Researchers also say the same tools used in previous Lazarus attacks on banks and media companies in South Korea in 2013 were used in the WannaCry ransomware episode.

Those tools have evolved, but are what researchers call “variants” of the same tools used in the other attacks.

Researchers also said they saw heavy crossover between the computer code in the earlier attacks and WannaCry. That crossover provided what Mr. Chien said was yet another “hard link.”

Other digital crumbs linking the North Korean group to WannaCry include a tool that deletes data that had been used in other Lazarus attacks. The hackers behind WannaCry also used a rare encryption method and an equally unusual technique to cover their tracks.

“We don’t see that used anywhere else,” Mr. Chien said.

In the February WannaCry attacks, Symantec’s researchers said the hackers spread from server to server the same way the Lazarus hackers had in their previous attacks.

In May, another group of hackers that call themselves the Shadow Brokers published the details of National Security Agency hacking tools that the WannaCry hackers were able to use to add muscle to their attacks. They used a leaked N.S.A. hacking tool to automatically spread from server to server, eventually infecting hundreds of thousands of machines around the world, most notably in Europe and Asia.

Some computer security experts have said it is too soon to accuse North Korea, and North Korean officials have denied involvement.