A computer virus that exploits the same vulnerability as the global “ransomware” attack has latched on to more than 200,000 computers and begun manufacturing digital currency, experts said Tuesday.
The development adds to the dangers exposed by the WannaCry ransomware and provides another piece of evidence that a North Korea-linked hacking group may be behind the attacks.
WannaCry, developed in part with hacking techniques that were either stolen or leaked from the U.S. National Security Agency, has infected more than 300,000 computers since Friday, locking up their data and demanding a ransom payment to release it.
Researchers at security firm Proofpoint said the related attack, which installs a currency “miner” that generates digital cash, began infecting machines in late April or early May but had not been previously discovered because it allows computers to operate while creating the digital cash in the background.
Proofpoint executive Ryan Kalember said the authors may have earned more than $1 million, far more than has been generated by the WannaCry attack.
Like WannaCry, the program attacks via a flaw in Microsoft Corp’s Windows software. That hole has been patched in newer versions of Windows, though not all companies and individuals have installed the patches.
Digital currencies based on a technology known as blockchain operate by enabling the creation of new currency in exchange for solving complex math problems. Digital “miners” run specially configured computers to solve the problems and generate currency, whose value ultimate fluctuates according to market demand.
Bitcoin is by far the largest such currency, but the new mining program is not aimed at Bitcoin. Rather it targeted a newer digital currency, called Monero, that experts say has been pursued recently by North Korean-linked hackers.
North Korea has attracted attention in the WannaCry case for a number of reasons, including the fact that early versions of the WannaCry code used some programming lines that had previously been spotted in attacks by Lazarus Group, a hacking group associated with North Korea.
Security researchers and U.S. intelligence officials have cautioned that such evidence is not conclusive, and the investigation is in its early stages.
In early April, security firm Kaspersky Lab said that a wing of Lazarus devoted to financial gain had installed software to mine Monero on a server in Europe.
A new campaign to mine the same currency, using the same Windows weakness as WannaCry, could be coincidence, or it could suggest that North Korea was responsible for both the ransomware and the currency mining.
Kalember said he believes the similarities in the European case, WannaCry and the miner were “more than coincidence.”
“It’s a really strong overlap,” he said. “It’s not like you see Monero miners all over the world.”
The North Korean mission to the United Nations could not be reached for comment, while the FBI declined to comment.
(Fixes spelling of digital currency in paragraphs 11 and 14 to Monero not Moreno.)
(Reporting by Joseph Menn; Editing by Jonathan Weber and Cynthia Osterman)