tech2 News Staff, May 30, 2017 10:53:52 IST
One of the biggest unanswered questions about the WannaCry ransomware attacks is who the perpetrators are. Operating systems from Microsoft had vulnerabilities or security holes identified by the NSA. An entity related to the NSA, known as the Equation group, created the tools, known as exploits, to take advantage of discovered vulnerabilities. A hacking collective known as Shadow Brokers claimed to have hacked a secret server used by the Equation Group to get hold of the tools. After failing to auction the exploits, the Shadow Brokers dumped the cache of tools in public. This is when the perpetrators of the WannaCry ransomware come into the picture.
According to security researchers, the ransomware has similarities to malware associated with Unit 180, a threat actor associated with North Korea. Unit 180 is responsible for attacks related to financial gain, and was believed to be involved in both the SWIFT banking attack in Bangladesh and the Sony Pictures hack. The code used in WannaCry is similar to code used by a group known as “Lazarus”, according to a blog post by Symantec. The Lazarus group is also linked to North Korea.
However, the components that the WannaCry creators used alongside the NSA exploits were amateurish. While they went after the data, the ransomware did not affect backups or network storage. Additionally, the actual ransoming component and the bitcoin wallet provision were not well implemented. Samil Neino, 32, chief executive of Los Angeles-based Kryptos Logic, told Reuters that "What really makes the magnitude of this attack so much greater than any other is that the intent has changed from information stealing to business disruption".
Now, Flashpoint's analysis of the language used in the WannaCry malware provides clues about the perpetrators of the attack. The first clue is that the writers of the ransom note had a good command of English, but were not native speakers. This was given away by the line "But you have not so enough time." The security researchers then verified that the ransom notes in the other languages were generated using Google Translate: using the English version as the base, they found that all the other notes almost exactly matched Google's translations.
The second clue is that the notes in simplified Chinese and traditional Chinese were substantially different from all the other notes. They had different content and were different in tone. The grammar, punctuation, syntax and character choice all point to fluency in Chinese. Additionally, a typo suggests that a Chinese language input system was used to write the note, instead of a translating service. The particular word for "antivirus" used in the note is common in the Chinese mainland. The particular word for "week" is commonly used in South China, Hong Kong, Taiwan, and Singapore.
However, Flashpoint says that the two clues taken together, that the perpetrators were not native English speakers and that they were fluent in Chinese, are not enough to conclusively prove the nationality of the attackers.