Earlier this week, I wrote about some analysis conducted by Symantec that suggested WannaCry was likely linked to threat actors from North Korea. But there's further evidence now that has people wondering what is really going on.
The Institute for Critical Infrastructure Technology (ICIT) posted an article suggesting Symantec's analysis was premature. Their words were quite strong.
...firms motivated by private agendas are dangerously attempting to shift public dialogue back to speculation of attribution despite a clear and present necessity for pervasive, transparent, and inclusive dialogue addressing the underlying weaknesses in cybersecurity culture and critical infrastructure systems that enabled the May 12, 2017 WannaCry attack to succeed in the first place.
And today, a linguistic analysis released by Flashpoint that examined 28 WannaCry ransom notes written in various language including simplified and traditional Chinese, Danish, Dutch, English, French, German, Indonesian, Italian, Japanese, Korean, Norwegian, Portuguese, Romanian, Russian, Spanish, Swedish and Turkish found that the authors of WannaCry are fluent Chinese speakers and they also appear to know English.
I think, the bottom line here is that it we really aren't clear who pushed the WannaCry snowball down the hill first, and that it's possible multiple threat actors were involved.