Linguistic analysis conducted by security firm Flashpoint has indicated that hackers behind WannaCry ransomware attacks speak fluent Chinese.
The linguistic analysis also confirms that WannaCry notes posted by hackers were translated from Chinese and English to other languages.
The hackers behind WannaCry ransomware attacks left ransom notes in as many as 28 different languages around the world. A linguistic analysis was conducted on these noted by researchers at Flashpoint to find out the native language and origins of such hackers.
The researchers noted that out of the 28 different notes, three of them were written by humans and the rest were translated from one of these languages to others using translation tools like Google Translate. The handwritten languages were Chinese (Simplified), Chinese (Traditional) and English, which made it clear that the hackers spoke any of these tongues and used translation tools to translate from either Chinese or English to other languages.
However, the researchers found that even though the note written in English suggested that the writer had a strong command of the language, a glaring grammatical error in the note also suggested that the hacker behind it spoke English but was not a native English speaker.
"Flashpoint found that the English note was used as the source text for machine translation into the other languages. Comparisons between the Google translated versions of the English ransomware note to the corresponding WannaCry ransom note yielded nearly identical results, producing a 96% or above match," the researchers wrote in a blog post.
However, The researchers also discovered that the notes written in both traditional and simplified Chinese languages were not translated from English, as both notes differed substantially from other notes in 'content, format, and tone.'
"A number of unique characteristics in the note indicate it was written by a fluent Chinese speaker. A typo in the note, “帮组” (bang zu) instead of “帮助” (bang zhu) meaning “help,” strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version."
"More generally, the note makes use of proper grammar, punctuation, syntax, and character choice, indicating the writer was likely fluent or at least native. There is, however, at least one minor grammatical error which may be explained by autocomplete, or a copy-editing error," they added.
The researchers have thus concluded that not only do the hackers speak Chinese, but their choice of words is consistent with the dialect spoken in Southern China, Hong Kong, Taiwan, or Singapore, which may point to the fact that such hackers reside in any of these places. "The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language—perhaps comfortable enough to use the language to write the initial note," they said. However, they have also urged caution, stating that the hackers may have deliberately employed these tools with an intention to mislead researchers.