It is widely believed that the Lazarus Group worked out of China, but on behalf of the North Koreans.
Security experts are now cautiously linking the Lazarus Group to this latest attack after a discovery by Google security researcher Neel Mehta. He found similarities between code found within WannaCry - the software used in the hack - and other tools believed to have been created by the Lazarus Group in the past.
It's a mere sliver of evidence, but there are other clues to consider too.
Prof Alan Woodward, a security expert, pointed out to me that the text demanding the ransom uses what reads like machine-translated English, with a Chinese segment apparently written by a native speaker.
"As you can see it's pretty thin and all circumstantial," Prof Woodward said.
"However, it's worth further investigation."
"Neel Mehta’s discovery is the most significant clue to date regarding the origins of WannaCry,” said Russian security firm Kaspersky, but noted a lot more information is needed about earlier versions of WannaCry before any firm conclusion can be reached.
"We believe it’s important that other researchers around the world investigate these similarities and attempt to discover more facts about the origin of WannaCry,” the company added.
"Looking back to the Bangladesh attack, in the early days, there were very few facts linking them to the Lazarus Group.
"In time, more evidence appeared and allowed us, and others, to link them together with high confidence. Further research can be crucial to connecting the dots."