>In its blog post, Kaspersky acknowledged that the repetition of the code could be a "false flag" meant to mislead investigators and pin the attack on North Korea. After all, the WannaCry authors cribbed techniques from the NSA as well. The ransomware leverages an NSA exploit known as EternalBlue that a hacker group known as Shadow Brokers made public last month.
>Kaspersky called that false flag scenario "possible" but "improbable."
This is more a standard disclaimer of any intelligence analyst than a serious qualification in this case. When trying to attribute something that allows easy copycats, an investigator will obviously constantly be thinking "is this clue genuine or intentionally placed to suggest a different origin?" And without an incredible amount of evidence, it's hard to definitively say certain malware or tools were written or used by a particular entity.