
Russian firm claims N. Korea linked to Lazarus Group


A Russian cyber security firm claims it has found evidence that links the Lazarus Group to North Korea.

This group has been alleged, by two other companies, Symantec and Kaspersky Lab, to be behind the recent WannaCry ransomware attack.

The Lazarus Group has been said to be responsible for stealing from a Bangladesh bank, attacking Sony Pictures Entertainment, and also for an attack on South Korea's online industry in 2013.

The Russian company, Group-IB, said in a detailed report that it had analysed multiple layers of the two command and control infrastructures used by the Lazarus Group.

One of the C&C servers had the IP address 210.52.109.22, which belonged to the Chinese company China Netcom. The second, which Group-IB said provided definite proof of links to Pyongyang, was 175.45.178.222, which it claimed was an IP allocated to a North Korean Internet service provider.

"The Whois service indicates that this address is allocated to the Potonggang District, perhaps coincidentally, where (North Korea's) National Defence Commission is located — the highest military body in North Korea," Group-IB said.

It said it had also come across a 2016 report on the South Korean TV channel Arirang News in which, during a clip about an attack on two Seoul corporations, two IPs in the same range were listed on screen: 175.45.178.19 and 175.45.178.97.

"South Korea's National Police Agency reportedly identified that the cyber attack had been performed from the unfinished North Korean Ryugyong hotel. Group-IB could not confirm this location attribution," it said.

Group-IB said the Lazarus Group had tried to masquerade as being of Russian origin by including debugging symbols and strings containing Russian words in commands issued by malware that it propagated.

However, it said, these words were quite often wrongly used and would not have been employed as such had the writer of the malware been a native Russian speaker.

Additionally, Group-IB said, the Lazarus Group used Enigma Protector to guard the executables they created; Enigma was professional software created by a Russian.

And finally, Lazarus was said to have borrowed exploits for Flash and Silverlight from those created by Russian hackers.

"To mask malicious activity, the hackers used a three-layer architecture of compromised servers with SSL-encrypted channels established between them," Group-IB said summing up its findings.

"In addition to encrypted traffic, data sent through (the) SSL-channel was additionally encrypted. The attackers achieved anonymity by employing a legitimate VPN client - SoftEther VPN. In some cases, they also used corporate Web servers that were part of the attacked infrastructure."

Group-IB said the earliest indicator of attacks on financial institutions by the Lazarus group was in March 2016.

"This was directly after the Central Bank of Bangladesh incident, which took place in February 2016, where attackers attempted to steal US$1 billion.

"Only a spelling mistake in an online bank transfer instruction helped prevent them from stealing more than US$81 million. Following this incident, the group modified its tactics and tools, adapting them to the changing environment and misleading researchers."

Other attack targets that Group-IB claimed to have identified included universities in the US, Canada, the UK, India, Bulgaria, Poland, Turkey, pharmaceutical companies in Japan and China, and government subnets in various countries.
