Saskatoon StarPhoenix

Cyber gang behind attack tied to N. Korea

WannaCry virus blamed for global disruptions

YURI KAGEYAMA AND LOUISE WATT

The “ransomware” attack on computers throughout the world has been linked to a gang of cybercriminals possibly tied to the North Korean government.

Analysts from security firms Symantec and Kaspersky said they were looking at clues that appeared to link the WannaCry virus to the Lazarus Group, which is believed to be behind a string of high-profile cyber crimes.

Kaspersky said there were similarities in coding between an early version of WannaCry and a February 2015 cyber attack from the Lazarus Group.

“We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” said Kaspersky in a blog.

The security firm has previously investigated the Lazarus Group and believes it was behind the “Sony Wiper” attack, which crippled the company in 2014; the “DarkSeoul” operation, which targeted South Korean banks and media companies; and a US$81 million cyber heist of a Bangladeshi bank.

“The scale of the Lazarus operations is shocking,” said the Kaspersky blog that accused the group of running a “malware factory.”

The U.S. government later blamed North Korea for the Sony attack and there has been speculation that the Lazarus Group is a North Korean state actor.

On Monday, the WannaCry cyberattack spread to thousands more computers as people logged in at work, disrupting business, schools, hospitals and daily life, though no new large-scale breakdowns were reported.

In Britain, whose health service was among the first high-profile targets of the attack Friday, some hospitals and doctors’ offices were still struggling to recover.

The full extent of the damage from the cyberattack felt in 150 countries was unclear and could worsen if more malicious variations of the online extortion scheme appear.

The initial attack paralyzed computers running factories, banks, government agencies and transport systems in scores of countries, including Russia, Ukraine, Brazil, Spain, India and Japan, among others. Among those hit were Russia’s Interior Ministry and companies including Spain’s Telefonica and FedEx Corp. in the U.S.

The Saskatchewan government said Monday it was hit with a malicious cyber attack, but it was not known if it was connected to WannaCry.

Spokeswoman Kathy Young said the government network was being flooded, causing sporadic outages of the Saskatchewan.ca website and other issues.

Though the ransomware continued to spread at a more subdued pace Monday, many companies and government agencies were still struggling to recover from the first attack.

Carmaker Renault said one of its French plants, which employs 3,500 people, wasn’t reopening Monday as a “preventative step” while technicians deal with the aftermath of the attack.

In Asia, where Friday’s attack occurred after business hours, thousands of new cases were reported Monday as people came back to work.

The Japan Computer Emergency Response Team Coordination Center, a nonprofit group, said 2,000 computers at 600 locations in Japan were affected. Companies including Hitachi and Nissan Motor reported problems but said they had not seriously affected their business operations.

Chinese state media said 29,372 institutions there had been infected along with hundreds of thousands of devices.

Universities and other educational institutions in China were among the hardest hit, possibly because schools tend to have old computers and are slow to update operating systems and security, said Fang Xingdong, founder of ChinaLabs, an Internet strategy think-tank.

Railway stations, mail delivery, gas stations, hospitals, office buildings, shopping malls and government services also were affected, China’s Xinhua News Agency said.

In Indonesia, the malware locked patient files on computers in two hospitals in the capital, Jakarta, causing delays.

Experts urged organizations and companies to immediately update older Microsoft operating systems, such as Windows XP, with a patch released by Microsoft Corp. to limit vulnerability to a more powerful version of the malware — or to future versions that can’t be stopped.
