Who’s behind the ransomware known as WannaCry that is wrecking havoc on computers around the world? We don’t know for sure, but a security researcher has found a piece of evidence that points to a culprit: a North Korean operation known as the Lazarus Group.
The online epidemic, which began on Friday, involves hackers exploiting a flaw in older versions of Microsoft software in order to lock the computers—including those of companies and the U.K. health service—and demanding payment to unlock them.
On Monday, Google security researcher Neel Mehta tweeted lines of code from the current ransomware attack that had also been used in a separate 2015 attack. The earlier attack has been tied to the Lazarus Group, so the reuse of the code is a possible clue that the group is also behind the ransom.
The Lazarus Group, which is responsible for a series of online heists targeting central banks, is believed to be a North Korea military outfit that funds its cyber warfare operations through crime. The wanton character of the current ransomware attacks would be consistent with previous behavior by the Lazarus Group.
Get Data Sheet, Fortune’s technology newsletter.
The computer code tweeted by Mehta, however, is far from definitive evidence North Korea is responsible for the ransomware. There are numerous reasons (including the fact hackers regularly borrow malicious computer code) to avoid drawing firm conclusions.
Nonetheless, Mehta’s discovery is getting serious attention from top security researchers, who are weighing in on Twitter:
Very interesting seeing shared code here. https://t.co/CVnCEnzcvd
— Shane Huntley (@ShaneHuntley) May 15, 2017
For everyone following #Wanacry / #wannacrypt, @neelmehta has provided a join the dots. https://t.co/UQwWd04KWx
— Morgan Marquis-Boire (@headhntr) May 15, 2017
Meanwhile, one Twitter user floated a theory that the North Koreans had somehow fouled up the attack—possibly referring to the fact that a U.K. security researcher was able to trigger a so-called “kill switch” that shut down part of the ransomware attacks, partially limiting the fallout.
https://twitter.com/daviottenheimer/status/864217650498600962
Meanwhile, as reported by CyberScoop, researchers at Kaspersky Labs—a highly regarded security firm—published a blog post supporting the theory that Lazarus Group could be tied to the ransomware attacks.
“We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry,” said the blog post.
Kaspersky Labs also rejected the idea that Mehta’s discovery was a “false flag” planted by the perpetrator of the attacks in order to wrongly incriminate North Korea.
U.S. and European security officials told Reuters on condition of anonymity that it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.
