Security experts are examining a potential link in the computer code behind Friday's global cyber attack with earlier ones that could suggest North Korea was responsible.
More than 300,000 computers in 150 countries have been infected with the WannaCry "ransomware" virus since the attack, crippling organisations from government agencies and global companies.
The NHS was also badly affected, with 47 trusts in England and 13 Scottish health boards compromised when the virus targeted computers with outdated security.
Marcus Hutchins, a young British computer expert, was hailed a hero for helping to shut down the crippling cyber attack after discovering a so-called "kill switch" that slowed the effects of the WannaCry virus as it swept through computer systems around the world.
Cyber experts are studying similarities between the computer code used in the WannaCry attack with malware distributed by Lazarus, a hacking group behind attacks on Sony Pictures in 2014 that was blamed on North Korea.
The potential link was highlighted on Monday by a researcher from Google who posted a message on Twitter showing a sample of the WannaCry malware that appeared online in February.
Researchers from global cyber security company Kaspersky Lab, whose European headquarters is in London, identified clear code similarities between the WannaCry virus and attacks by Lazarus in 2015.
Kaspersky Lab said: "The similarity of course could be a false flag operation.
"However, the analysis of the February sample and comparison to WannaCry samples used in recent attacks shows that the code which points at the Lazarus group was removed from the WannaCry malware used in the attacks started last Friday.
"This can be an attempt to cover traces conducted by orchestrators of the WannaCry campaign.
"Although this similarity alone doesn't allow proof of a strong connection between the WannaCry ransomware and the Lazarus Group, it can potentially lead to new ones which would shed light on the WannaCry origin which to the moment remains a mystery."
David Emm, principal security researcher at Kaspersky Lab, said there was a "commonality of code" between the WannaCry and Lazarus viruses.
He told the Press Association: "There's a precursor to the WannaCry, a WannaCry sample that goes back to February. The commonality is between that early WannaCry sample and some of the Lazarus code.
"Looking at that, there seems to be some commonality. It is possible that this has been deliberately set as a false flag, and we do see false flag operations where attackers will deliberately try to throw researchers off the scent by making it look like something else other than themselves.
"But we think actually that this is probably not the case - we think it is a legitimate connection between the two."
Mr Emm said it was unclear where the Lazarus code came from when it first emerged in 2011, but following the Sony Pictures attack, the FBI were "certainly pointing the finger at North Korea".
He said: "One of the issues to do with attribution (finding a source) is that we get to look at code, and code can tell us quite a bit about the nature of the attack. What it doesn't always tells us is additional information.
"You can get some information from IP addresses, but on the other hand it's possible also to spoof those.
"But if you're looking at agencies like the FBI, clearly they have access to intelligence that we don't.
"As cyber security researchers we're focused very much on code, they get human intel and other factors they can take into account as well."
Researchers at US software company Symantec and South Korean antivirus software company Hauri have also found similarities between WannaCry malware and the previous attacks blamed on North Korea.
The cyber attack paralysed large swathes of the NHS, with seven hospital trusts experiencing serious problems.
One of those, James Paget University Hospitals Trust in Norfolk, said on Tuesday all of its operations and appointments are going ahead as scheduled.
It came as the former head of Britain's eavesdropping service hit out at Microsoft for failing to protect vulnerable computer systems affected by the ransomware attack.
Sir David Omand, the former head of GCHQ who was once homeland security adviser to Number 10, said the tech giant knew public bodies around the world were at risk from hackers.
In a letter to The Times, Sir David said: "Should Microsoft have stopped supporting Windows XP so soon, knowing that institutions had invested heavily in it (at the urging of the company at the time)?"
The vulnerability in the Microsoft operating system had long been known by US spies.
The National Security Agency (NSA) was accused by the Windows manufacturer of "stockpiling" information about software flaws for their own operational benefit, rather than working with companies to fix it.
The stockpile was later leaked online, allowing hackers to infiltrate secure systems.
Microsoft's senior legal voice Brad Smith said it was equivalent to "the US military having some of its Tomahawk missiles stolen", but the White House said it was wrong to blame the NSA.
Homeland security adviser Tom Bosser told reporters: "This was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties - potentially criminals or foreign nation states."
Mr Hutchins was hailed as "a hero" for helping shut down the cyber attack.
The Briton, who works for Los Angeles-based Kryptos Logic but is from Ilfracombe in north Devon, spent the weekend fighting the virus, which meant computer systems could return to relative normality.
The 22-year-old told the Associated Press: "I'm definitely not a hero. I'm just someone doing my bit to stop botnets."
Why are you making commenting on The Herald only available to subscribers?
It should have been a safe space for informed debate, somewhere for readers to discuss issues around the biggest stories of the day, but all too often the below the line comments on most websites have become bogged down by off-topic discussions and abuse.
heraldscotland.com is tackling this problem by allowing only subscribers to comment.
We are doing this to improve the experience for our loyal readers and we believe it will reduce the ability of trolls and troublemakers, who occasionally find their way onto our site, to abuse our journalists and readers. We also hope it will help the comments section fulfil its promise as a part of Scotland's conversation with itself.
We are lucky at The Herald. We are read by an informed, educated readership who can add their knowledge and insights to our stories.
That is invaluable.
We are making the subscriber-only change to support our valued readers, who tell us they don't want the site cluttered up with irrelevant comments, untruths and abuse.
In the past, the journalist’s job was to collect and distribute information to the audience. Technology means that readers can shape a discussion. We look forward to hearing from you on heraldscotland.com
Comments & Moderation
Readers’ comments: You are personally liable for the content of any comments you upload to this website, so please act responsibly. We do not pre-moderate or monitor readers’ comments appearing on our websites, but we do post-moderate in response to complaints we receive or otherwise when a potential problem comes to our attention. You can make a complaint by using the ‘report this post’ link . We may then apply our discretion under the user terms to amend or delete comments.
Post moderation is undertaken full-time 9am-6pm on weekdays, and on a part-time basis outwith those hours.
Read the rules hereLast Updated:
Report this comment Cancel