In the first clues of the origin of the massive ransomware attacks, Google researcher Neel Mehta posted computer code that showed similarities between the "WannaCry" malware and a vast hacking effort widely attributed to North Korea.
Cyber security researchers have found evidence they say could link North Korea with the "WannaCry" cyber attack that has infected more than 300,000 computers worldwide, as global authorities scrambled to prevent hackers from spreading new versions of the virus.
A researcher from South Korea's Hauri Labs said on Tuesday their own findings matched those of Symantec and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCry software had also appeared in programmes used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.
"It is similar to North Korea's backdoor malicious codes," said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea's hacking capabilities and advises South Korean police and National Intelligence Service.
Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.
The attacks, which slowed on Monday, are among the fastest-spreading extortion campaigns on record.
The "ransomeware" blocks computers and puts up images on victims' screens demanding payment of $300 (275 euros) in the virtual currency Bitcoin, saying: "Ooops, your files have been encrypted!"
Experts urge caution
FireEye Inc, another large cyber security firm, said it was also investigating, but it was cautious about drawing a link to North Korea.
"The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller said.
The European police agency also said it was too early to determine who was behind a massive cyber attack.
"We are open to investigate in all directions, but we don't speculate and we cannot confirm this. It's still too early to say anything," said senior spokesman for Europol, Jan Op Gen Oorth.
"We are working on it. The investigation is ongoing," he told AFP. "It could come from everywhere, it could come from any country."