Cybersecurity firms have found clues that last weekend's global "ransomware" attack that infected more than 300,000 computers in 150 countries could be linked to North Korea.
The security companies Sympantec and Kaspersky Lab said on May 15 that portions of the "WannaCry" ransomware used in the attacks have the same code as malware previously distributed by Lazarus, a group behind the 2014 Sony hack blamed on North Korea.
"This is the best clue we have seen to date as to the origins of WannaCry," Kaspersky researchers said.
But it's possible the code was simply copied from the Lazarus malware without any other direct connection, the companies said.
Symantec said the similarities between WannaCry and Lazarus tools "so far only represent weak connections. We are continuing to investigate for stronger connections."
Israeli security firm Intezer Labs said it agreed North Korea might be behind the attack.
The WannaCry virus over the weekend paralyzed vital computer systems around the world that run factories, banks, government agencies, and transport systems in some 150 countries.
The virus mainly hit computers running older versions of Microsoft Windows software that had not been recently updated.
But by May 15, the fast-spreading extortion scheme was waning. The only new outbreaks reported were in China, where traffic police and schools said they had been targeted, but there were no major disruptions.
The link to North Korea found by the security firms will be closely followed by law enforcement agencies around the world, including Washington.
U.S. President Donald Trump's homeland security adviser said on May 15 that both foreign nations and cyber criminals were possible culprits.
Symantec and Kaspersky said they need to study the code more and asked for others to help with the analysis. Hackers reuse code from other operations at times, so even copied lines fall well short of proof.
U.S. and European security officials told Reuters that it was still too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.
The Lazarus hackers, acting for impoverished North Korea, have been more brazen in pursuit of financial gain than some other hackers, and have been blamed for the theft of $81 million from a Bangladesh bank.
Moreover, North Korea might have motives to launch such a large-scale, global attack as its economy is crumbling under some of the stiffest-ever UN economic sanctions imposed over its repeated testing of nuclear bombs and ballistic missiles.
The United Nations Security Council on May 15 condemned Pyongyang's latest missile test on May 14, and vowed to take further measures, including possible new sanctions, in response to its "highly destabilizing behavior and flagrant and provocative defiance" of existing prohibitions against such tests.
Whoever is responsible, the perpetrators of the massive weekend attacks have raised very little money thus far -- less than $70,000 from users looking to regain access to their computers, according to Trump homeland security adviser Tom Bossert.
Some private sector cybersecurity experts do not believe the motive of the attacks was primarily to make money, given the apparently meager revenues that were raised by the unprecedented large operation. They said that wreaking havoc likely was the primary goal.
The countries most affected by WannaCry were Russia, Taiwan, Ukraine, and India, according to Czech security firm Avast.
Bossert denied charges by Russian President Vladimir Putin and others that the attacks originated in the United States, and came from a hacking tool developed by the U.S. National Security Agency that was later leaked online.
"This was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states, that were put together in such a way as to deliver phishing e-mails, put it into embedded documents, and cause infection, encryption, and locking," Bossert said.
British media were hailing as a hero a 22-year-old computer security whiz who appeared to have helped stop the attack from spreading by discovering a "kill switch" - an internet address which halted the virus when activated.