New analysis suggests Chinese link in WannaCry cyber attack

A new analysis by Security Company Flashpoint suggests Chinese-speaking criminals may have been behind the WannaCry ransomware cyber attack that infected over 300,000 computers worldwide.

In a recent analysis, Flashpoint discovered links to someone who was “native or at least fluent” in Chinese after scrutinising the ransom note.  The ransom notice appeared to be displayed in 28 languages, “but only three, the English and the Chinese version (Simplified and Traditional), are likely to have been written by humans”, while “nearly all of the ransom notes were machine translated using Google Translate.”

However, Flashpoint noted the English version of the ransom notice was used by the hacker as a source text for machine translation into other languages. It struck them when an English text in the notice used some unusual phrases such as: “But you have not so enough time”, which appeared to be written by someone with a strong command over English but by a non-native or perhaps poorly educated person for making grammatical error in the note.

The WannaCry cyber-attack infected more than 300,000 computers in 150 countries, including India, affecting government, healthcare, and businesses, taking advantage of a vulnerability of the Microsoft’s operating system Windows discovered by the National Security Agency and then stolen by a group of hackers calling themselves “Shadow Brokers”.

The FBI, Europol and the UK’s National Crime Agency are still investigating who was responsible for the ransomware attack.

Security Company Symantec had cautiously linked hands of North Korean criminals in the cyber-attack. It was believed that the Lazarous Group, who were behind the devastating hack on Sony Pictures in 2014, and on a Bangaldeshi Bank in 2016, worked out of China, but on behalf of the North Koreans.

However, Flashpoint researchers in their analysis noted the Korean-language ransom note to be poorly translated version of the English text.

“A number of unique characteristics in the note indicate it was written by a fluent Chinese speaker. A typo in the note, “帮组” (bang zu) instead of “帮助” (bang zhu) meaning “help,” strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version,” Flashpoint wrote in a blogpost.

“One term, “礼拜” for “week,” is more common in South China, Hong Kong, Taiwan, and Singapore; although it is occasionally used in other regions of the country. The other “杀毒软件” for “anti-virus” is more common in the Chinese mainland.

“Perhaps most compelling, the Chinese note contains substantial content not present in any other version of the note, is lengthier, and differs slightly in format,” they added.