I have been wondering why Symantec would think that WannaCry, the infamous worm with ransomware attached, would be involved with North Korea, or that it was the North pretending to be the Lazarus Group of hackers. I think only SC got this right in all of the reporting done on it. It reflects some of the main problems with attribution and a press that feels it has to have a story, and the accuracy of it only has to be "close enough". I remember when that was regularly followed by "for government work", but it now obviously applies to the press too.
Kaspersky Labs has a short report on the link between Lazarus and North Korea. Their report says the group is Korean and works long hours, probably the most of any group they have ever studied. That says a lot. Perhaps Lazarus is a persona used by more than one entity, and that accounts for their hard work. The code links are common between some of the attack vectors being used and previous attacks against Sony and South Korea. My own view of this was that the North Koreans were blamed, but the U.S. thought China was actually behind it. The New York Times' David Sanger had a number of stories about that incident and the retaliation being planned. It was not all about North Korea, because options on routing around China's Great Firewall were also considered. It was clear the Obama White House thought it was China.
Ransomware is not something most places associate with government attacks, but North Korea has a plausible reason for doing it since they are "looking for outside currency". China hasn't shut off their currency flow yet, so that is hardly credible. It may be more practical to think of this as a test of the kinds of attacks that might make havoc in an old computer system using stolen or no longer supported versions of an operating system. That might apply to hospitals in the U.K. But it also applies to a lot of old military systems around the world. Even the Chinese fell victim to some of that, also being infected.
At least one good thing comes of every incident like this. People who steal software and people who use unlicensed software need to rethink that strategy. Having supported software and having licenses may get you support that you can't get otherwise. There were even groups in the financial community that were using XP in some of their systems, long after it had stopped being supported. Whatever happened to due diligence on this kind of thing?