Were Chinese hackers behind WannaCry after all? Experts claim to have narrowed the search
Analysis of ransom notes suggest they were written in Chinese then translated into other languages using Google Translate
Despite seemingly being cleared during the WannaCry witch hunt, Chinese entities have re-emerged as potential suspects following analysis from risk intelligence firm Flashpoint.
Initial assessment seemed to suggest that China was not behind the attack, despite the country usually being one of the first accused, after the Chinese government's petrol corporation reportedly saw 20,000 of its stations hit by the ransomware.
Reports also claimed that around half of the IP addresses hit were registered in China.
Flashpoint has, however, come up with a new theory after analysing the ransom notes that appeared on infected machines.
Linguistic analysis of the notes, it claims, proves that all of them were translated from one language into other languages using Google Translate - except the English version and two Chinese versions.
These versions, it claims, were written by the hackers, but a "glaring grammatical error" proves that the perpetrator was most likely a non-native English speaker.
From this evidence, Flashpoint draws the conclusion that the hacker is a fluent Chinese speaker who translated the ransom note from Chinese to other languages, using the internet.
Flashpoint said on its website: "Flashpoint assesses with high confidence that the author(s) of WannaCry's ransomware notes are fluent in Chinese, as the language used is consistent with that of Southern China, Hong Kong, Taiwan, or Singapore.
"Flashpoint also assesses with high confidence that the author(s) are familiar with the English language, though not native. This alone is not enough to determine the nationality of the author(s).
"Flashpoint assesses with moderate confidence that the Chinese ransom note served as the original source for the English version, which then generated machine-translated versions of the other notes.
"The Chinese version contains content not in any of the others, though no other notes contain content not in the Chinese. The relative familiarity found in the Chinese text compared to the others suggests the authors were fluent in the language - perhaps comfortable enough to use the language to write the initial note."
The increasing focus on China differs from initial theories from the likes of Symantec and Kaspersky, which in the aftermath of the attack claimed North Korea was most likely to be behind the attack.
Symantec claimed that tools and infrastructure used in WannaCry share similarities with the hacking group Lazarus, which is widely considered to be linked to North Korea, and was credited with the Sony hack in 2014.