The WannaCry ransomware virus code could be used in future attacks with nation-state motivations, a Symantec expert said, even though WannaCry was likely not state-sponsored.

Vikram Thakur, technical director of Symantec Security Response, told MeriTalk that his company found strong evidence linking the WannaCry virus to the Lazarus group, a cyber crime group responsible for many high-profile hacks over recent years.

“Nation-states do not ship buggy code,” said Vikram Thakur. (Photo: LinkedIn)

“We found that those tools which were being used with WannaCry were really just evolutions of Lazarus tools over the years,” said Thakur, explaining that though they were unable to identify “patient zero” in the hack, the tools used to develop WannaCry and its predecessor were incredibly similar to those used by Lazarus.

However, though Lazarus has worked with nation-states before, such as with North Korea on the hack of Sony Pictures in 2014, this hack did not have indicators of a nation-state.

“Nation-states don’t attack regular users of the Internet, especially not for a few hundred dollars,” said Thakur, adding that such a motivation “just does not add up from an analytical standpoint.”

Thakur added that faults on the code, such as the existence of a kill switch and bugs in the program, indicate that the hacks were executed with less sophistication than a nation-state would provide.

“To some sense, it was botched. It wasn’t executed as well as we would expect. The malware itself didn’t function flawlessly,” said Thakur. “Nation-states do not ship buggy code.”

According to Thakur, these indicators mean that researchers must consider a more diverse set of motivations for the Lazarus group to use this software.

“They open up the possibilities to a couple of avenues. On the one side, we have to assume that the group has to be open to monetary gain,” said Thakur. “On the other side, we might assume that there might be splinters within the Lazarus group.”

He explained that it was possible for someone to have stolen the code or for an individual member of the Lazarus group to have used the code for their own personal gain.

However, the Lazarus group’s past involvement with hacks for North Korea and Symantec research showing that the cyber threat landscape has experienced a major shift toward politically motivated attacks, indicate that the WannaCry code and others developed by the group could be used in a future nation-state hack.

Read More About
More Topics
Jessie Bur
Jessie Bur
Jessie Bur is a Staff Reporter for MeriTalk covering Cybersecurity, FedRAMP, GSA, Congress, Treasury, DOJ, NIST and Cloud Computing.