Washington - Cyber security researchers have found technical evidence they said could link the DPRK with the global WannaCry "ransomware" cyber attack that has infected more than 300,000 computers in 150 countries since Friday.
Symantec and Kaspersky Lab said on Monday that some code in an earlier version of the WannaCry software had also appeared in programs used by the Lazarus Group, which researchers from many companies have identified as a DPRK-run hacking operation.
"This is the best clue we have seen to date as to the origins of WannaCry," Kaspersky Lab researcher Kurt Baumgartner told Reuters.
Both firms said it was too early to tell whether the DPRK was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta. The attacks, which slowed on Monday, are among the fastest-spreading extortion campaigns on record.
In a blog post on Sunday, Microsoft Corp President Brad Smith confirmed what researchers had already widely concluded: The attack made use of a hacking tool built by the US National Security Agency (NSA) that had leaked online in April.
He poured fuel on a long-running debate over how government intelligence services should balance their desire to keep software flaws secret - in order to conduct espionage and cyber warfare - against sharing those flaws with technology companies to better secure the internet.
On Monday, Trump homeland security adviser Tom Bossert sought to distance the NSA from any blame.
"This was not a tool developed by the NSA to hold ransom data. This was a tool developed by culpable parties, potentially criminals or foreign nation-states, that were put together in such a way as to deliver phishing emails, put it into embedded documents, and cause infection, encryption and locking," Bossert said.
Russian President Vladimir Putin, noting the technology's link to the US spy service, said it should be "discussed immediately on a serious political level."
"Once they're let out of the lamp, genies of this kind, especially those created by intelligence services, can later do damage to their authors and creators," he said.
Regardless of the source of the attack, investors piled into cyber security stocks on Monday, betting that governments and corporations will spend more to upgrade their defenses.
The perpetrators had raised less than $70,000 from users paying to regain access to their computers, Bossert said.
"We are not aware if payments have led to any data recovery," Bossert said, adding that no US federal government systems had been affected.
WannaCry demanded ransoms starting at $300, in line with many cyber extortion campaigns, which keep pricing low so more victims will pay.
Still, some security experts said they were not sure if the motive of WannaCry was primarily to make money, noting that large cyber extortion campaigns typically generate millions of dollars of revenue.
"I believe that this was spread for the purpose of causing as much damage as possible," said Matthew Hickey, a co-founder of British cyber consulting firm Hacker House.
The economies most affected by WannaCry to date are Russia, Taiwan, Ukraine and India, according to security firm Avast.
The number of infections has fallen dramatically since Friday's peak when more than 9,000 computers were being hit per hour.
Authorities in Europe and the United States turned their attention to preventing hackers from spreading new versions of the virus.