Cybersecurity researchers said Monday that the massive “WannaCry” virus that has infected computers around the globe was developed using some of the same code used in the 2014 hack of Sony Pictures, raising the possibility that the hackers may have a connection to North Korea.
Investigators said they had detected code similar to that used by a shadowy cybercrime network implicated in the Sony attack, the Lazarus Group, though they stressed that more investigation was necessary.
“We believe this might hold the key to solve some of the mysteries around this attack,” the Moscow-based cybersecurity firm Kaspersky Labs said in an analysis of a few lines of duplicated code found in an earlier version of the WannaCry virus, which was first noticed by a Google security researcher.
An international manhunt was underway as private-sector researchers and government investigators alike tried to stamp out new versions of WannaCry while scouring for clues pointing to the authors of the original virus, who are “potentially criminals or foreign nation-states,” said Tom Bossert, President Trump’s homeland security advisor.
Security officials around the world expressed relief as the spread of the virus seemed to slow its pace, though not before freezing files and demanding ransom from the operators of hundreds of thousands of computers in at least 150 countries, including the United States.
The virus, which used a Windows vulnerability developed by and stolen from the U.S. National Security Agency, seemed to be the work of relatively unsophisticated hackers, experts initially said. They pointed to how easy it was to stop and how little money it has collected so far — a little over $50,000, a relatively paltry amount for an attack so large.
But the revelations of similarities to previous attacks launched by the Lazarus Group prompted a new evaluation. Kaspersky researchers called the discovery “the most significant clue to date regarding the origins of WannaCry.”
Other investigators also were looking into the possibility of a Lazarus connection.
“While these findings do not indicate a definite link between Lazarus and WannaCry, we believe that there are sufficient connections to warrant further investigation,” the Mountain View, Calif., security firm Symantec wrote in its analysis of the virus.
Symantec said it had identified “the presence of tools exclusively used by Lazarus on machines also infected with earlier versions of WannaCry.”
The Lazarus Group has been connected to a series of aggressive cyberattacks that date back to at least 2009, primarily aimed at targets in South Korea and the U.S., but also including financial institutions in Poland and Bangladesh.
The group was linked to the massive hack of data from Sony, which included emails between employees, information about executive salaries at the company and copies of Sony films that had yet to be released.
Some of the data were published online, embarrassing executives just as the company was about to release a movie critical of North Korea.
“We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations,” Kaspersky analysts said after the Sony episode. “Clearly the group’s operations span across the whole world.”
Ransom payments collected so far provide additional clues, but they only go so far.
Because of the way bitcoin, or electronic money, works, the payments are public, allowing officials and researchers to monitor the three digital accounts where the victims’ payments are being deposited, making it possible to calculate how much money has been paid out.
Figuring out who controls those accounts is much harder.
New victims emerged as expected on Monday, and several security firms detected new variations of the virus, just as many had predicted. Thus far, none of these new versions had much of an effect, but security officials remained vigilant.
“Only one appears to have [gotten] some very limited traction,” said Costin Raiu, director of Kaspersky’s Global Research and Analysis team. “The other variants appear to have been manually patched by unknown entities and have not been created by the original WannaCry authors.”
In the United Kingdom, the National Health Service appeared to be largely back to business Monday. The NHS said that seven out of the nearly 50 NHS trusts affected are still facing serious problems. Others are reporting problems, but not as severe. The majority of patients are being advised to turn up for their usual appointments, unless told otherwise.
Across the globe in China, cybersecurity firm Qihoo 360 said that 29,372 institutions, including government offices, bank machines and hospitals had been infected over the weekend. French digital security agency ANSII reported that only a handful of organizations had been infected.
Bossert, Trump’s homeland security advisor, told reporters in Washington that there were “a small number of affected parties in the U.S., including FedEx.” He said the number of hacked computers worldwide had risen to 300,000 on Monday.
The carmaker Renault said it had halted manufacturing at some of its factories in France and one in Slovenia because of the virus. In Germany, rail passengers posted pictures on Twitter of departure and arrival screens at Deutsche Bahn, the German train operator, showing the red WannaCry warning sign.
Still, in an interview with Agence France-Presse, Europol spokesman Jan Op Gen Oorth said the European Union law enforcement agency’s worst fears were not realized Monday.
“The number of victims appears not to have gone up and so far the situation seems stable in Europe, which is a success,” he told AFP. “It seems that a lot of Internet security guys over the weekend did their homework and ran the security software updates.”
A top Microsoft executive lashed out at the NSA on Sunday, saying the agency bore the blame for turning an obscure computer vulnerability into a weapon.
Russian President Vladimir Putin — whose Interior Ministry was reported to be a victim of the attacks — picked up on that theme Monday, blaming the U.S. for the creation of the ransomware virus.
“We are fully aware that the genies, in particular, those created by secret services, may harm their own authors and creators, should they be let out of the bottle,” Putin said in Beijing, according to Russia’s Tass news agency.
Putin said Russia had invited Obama administration officials last year “to look into cybersecurity matters” and develop an intergovernmental agreement. “Regrettably, our proposal was rejected. Then the previous administration said it was prepared to get back to our proposal, but nothing was done in practice.”
Russia has been blamed for hacking attacks aimed at influencing the 2016 U.S. presidential election.
On Sunday, Europol described the WannaCry attack as “unprecedented.” However, it appears that a move by a security researcher to register an address on the Internet that fooled the virus has blunted its momentum.
The newer variants of the virus that emerged seemed to be ineffective because they were quickly made. Researchers are still on the watch for more sophisticated versions that can better exploit the remaining vulnerabilities.
Several governments, security agencies and research firms on Monday were calling on users not to pay the ransom for fear that it would inspire more such attacks. Still, it was not clear whether those who had paid had their access restored, or what other options exist for users who found their computers still encrypted.
Bossert, who spoke at a White House briefing, said the U.S. is “not aware of payments that have led to any data recovery,” implying that the hackers are simply absconding with the money. He added that it would be “very satisfying” to bring them to justice, and “the best and the brightest are working on that.”
Microsoft called over the weekend for its customers to be more aggressive about installing the security patch it had issued several weeks earlier. But the reality remains that millions of machines are likely running on older versions of its Windows operating system, or lack the resources and organizational sophistication to install the patch across their tangled web of IT systems.
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect,” wrote Brad Smith, Microsoft’s president and chief legal officer in a blog post on Sunday. “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
On Monday, the process of reexamining the policies and politics of cybersecurity in Europe was underway in the wake of the attack.
In the U.K., there were reports that Health Secretary Jeremy Hunt was warned last summer that National Health Service organizations were at risk of cyberattacks. An assessment of 60 hospitals was carried out by experts who warned that a cyberattack was becoming a “bigger consideration” as the NHS moved increasingly away from paper records to digital files.
A July report presented to Hunt said that “computer hardware and software that can no longer be supported should be replaced as a matter of urgency.” And as long ago as 2014, the government told NHS trusts that they needed to update their systems and avoid using Windows XP as quickly as possible.
It appears many of those alarms were not heeded.
The British government announced that it was holding an emergency meeting late Monday to discuss the cyberattack.
A spokesman for Europol, Alex Niculae, said in an email to The Times that the agency’s Joint Cybercrime Taskforce was working with investigators from the various countries affected by the virus. He said that investigators from both the public and private sectors have “joined forces and are doing their best to get to the bottom of this.”
Special correspondent O’Brien reported from Toulouse, France, and Boyle from London. Times staff writer Jim Puzzanghera in Washington contributed to this report.
7:40 p.m.: This article was updated with reports of a possible connection to code used in the 2014 hack of Sony Pictures data.
1:10 p.m.: This article has been updated with comments from Tom Bossert.
9:40 a.m.: This article has been updated with comments from Putin and a Europol spokesman.
7:50 a.m.: This article has been updated throughout with staff reporting.
This article was originally published at 7:43 a.m.