Cyber security experts have found technical evidence they said could link North Korea with the global WannaCry ransomware attack that has infected more than 300,000 computers in 150 countries since it surfaced on Friday.
Cyber security firms Symantec and Kaspersky Lab said on Monday that some code in an earlier version of the ransomware had appeared in programs used by the Lazarus Group, a hacking operation many researchers from several companies have linked to North Korea.
Kurt Baumgartner, a Kaspersky Lab researcher, told Reuters: “this is the best clue we have seen to date as to the origins of WannaCry.”
However, both firms said it was still too early to tell whether North Korea was involved in the attacks, based on the evidence provided by Neel Mehta, a Google security researcher who published the findings on Twitter. Despite slowing down on Monday, the attacks are among the fastest-spreading extortion campaigns on record.
The findings will be closely followed by law enforcement agencies around the world, including Washington, where homeland security said on Monday that possible culprits include foreign nations and cyber criminals.
FireEye Inc, another large cyber security firm, said it was also looking into possible links.
One of the firm’s researchers, John Miller, said: “the similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator”.
The Lazarus hackers, which work under impoverished North Korea, have been known to pursue financial extortion more than others, and have been blamed some cyber security firms for the theft of $81 million from the Bangladesh central bank. The North Korean mission to the UN did not immediately provide any comments.
However some researchers are not entirely certain if money was the primary motive of the WannaCry attack, noting that large cyber extortion campaigns usually receive millions of dollars of revenue.
Matthew Hickey, co-founder of British cyber consulting firm Hacker House, said “I believe that this was spread for the purpose of causing as much damage as possible”.
To date, the countries more affected by WannaCry are Russia, Taiwan, Ukrain, and India, according to Czech security firm Avast.
Beyond the immediate need to bolster cyber security, the issue also brought to light the discussion of the roles played by national governments in cyber security.
In a blog post published on Sunday, Microsoft Corp President Brad Smith confirmed that the attack made use of a hacking tool built by the NSA that had leaked online in April – a fact that was already widely concluded by researchers.
Regardless of who perpetrated the attack and their motives, investors have flocked towards cyber security stocks on Monday, betting that governments and corporations will spend more to upgrade their security infrastructure.