Trail of global cyberattack could lead to North Korea

Researchers pointed to a piece of code suggesting North Korean involvement.

— -- Cyber security researchers tracking the global cyberattack tonight say the trail could lead back to North Korea.

Analysts from Google and and at least three major cybersecurity firms have pointed to a piece of code that appeared in both an earlier version of the WannaCry virus and the 2016 attack on international banks attributed to the North Korea-linked hackers Lazarus Group.

“There is a link,” said John Bambenek of Fidelis Cybersecurity. “We are really drilling down on what it means but there is part of the code that is shared between WannaCry and a known DPRK hacking tool.”

It could be someone else using the code, researchers say, and there’s still no official attribution, but according to Bambenek, it’s “a solid lead” in the investigation.

North Korea has a history of computer criminality. The Lazarus Group has been accused of launching attacks against South Korean institutions in 2013, Sony Pictures Entertainment in 2014, and the SWIFT financial system in 2016.

“We’ve seen them steal money,” said John Carlin, a former assistant attorney general for national security and an ABC News contributor. “We’ve seen them steal information. We’ve seen them destroy information. They may not be the most capable country in the world, but they certainly have capabilities in this space.

According to Ryan Kalember, senior vice president of cybersecurity at Proofpoint, a second and a third wave of WannaCry ransomware attacks both failed over the weekend, one variant using a modified “kill switch” and another variant with no “kill switch” at all. The first variant was quickly identified and stopped, while the second variant failed to “properly deploy.”

Kalember warned, however, that the threat is still serious.

“It remains critical that all organizations immediately ensure they have the most updated patches deployed and backups ready to restore in the event of a ransomware attack,” Kalember said.

Even so, the tally of targets — now more than 300,000 in 150 countries — continued to rise, with factories, offices, railroads, power stations around the world and FedEx in the U.S. all hit.

By far the most devastating attack affected hospitals in Great Britain, where ambulances were turned away and cancer treatments and surgeries were cancelled.

“Horrible, cried a lot,” Jess Laughton, a patient who had her surgery cancelled, told ABC News. “Didn’t really know what to say, that was the last thing we expected him to come in and say, was that here had been a cyberattack and everything had been cancelled.

Only a few hundred companies appeared to have followed the hackers’ directions to pay $300 or more to have their files freed, and according to Tom Bossert, President Donald Trump’s cybersecurity chief, that turned out to be a scam too.

“It appears less than $70,000 has been paid in ransom and we are not aware of any payments that have led to any data recovery,” Bossert said.

The hackers were so successful because they targeted a vulnerability in the widely-used Microsoft operating systems that was originally identified by the U.S. government’s own National Security Agency (NSA) and leaked to the public by the Hacker group The Shadow Brokers in April.

Microsoft provided a first security patch following the initial release and an additional patch following the attack, but according to Richard Clarke, a special adviser to President George W. Bush on cybersecurity and ABC News consultant, the NSA should have alerted Microsoft to the problem rather than attempting to exploit the vulnerability for its own spying.

“They didn’t tell Microsoft about the vulnerability, they tried to use it instead, and two, they allowed this attack tool to be stolen, right out from under their noses,” Clarke said.