Pyongyang's hand suspected in global ransomware attack
Potential link to North Korean hacking group found in WannaCry malware
TOMOYUKI KAWAI and SOTARO SUZUKI, Nikkei staff writers
WASHINGTON/SEOUL -- A North Korean digital warfare cell may be behind the cyberattack that spread across the globe over the weekend, possibly aimed at disrupting society and raking in foreign currency.
A researcher at Google found segments of code shared between the "WannaCry" ransomware program used in the attack and a tool used in 2015 by a hacker group known as "Lazarus." Lazarus, believed to be backed by Pyongyang, is "operating a malware factory," according to Russia-based cybersecurity group Kaspersky Lab.
The global ransomware strike -- software that encrypts users' data, locking it away, then asks them to pay to recover it -- exploited weaknesses in Microsoft's Windows operating system that were found by the U.S. National Security Agency and published online by a group calling itself the "Shadow Brokers." Lazarus is thought to have developed malware that targeted these weak points.
South Korean media suggest that a Northern cyberwarfare cell called Bureau 121 may be behind the attack. Major newspaper JoongAng Ilbo, or Central Daily News, has reported that Bureau 121 handles most of the North's hacking operations. The cell belongs to the General Bureau of Reconnaissance, which during wartime gathers intelligence and conducts spying and during peace engages in what may be called terrorism. The General Bureau is believed to have been involved in February's assassination of Kim Jong Nam, half-brother of North Korean leader Kim Jong Un, in Malaysia.
North Korea appears to be positioning its hacking capabilities as a strategic means on par with its nuclear and missile development. The country is estimated to have a team of 7,000 digital warriors, thought to operate largely out of hotels in Chinese cities such as Shenyang and Dandong.
Bureau 121 also is thought to be behind a 2014 hack on Sony's U.S. movie unit, which at the time was preparing to release a comedy called "The Interview" whose story involved a plot to assassinate Kim Jong Un. Pyongyang has not admitted to involvement, but Washington judged that the state had a hand in the attack and slapped additional sanctions on the bureau and its affiliates.
The same cell is suspected of carrying out digital bank heists, including a major robbery of Bangladesh's central bank. Banks in North Korea have since been barred from using the international transaction system SWIFT, or Society for Worldwide Interbank Financial Telecommunication.
Pyongyang could have turned to ransomware as a new source of funds after getting locked out of SWIFT complicated the rogue state's efforts to hack banks remotely.
South Korea's National Intelligence Service says it has not confirmed that Pyongyang was involved, but is looking into that scenario among others.