovered dropping WannaCry also connects to this IP address.
The security researchers, however, also said despite having strong links to North Korean hackers, the WannaCry ransomware attack is not likely to be a government-backed campaign, because of the flaws in the malware's code and demands for ransom in Bitcoin.
"Our confidence is very high that this is the work of people associated with the Lazarus Group, because they had to have source code access," Vikram Thakur, Symantec's security response technical director, told Reuters. "We don't think that this is an operation run by a nation-state."
Last week, North Korea reportedly denied allegations linking it to WannaCry ransomware.
"It is ridiculous," Kim In-Ryong, North Korea's deputy ambassador to the United Nations, told reports on Friday, suggesting the US and South Korea were behind the allegation.
"Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign."