Researchers see possible North Korea link to global cyber attack

Cyber security researchers have found technical clues they said could link North Korea with the global WannaCry "ransomware" cyber attack that has infected more than 300,000 machines in 150 countries since Friday.

Symantec and Kaspersky Lab said on Monday some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a North Korea-run hacking operation.

"This is the best clue we have seen to date as to the origins of WannaCry," Kaspersky Lab researcher Kurt Baumgartner told Reuters.

Both firms said it was too early to tell whether North Korea was involved in the attacks, which slowed to a crawl on Monday but have already become one of the fastest-spreading extortion campaigns on record.

The cyber companies' research will be closely followed by law enforcement agencies around the world, including Washington, where U.S. President Donald Trump's homeland security adviser said on Monday that both foreign nations and cyber criminals were possible culprits.

The two companies said they needed to study the code more and asked for others to help with the analysis. Hackers do reuse code from other operations, so even copied lines fall well short of proof.

U.S. and European security officials told Reuters on condition of anonymity that it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

The Lazarus hackers, acting for impoverished North Korea, have been more brazen in pursuit of financial gain than others, and have been blamed for the theft of $81 million from a Bangladesh bank. The North Korean mission to the United Nations was not immediately available for comment.

Regardless of the source of the attack, investors piled into cyber security stocks on Monday, betting that governments and corporations will spend more to upgrade their defenses.

SMALL PAYOUT

The perpetrators had raised less than $70,000 from users looking to regain access to their computers, according to Trump homeland security adviser Tom Bossert.

"We are not aware if payments have led to any data recovery," Bossert said, adding that no federal government systems had been affected.

Some private sector cybersecurity experts said they were not sure if the motive of the attack was primarily to make money, noting that most large ransomware and other types of cyber extortion campaigns pull in millions of dollars of revenue.

"I believe that this was spread for the purpose of causing as much damage as possible," said Matthew Hickey, co-founder of British cyber consulting firm Hacker House.

The countries most affected by WannaCry to date are Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.

The number of infections has fallen dramatically since Friday's peak when more than 9,000 computers were being hit per hour. Earlier on Monday, Chinese traffic police and schools reported they had been targeted as the attack rolled into Asia for the new work week, but there were no major disruptions.

Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.

Shares in firms that provide cyber security services rose sharply, led by Israel's Cyren Ltd (CYRN.O) and U.S. firm FireEye Inc (FEYE.O).

Cisco Systems (CSCO.O) closed up 2.3 percent, making it the second-biggest gainer in the Dow Jones Industrial Average, as investors focused more on opportunities the attack presented rather than the risk it posed to corporations.

Morgan Stanley, in upgrading the stock, said Cisco should benefit from network spending driven by security needs.

A screenshot shows a WannaCry ransomware demand, provided by cyber security firm Symantec, in Mountain View, California, U.S. May 15, 2017. Courtesy of Symantec/Handout via REUTERS

POLITICAL TOPIC

Beyond the immediate need to shore up computer defenses, the attack has turned cyber security into a political topic in Europe and the United States, including discussion of the role national governments play.

In a blog post on Sunday, Microsoft Corp (MSFT.O) President Brad Smith confirmed what researchers already widely concluded: the attack made use of a hacking tool built by the U.S. National Security Agency (NSA) that had leaked online in April.

He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.

On Monday, Bossert sought to distance the NSA from any blame.

"This was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states, that were put together in such a way as to deliver phishing emails, put it into embedded documents, and cause infection, encryption and locking," Bossert said.

Russian President Vladimir Putin, noting the technology's link to the U.S. spy service, said it should be "discussed immediately on a serious political level."

"Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," he said.

In Britain, where the virus first raised alarm when it caused hospitals to divert patients on Friday, it gained traction as a political issue just weeks before a general election. The opposition Labour Party accused the Conservative government of leaving the National Health Service (NHS) vulnerable.

RANSOM VIA BITCOIN

Some victims were ignoring official advice and paying the $300 ransom demanded by the cyber criminals to unlock their computers, which was due to double to $600 on Monday for computers hit by Friday's first wave.

So far only a few victims of the attack appeared to have paid, based on publicly available bitcoin accounts on the web, where victims have been instructed to pay.

The initial ransom demand was $300 per machine. Three days after becoming infected the demand doubles. Starting on Monday, the first victims began facing demands of $600 to unlock their machines.

This coming Friday, victims face being locked out of their computers permanently if they fail to pay the $600 ransom, said Tom Robinson, co-founder of Elliptic, a London-based private security company that investigates ransomware attacks.

As of 1400 GMT, the total value of funds paid into anonymous bitcoin wallets the hackers are using stood at just $55,169, from 209 payments, according to calculations made by Reuters using publicly available data.

Brian Lord, managing director of cyber and technology at cyber security firm PGI, said victims had told him "the customer service provided by the criminals is second-to-none," with helpful advice on how to pay: "One customer said they actually forgot they were being robbed."

Companies and governments spent the weekend upgrading software to limit the spread of the virus. Monday was the first big test for Asia, where offices had already mostly been closed for the weekend before the attack first arrived.

Renault-Nissan (RENA.PA) (7201.T) said output had returned to normal at nearly all its plants. PSA Group (PEUP.PA), Fiat Chrysler (FCHA.MI), Volkswagen (VOWG_p.DE), Daimler (DAIGn.DE), Toyota (7203.T) and Honda (7267.T) said their plants were unaffected.

British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a "kill switch" - an internet address which halted the virus when activated.

Individual European countries and the United States saw infections at a rate of only 10 percent to 20 percent of the most affected countries, according to the researcher who stumbled on the "kill switch."

The virus hit computers running older versions of Microsoft Corp (MSFT.O) software that had not been recently updated. Microsoft released patches last month and on Friday to fix a vulnerability that allowed the worm to spread across networks. The company's shares were down about 1 percent on Monday, in a slightly higher broad market.

Infected computers appear to be largely out-of-date devices. Some were machines involved in manufacturing or hospital functions, difficult to patch without disrupting operations.

For a graphic on how the cyber attack spread, see: tmsnrt.rs/2qIUckv

Additional reporting by Guy Faulconbridge, Jim Finkle, Cate Cadell, Jemima Kelly, Noel Randewich, Eric Auchard, Joseph Menn, Michelle Nichols and Tim Ahmann; Writing by Peter Graff and Nick Zieminski; Editing by Peter Millership and Bill Rigby
