Governments have turned their attention to a possible new wave of cyber attacks after the group that leaked US hacking tools used to launch the global WannaCrypt ransomware attack warned it would release more exploits.
The fast-spreading extortion campaign, which has infected more than 300,000 computers worldwide since Friday, eased for the second day yesterday, but the identity and motive of its creators remain unknown.
The attack includes exploits that belong to the US National Security Agency and were leaked online last month.
Shadow Brokers, the group that has taken credit for that leak, threatened on Tuesday to release more exploits to enable hackers to break into the world's most widely used computers, software and phones.
A blog post written by the group promised from June to release tools every month to anyone willing to pay for access to some of the tech world's biggest commercial secrets.
It also threatened to dump data from banks using the SWIFT international money transfer network and from Russian, Chinese, Iranian or North Korean nuclear and missile programs. "More details in June," it promised.
The spread of the WannaCrypt attack slowed to a trickle on Tuesday, with few, isolated examples being reported.
In Canada, the Universite de Montreal was hit, with 120 of the French-language university’s 8300 computers affected, according to a university spokeswoman.
There were no new, major incidents in the United States. Fewer than 10 US organisations have reported attacks to the Department of Homeland Security since Friday, a US official said.
The attack has caused most damage in Russia, Taiwan, Ukraine and India, according to Czech security firm Avast.
Microsoft said on Tuesday it was aware of Shadow Brokers' most recent claim and that its security teams monitor potential threats in order to "help us prioritise and take appropriate action."
North Korea link probed
Security researchers around the world have said they have found evidence that could link North Korea with the WannaCrypt attack.
A researcher from South Korea's Hauri Labs said its findings matched those of Symantec and Kaspersky Lab, who said on Monday that some code in an earlier version of the WannaCrypt software had also appeared in code used by the Lazarus Group, identified by some researchers as a North Korea-run hacking operation.
"It is similar to North Korea's backdoor malicious codes," said Simon Choi, a senior researcher with Hauri who has done extensive research into North Korea's hacking capabilities and advises South Korean police and National Intelligence Service.
Both Symantec and Kaspersky said it was too early to tell whether North Korea was involved in the attacks, based on the evidence that was published on Twitter by Google security researcher Neel Mehta.
FireEye said it was also investigating, but it was cautious about drawing a link to North Korea.
"The similarities we see between malware linked to that group and WannaCry are not unique enough to be strongly suggestive of a common operator," FireEye researcher John Miller said.
US and European security officials told Reuters on condition of anonymity that it was too early to say who might be behind the attacks, but they did not rule out North Korea as a suspect.
The Lazarus hackers, acting for impoverished North Korea, have been more brazen in their pursuit of financial gain than others, and have been blamed for the theft of US$81 million from the Bangladesh central bank, according to some security firms. The United States accused it of being behind a cyber attack on Sony Pictures in 2014.
North Korea has denied being behind the Sony and banking attacks. North Korean officials were not immediately available for comment and its state media has been quiet about the matter.