Security experts are examining a potential link in the computer code behind Friday’s global cyber attack with earlier ones that could suggest North Korea was responsible.
More than 300,000 computers in 150 countries have been infected with the WannaCry “ransomware” virus since the attack, crippling organisations from government agencies and global companies.
The NHS was also badly affected, with 47 trusts in England and 13 Scottish health boards compromised when the virus targeted computers with outdated security.
Marcus Hutchins, a young British computer expert, was hailed a hero for helping to shut down the crippling cyber attack after discovering a so-called “kill switch” that slowed the effects of the WannaCry virus as it swept through computer systems around the world.
Cyber experts are studying similarities between the computer code used in the WannaCry attack with malware distributed by Lazarus, a hacking group behind attacks on Sony Pictures in 2014 that was blamed on North Korea.
The potential link was highlighted on Monday by a researcher from Google who posted a message on Twitter showing a sample of the WannaCry malware that appeared online in February.
Researchers from global cyber security company Kaspersky Lab, whose European headquarters is in London, identified clear code similarities between the WannaCry virus and attacks by Lazarus in 2015.
Kaspersky Lab said: “The similarity of course could be a false flag operation.
“However, the analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks started last Friday.
“This can be an attempt to cover traces conducted by orchestrators of the WannaCry campaign.
“Although this similarity alone doesn’t allow proof of a strong connection between the WannaCry ransomware and the Lazarus Group, it can potentially lead to new ones which would shed light on the WannaCry origin which to the moment remains a mystery.”