Attacks using malware called BadRabbit hit Russia and other nations on Tuesday, taking down Russia’s Interfax news agency and causing flight delays at Ukraine’s Odessa airport.

BadRabbit came on the heels of attacks in May and June that used similar malware and resulted in what some economists estimated are billions of dollars in losses.

“It is highly likely that the same group of hackers was behind (the) BadRabbit ransomware attack on Oct. 25, 2017 and the epidemic of the NotPetya virus, which attacked the energy, telecommunications and financial sectors in Ukraine in June 2017,” Group-IB said in a technical report. “Research revealed that the BadRabbit code was compiled from NotPetya sources.”

Investigators caution that attributing cyber attacks is a slippery business and it remains possible that copycats are simply using the older group’s tools.

Ukrainian officials have said the NotPetya attack was directly targeted Ukraine and was linked to a group of suspected Russian hackers known as BlackEnergy who have carried out a sustained campaign against Ukraine’s energy industry since at least December 2015.

Most of BadRabbit’s victims were in Russia, followed by Ukraine, Bulgaria, Turkey, and Japan, according to cyber firm ESET.

But Group-IB said some parts of the BadRabbit virus dated from mid-2014, suggesting the hackers used old tools from previous attacks. “This corresponds with BlackEnergy timeframes, as the group started its notable activity in 2014,” it said.

Group-IB also said BadRabbit operated as genuine ransomware, encrypting files, and charging its victims a fee to have them released. That is in contrast to NotPetya, which also made ransom demands but made infected files impossible to recover.

Using a proper ransomware virus may have been part of an attempt by the BadRabbit culprits to disguise themselves as cyber criminals, Group-IB said, providing a “smokescreen” for a possible state-sponsored attack.