Multiple security researchers have noticed the similarities
Earlier today, a Google researcher by the name of Neel Mehta posted a message on Twitter featuring the hashtag #WannaCryptAttribution.
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0,0x10012AA4 #WannaCryptAttribution
The message also contains two code samples: one from the WannaCry cryptor sample from February 2017 and one from a Lazarus APT group sample from February 2015, as folks from Kaspersky Lab point out. The code shown in the tweet implements an encoding algorithm shared by both samples.
Lazarus is a rather well-known hacker group. They've been linked to the Sony wiper attack, as well as the Bangladesh bank heist that left the bank a few million short. The group has been active since 2011, and hundreds of Lazarus-related samples have been collected over the years. Analysis of those samples revealed that the group produces its malware via "multiple independent conveyors."
There are, of course, plenty of questions about whether this is a genuine link or just a ruse. After all, it would not be that difficult for the WannaCry authors to have copied Lazarus' code. On the other hand, the shared code appears not to have been removed from the 2015 backdoor code, which makes the story that much more believable.
Folks at Kaspersky are pretty certain that the WannaCry sample made available in February 2017 was actually compiled by the same people behind the current attack, or by people with access to the same source code.
Security researchers other than Mehta have noticed the same similarity, such as Comae Technologies' Matthieu Suiche, who also discovered a new WannaCry variant and stopped it by activating its kill switch.
Now, the interesting part is that Lazarus has been identified by US intelligence agencies as a North Korean government operation. Kaspersky Lab itself presented evidence just a month or so ago linking the attacks on Vietnamese banks, the Bangladesh bank, and the SWIFT banking system to Lazarus and North Korea.