NKOREA-POLITICS-CONGRESS-PARTY-PARADE
North Korean leader Kim Jong-Un waves from a balcony of the Grand People's Study House following a mass parade marking the end of the 7th Workers Party Congress in Kim Il-Sung Square in Pyongyang on May 10, 2016. North Korea kicked off a massive parade in the centre of Pyongyang on May 10 to celebrate a just-concluded ruling party congress that was seen as a formal coronation for supreme leader Kim Jong-Un. / AFP / Ed Jones (Photo credit should read ED JONES/AFP/Getty Images) ED JONES AFP/Getty Images

Ransomware Attack: Clue Points to North Korea

May 15, 2017

Who's behind the ransomware known as WannaCry that is wrecking havoc on computers around the world? We don't know for sure, but a security researcher has found a piece of evidence that points to a culprit: a North Korean operation known as the Lazarus Group.

The online epidemic, which began on Friday, involves hackers exploiting a flaw in older versions of Microsoft software in order to lock the computers—including those of companies and the U.K. health service—and demanding payment to unlock them.

On Monday, Google security researcher Neel Mehta tweeted lines of code from the current ransomware attack that had also been used in a separate 2015 attack. The earlier attack has been tied to the Lazarus Group, so the reuse of the code is a possible clue that the group is also behind the ransom.

The Lazarus Group, which is responsible for a series of online heists targeting central banks, is believed to be a North Korea military outfit that funds its cyber warfare operations through crime. The wanton character of the current ransomware attacks would be consistent with previous behavior by the Lazarus Group.

Get Data Sheet, Fortune’s technology newsletter.

The computer code tweeted by Mehta, however, is far from definitive evidence North Korea is responsible for the ransomware. There are numerous reasons (including the fact hackers regularly borrow malicious computer code) to avoid drawing firm conclusions.

Nonetheless, Mehta's discovery is getting serious attention from top security researchers, who are weighing in on Twitter:

Meanwhile, one Twitter user floated a theory that the North Koreans had somehow fouled up the attack—possibly referring to the fact that a U.K. security researcher was able to trigger a so-called "kill switch" that shut down part of the ransomware attacks, partially limiting the fallout.

Meanwhile, as reported by CyberScoop, researchers at Kaspersky Labs—a highly regarded security firm—published a blog post supporting the theory that Lazarus Group could be tied to the ransomware attacks.

"We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry," said the blog post.

Kaspersky Labs also rejected the idea that Mehta's discovery was a "false flag" planted by the perpetrator of the attacks in order to wrongly incriminate North Korea.

U.S. and European security officials told Reuters on condition of anonymity that it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.

All products and services featured are based solely on editorial selection. FORTUNE may receive compensation for some links to products and services on this website.

Quotes delayed at least 15 minutes. Market data provided by Interactive Data. ETF and Mutual Fund data provided by Morningstar, Inc. Dow Jones Terms & Conditions: http://www.djindexes.com/mdsidx/html/tandc/indexestandcs.html. S&P Index data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Terms & Conditions. Powered and implemented by Interactive Data Managed Solutions