With the dust now settling after "WannaCry," the biggest ransomware attack in history, cybersecurity experts are taking a deep dive into how it was carried out, what can be done to protect computers from future breaches and, trickiest of all, who is to blame. Beyond the frequently used shorthand that North Korea was likely behind the attack lies a more complicated story of the rise of an infamous group of hackers known as "Lazarus," who may be using secret lairs in northeast China and have created a virtual "malware factory" that could wreak a lot more havoc in the future.
Who are they? On Dec. 19, 2014, just one month after a devastating hack hobbled Sony Pictures Entertainment, the FBI's field office in San Diego issued a press release naming North Korea as the culprit and stating that such cyberattacks pose "one of the gravest national security dangers" to the United States. The FBI's attribution to North Korea has since been disputed.
An industry consortium led by Novetta launched "Operation Blockbuster" and in 2016 released a detailed public report on the attack that lined up with the FBI's conclusion that the tactics, tools and capabilities strongly indicated the work of a "structured, resourced and motivated organization," but said its analysis could not support the direct attribution of a nation-state. It determined the attack "was carried out by a single group, or potentially very closely linked groups, sharing technical resources, infrastructure and even tasking." It named the group Lazarus and tied it to a string of attacks dating back to 2007 or 2009.
Researchers at cybersecurity giant Kaspersky Lab, which also participated in Operation Blockbuster, surmised that the Lazarus attackers are probably located in a time zone eight or nine hours ahead of Greenwich Mean Time — which would include China, Malaysia and parts of Indonesia, among other places — because they appear to start working at around midnight GMT and break for lunch three hours later. The researchers even estimated that the hackers get roughly 6-7 hours of sleep per night.
Kaspersky also said it found indications of the Korean language on a majority of the computers being used. James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, a Washington-based think tank, said the group is believed to outsource the development of malware to "numerous external threat actors." But he said any connections between Lazarus and North Korea remain unclear.
Read more at ABC