Officials believe Lazarus hackers in North Korea behind NHS cyber attack

British security officials believe that hackers in North Korea were behind the cyberattack that ransomed the NHS and other organisations around the world last month, BBC news reports.

Britain’s National Cyber Security Centre (NCSC) led the international investigation into the attacks that threatened the privacy of millions in the UK in May.

Security sources have told the BBC that the NCSC believes that a hacking group known as the Lazarus Group launched the attack.

The same group is believed to have targeted Sony Pictures in 2014.

NHS under fire:

In May, ransomware called WannaCry  affected thousands of computers across the world, locking out users and demanding payment for them to be unlocked. The NHS was particularly badly hit.

Officials in Britain’s National Cyber Security Centre (NCSC) began their own investigation and have since concluded their assessment.

The ransomware did not target Britain or the NHS specifically, and may well have been a money-making scheme that got out of control, particularly since the hackers do not appear to have retrieved any of the ransom money as yet.

Although the group is based in North Korea the exact role of the leadership in Pyongyang in ordering the attack is less clear.

Private sector cyber-security researchers around the world began picking apart the code to try to understand who was behind the attack soon after.

Adrian Nish, who leads the cyber threat intelligence team at BAE, saw overlaps with previous code developed by the Lazarus group.

“It seems to tie back to the same code-base and the same authors,” Nish says. “The code-overlaps are significant.”

Private sector cyber security researchers reverse engineered the code but the British assessment by the NCSC – part of the intelligence agency GCHQ – is likely to have been made based on a wider set of sources.

What can be done?

For interested industry stakeholders, the National Cyber Security Centre’s (NCSC) response to the attacks could well mark a statement of intent from the government organisation.

Following their encouragement of private sector businesses to prepare for an Active Cyber Defence strategy – colloquially known as “hackback”, one might expect a reasonably offensive approach following the NHS attacks. Whether they do or not however, is perhaps for politicians to decide, but will inevitably set the precedent for cyberattack responses to come.