Seoul cyber experts warn of more attacks as North blamed

More than 200,000 computers in 150 countries were hit by the ransomware attack, described as the largest ever of its kind, over the weekend.

Since Friday, banks, hospitals and state agencies have been among the victims of hackers exploiting vulnerabilities in older versions of Microsoft computer operating systems and demanding payment in the virtual currency Bitcoin.

The code used in the latest attack shared many similarities with past hacks blamed on the North, including the targeting of Sony Pictures and the central bank of Bangladesh, said Simon Choi, director of Seoul internet security firm Hauri.

Choi, known to have vast troves of data on Pyongyang's hacking activities, has publicly warned against potential ransomware attacks by the North since last year.

"I saw signs last year that the North was preparing ransomware attacks or even already beginning to do so, targeting some South Korean companies," he told AFP.

He cited a major attack last year that stole the data of over 10 million users of Interpark, a Seoul-based online shopping site, in which hackers demanded bitcoin payments worth about $3 million.

Seoul police blamed the North's main intelligence agency for the attack.

More attacks were possible, Choi said, "especially given that, unlike missile or nuclear tests, they can deny their involvement in attacks in cyberspace and get away with it".

Security researchers in the US, Russia and Israel have also reported signs of a potential North Korean link to the latest cyberattack, although there is no conclusive evidence yet.

Google researcher Neel Mehta posted details showing similarities between the "WannaCry" malware and computer code used by the Lazarus hacking group, widely believed to be connected to Pyongyang.

The isolated, nuclear-armed state is known to operate an army of thousands of hackers operating in both the North, and apparently China, and has been blamed for a number of major cyberattacks.

In November 2014, Sony Pictures Entertainment became the target of the biggest cyberattack in US corporate history, linked to its release of North Korea satire "The Interview", hated by Pyongyang.

Washington blamed Pyongyang for the hacking, a claim it denied -- though it had strongly condemned the film, which features a fictional CIA plot to assassinate leader Kim Jong-Un.
'Encrypted!' 

The North appears to have stepped up cyber-attacks in recent years in a bid to earn hard foreign currency in the face of United Nations sanctions imposed over its nuclear and missile programmes, Choi said.

He claimed to have last year tracked down an elite North Korean hacker who boasted online that the country was conducting tests for ransomware attacks.

On an online messenger system, Choi told AFP, "He said he and his colleagues were running tests for ransomware attacks."

The hacker was believed to be from the North's elite Kim Chaek University of Technology in Pyongyang and suspected of launching multiple cyber-attacks on North Korean defector organisations in Seoul, Choi said.

His IP address and other digital traces pointed to the North, he added.

So far 11 South Korean companies have been affected by WannaCry, Seoul's Yonhap news agency said, citing data from the state-run Korea Internet and Security Agency.

The malware blocks computers and puts up images on victims' screens demanding payment of $300 in the virtual currency Bitcoin, saying: "Ooops, your files have been encrypted!"

Payment is demanded within three days or the price is doubled, and if none is received within seven days the locked files will be deleted, according to the message.

The malware uses a hacking tool known as EternalBlue, which was published last month by an anonymous hacking group called Shadow Brokers, saying it had been obtained from the US National Security Agency.

"When the leak was published, I thought the North would never miss a chance like this," Lim Jong-In, a professor of Korea University Graduate School of Information Security, told AFP.

"I'm afraid that there may be more attacks down the road using the rest of the tools leaked in April," he said.