勒索病毒攻击的幕后黑手指向朝鲜

谁是横扫全球计算机的勒索病毒WannaCry的幕后黑手？对此我们并不确定，但是一位网络安全研究人员发现了指向罪魁祸首——朝鲜黑客集团拉撒路集团（Lazarus Group）——的证据。

这场始于上周五的互联网瘟疫，与利用微软公司（Microsoft）旧版软件漏洞的黑客有关，其目的是锁定计算机，包括企业和英国国家卫生署的计算机，继而索要解锁计算机的赎金。

本周一，谷歌公司（Google）的网络安全研究人员奈耳·梅赫塔在推文中发布了本次勒索病毒攻击使用的代码，而在2015年发生的一次计算机攻击中，也使用了这些代码。2015年发生的那场计算机攻击与拉撒路集团有关，所以代码的重新使用，或许成为拉撒路集团是此次勒索病毒幕后黑手的线索。

拉撒路集团对一系列针对中央银行的网络劫案负责。据报道，拉撒路集团是朝鲜的军事机构，通过犯罪为其网络战斗行动提供资金。本次勒索病毒攻击显示出的不道德的特征，与拉撒路集团此前的行为特征一致。

但是，梅赫塔在推文中发布的计算机代码，与朝鲜作为此次勒索病毒母后黑手的确凿证据相去甚远——有很多原因能让这一结论站不住脚（包括黑客定期借用恶意计算机代码这一事实）。

但是，梅赫塔的发现引起众多著名网络安全研究人员的高度关注，他们纷纷加入Twitter上的辩论。

在此看到共享的代码，是非常有趣的。https://t.co/CVnCEnzcvd

- 肖恩·亨特利（@ShaneHuntley）2017年5月15日

对于关注#Wannacry/#wannacrypt的每个人来说，@neelmehta提供了连线。https://t.co/UQwWd04KWx

- 摩根·马奎斯-布瓦尔（@headhntr）2017年5月15日

与此同时，一位Twitter用户提出了一种观点，称朝鲜莫名其妙搞砸了这次计算机攻击，或许揭示了以下事实：英国网络安全研究人员能触发所谓的“kill switch（杀戮开关）”机制，阻止了部分勒索病毒攻击，这在一定程度上限制了病毒攻击的附带结果。

好吧，我相信这种观点。接受过俄罗斯培训的朝鲜人企图通过搞砸这次计算机攻击赚钱https://t.co/mTqsSHoWpt

- davi （（（����）））德海 （@daviottenheimer）2017年5月15日

同时，安全媒体CyberScoop报道称，著名的网络安全公司卡巴斯基实验室（Kaspersky Labs）的研究人员发布了博客贴子，对拉撒路集团与此次勒索病毒攻击有关的观点表示支持。

这篇博客贴子指出，“我们认为，这可能是解开此次计算机攻击部分秘密的关键所在。有一件事是肯定的，奈尔·梅赫塔的发现是迄今为止关于Wannacry起源的最重要线索。”

此外，对于梅赫塔的发现是此次计算机攻击幕后黑手设计的“虚假旗帜”，从而错误地归罪于朝鲜，卡巴斯基实验室对这一观点表示反对。

不愿透露姓名的美国和欧洲网络安全官员对路透社表示，现在说谁是幕后黑手还为时过早，但也未排除朝鲜就是“嫌疑人”。（财富中文网）

译者：刘进龙/汪皓

Who's behind the ransomware known as WannaCry that is wrecking havoc on computers around the world? We don't know for sure, but a security researcher has found a piece of evidence that points to a culprit: a North Korean operation known as the Lazarus Group.

The online epidemic, which began on Friday, involves hackers exploiting a flaw in older versions of Microsoft software in order to lock the computers—including those of companies and the U.K. health service—and demanding payment to unlock them.

On Monday, Google security researcher Neel Mehta tweeted lines of code from the current ransomware attack that had also been used in a separate 2015 attack. The earlier attack has been tied to the Lazarus Group, so the reuse of the code is a possible clue that the group is also behind the ransom.

The Lazarus Group, which is responsible for a series of online heists targeting central banks, is believed to be a North Korea military outfit that funds its cyber warfare operations through crime. The wanton character of the current ransomware attacks would be consistent with previous behavior by the Lazarus Group.

The computer code tweeted by Mehta, however, is far from definitive evidence North Korea is responsible for the ransomware. There are numerous reasons (including the fact hackers regularly borrow malicious computer code) to avoid drawing firm conclusions.

Nonetheless, Mehta's discovery is getting serious attention from top security researchers, who are weighing in on Twitter:

Very interesting seeing shared code here. https://t.co/CVnCEnzcvd

- Shane Huntley (@ShaneHuntley) May 15, 2017

For everyone following #Wanacry / #wannacrypt, @neelmehta has provided a join the dots. https://t.co/UQwWd04KWx

- Morgan Marquis-Boire (@headhntr) May 15, 2017

Meanwhile, one Twitter user floated a theory that the North Koreans had somehow fouled up the attack—possibly referring to the fact that a U.K. security researcher was able to trigger a so-called "kill switch" that shut down part of the ransomware attacks, partially limiting the fallout.

ok, i'll buy this theory. Russian-trained North Koreans attempting to actually make money when they screwed up https://t.co/mTqsSHoWpt

Meanwhile, as reported by CyberScoop, researchers at Kaspersky Labs—a highly regarded security firm—published a blog post supporting the theory that Lazarus Group could be tied to the ransomware attacks.

"We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry," said the blog post.

Kaspersky Labs also rejected the idea that Mehta's discovery was a "false flag" planted by the perpetrator of the attacks in order to wrongly incriminate North Korea.

U.S. and European security officials told Reuters on condition of anonymity that it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.