North Korea’s secret cyber hackers were probably responsible for the “ransomware” attacks that crippled governments, hospitals and businesses in 150 countries, defectors from the rogue state and internet experts have said.
They pointed to “Unit 180”, a special cell in the country’s spy agency, saying it may have been behind a series of online raids on financial networks and firms in the US, South Korea and more recently across the world.
Pyongyang branded the suggestion “ridiculous”.
However technical evidence is said to link the dictatorship’s spies to Lazarus Group, the cybergang allegedly behind last year’s $81m (£62m) heist of the Bangladesh Central Bank and a 2014 hack of Sony’s Hollywood studios.
Security firms claimed that code used in those two attacks had similarities to sequences used in the WannaCry ransomware that created havoc inside the NHS’s computer systems on 12 May.
Experts said that Kim Jong-un’s regime may be using cyber attacks to raise money.
Kim Heung-kwang, a computer science professor who defected from North Korea in 2004, claimed his former students had joined the country’s Strategic Cyber Command.
He told Reuters: “Unit 180 is engaged in hacking financial institutions (by) breaching and withdrawing money out of bank accounts.
“The hackers go overseas to find somewhere with better internet services than North Korea so as not to leave a trace.”
Mr Kim said government hackers were likely to pose as traders and businessmen when they travelled abroad.
North Korea releases footage of simulated White House attack
North Korea expert James Lewis, of the Washington-based Centre for Strategic and International Studies, said the Communist state first used hacking to spy on its enemies and harass political targets overseas.
“They changed after Sony by using hacking to support criminal activities to generate hard currency for the regime,” he said.
“So far, it’s worked as well or better as drugs, counterfeiting, smuggling – all their usual tricks.”
No criminal charges have been brought over the ransomware attacks, and there is no conclusive proof linking them to North Korea.
Simon Choi, a director at anti-virus software company Hauri Inc, said that the regime had been mining Bitcoin, the currency used in the ransomware hack, using malicious computer programs since 2013.
Last year, he accidentally spoke to a hacker traced to a Pyongyang internet address about development of ransomware and alerted South Korean authorities.
The security company Kaspersky Lab said portions of the “WannaCry” ransomware use the same code as malware previously distributed by Lazarus, a group behind the 2014 Sony hack blamed on North Korea.
But it is possible the code was simply copied from the Lazarus malware without any other direct connection.
Another security company, Symantec, has also found similarities between WannaCry and Lazarus’s tools, but said “they so far only represent weak connections. We are continuing to investigate for stronger connections.”