In the wake of Friday’s global cyberattack that disrupted around 300,000 computer systems in more than 150 nations, cybersecurity experts speculated that uncovering the perpetrator could take months of investigation. While this might still be true, a group of cybersecurity researchers has confirmed the first piece of legitimate evidence linking the ransomware to North Korean hackers. On Monday, researchers from two cybersecurity providers—the American software company Symantec and the Russian-based Kaspersky Lab—revealed that some of the code used in the ransomware, known as WannaCry, was nearly identical to code used by the Lazarus Group, a North Korean hacking operation.
The connection was first hinted at on Twitter by Neel Mehta, a Google security researcher. While the link is mostly speculative, researchers say the code is exclusive to North Korean hackers, who used an extremely similar version for three of the most prominent cyberattacks in recent history: the 2014 hack of Sony Pictures Entertainment, the 2016 hack of Bangladesh Central Bank, and a February hack of several Polish banks. Still, both the Kaspersky Lab and Symantec—which has previously identified hacks carried out by the United States, Israel, and North Korea—said they would need to investigate further before confirming North Korea’s involvement.