Who’s behind the ransomware known as WannaCry that is wrecking havoc on computers around the world? We don’t know for sure, but a security researcher has found a piece of evidence that points to a culprit: a North Korean operation known as the Lazarus Group.
The online epidemic, which began on Friday, involves hackers exploiting a flaw in older versions of Microsoft software in order to lock the computers—including those of companies and the U.K. health service—and demanding payment to unlock them.
On Monday, Google security researcher Neel Mehta tweeted lines of code from the current ransomware attack that had also been used in a separate 2015 attack. The earlier attack has been tied to the Lazarus Group, so the reuse of the code is a possible clue that the group is also behind the ransom.
The Lazarus Group, which is responsible for a series of online heists targeting central banks, is believed to be a North Korea military outfit that funds its cyber warfare operations through crime. The wanton character of the current ransomware attacks would be consistent with previous behavior by the Lazarus Group.
The computer code tweeted by Mehta, however, is far from definitive evidence North Korea is responsible for the ransomware. There are numerous reasons (including the fact hackers regularly borrow malicious computer code) to avoid drawing firm conclusions.
Nonetheless, Mehta’s discovery is getting serious attention from top security researchers, who are weighing in on Twitter:
Very interesting seeing shared code here. https://t.co/CVnCEnzcvd
— Shane Huntley (@ShaneHuntley) May 15, 2017
9c7c7149387a1c79679a87dd1ba755bc @ 0x402560, 0x40F598
ac21c8ad899727137c4b94458d7aa8d8 @ 0x10004ba0, 0x10012AA4#WannaCryptAttribution
— Neel Mehta (@neelmehta) May 15, 2017
Meanwhile, one Twitter user floated a theory that the North Koreans had somehow fouled up the attack—possibly referring to the fact that a U.K. security researcher was able to trigger a so-called “kill switch” that shut down part of the ransomware attacks, partially limiting the fallout.
ok, i'll buy this theory. Russian-trained North Koreans attempting to actually make money when they screwed up https://t.co/mTqsSHoWpt
— davi (((🐧))) 德海 (@daviottenheimer) May 15, 2017
Meanwhile, as reported by CyberScoop, researchers at Kaspersky Labs—a highly regarded security firm—published a blog post supporting the theory that Lazarus Group could be tied to the ransomware attacks.
“We believe this might hold the key to solve some of the mysteries around this attack. One thing is for sure — Neel Mehta’s discovery is the most significant clue to date regarding the origins of Wannacry,” said the blog post.
Kaspersky Labs also rejected the idea that Mehta’s discovery was a “false flag” planted by the perpetrator of the attacks in order to wrongly incriminate North Korea.
U.S. and European security officials told Reuters on condition of anonymity that it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.
This story originally appeared on Fortune.com. Copyright 2017