Researchers at Kaspersky Lab have uncovered new evidence linking the WannaCry ransomware code to North Korea. In a post today, the group detailed a segment of code used in both an early WannaCry variant and a February 2015 sample attributed to the Lazarus Group, a Kaspersky-tracked actor tied to the North Korean government. The overlap was first spotted by Google researcher Neel Mehta, and Kaspersky believes the similarity goes far beyond shared code.

“We strongly believe the February 2017 sample was compiled by the same people,” Kaspersky writes, “or by people with access to the same source code as the May 2017 WannaCry encryptor used in the May 11th wave of attacks.”

Symantec found similar connections, according to a report in Cyberscoop, although the company said it was difficult to suss out the meaning of the shared code. “While these connections exist, they so far only represent weak connections,” the company said in a statement. “We are continuing to investigate for stronger connections.”

On some level, it’s hard to know what to make of this. WannaCry behaves like standard criminal ransomware, and before this latest finding, there was no reason to suspect a nation state was behind it. This kind of early code analysis is necessarily speculative, and it’s entirely plausible that the WannaCry authors lifted the relevant code from a North Korean sample just like they lifted the EternalBlue code from the NSA. Even if all of Kaspersky’s assumptions are true, it could be the result of an internal data breach rather than a government operation.

Still, it’s a tantalizing clue toward the origins of one of the most damaging worms the internet has ever seen. If there is some connection between WannaCry and North Korea, it would suggest the origins of the attack are far more unusual than anyone suspected.