It's thought that the group might also have been behind the 2014 Sony Pictures hack, which supposedly was carried out in response to a comedy film about North Korea, although Pyongyang has never admitted any involvement.
Speculation that Lazarus might be in involved with the recent Wannacry outbreak started when Google researcher Neel Mehta posted a mysterious string of characters in a tweet alongside the hashtag #WannaCryptAttribution'.
The string is two samples of code which share similarities: one is from a WannaCry encryptor example from February this year, and the other is a Lazarus APT group sample from February 2015.
Cybersecurity researchers at Kaspersky have posted an image of the code comparison in a blog post and suggest that the two pieces of code share a common author.
"We strongly believe the February 2017 sample was compiled by the same people, or by people with access to the same sourcecode as the May 2017 Wannacry encryptor used in the May 11th wave of attacks," said Kaspersky researchers, adding how Mehta's discovery "is the most significant clue to date regarding the origins of Wannacry".
Researchers at Symantec have also noted similarities in the shared code between known Lazarus tools and the WannaCry ransomware, noting the SSL implementation uses a specific sequence of 75 ciphers which to date have only been seen in Lazarus and WannaCry malicious software.
While these links don't definitively prove anything, Symantec researchers said: "We believe that there are sufficient connections to warrant further investigation."
Kaspersky researchers added that "in theory anything is possible". For example, the code might have somehow been stolen or copied from the Lazarus group. Nonetheless, they say the idea of this being a false flag -- that is, an attempt to trick investigators -- is "although possible, improbable".
When machines become infected by Wannacry ransomware, their users are issued with a ransom of $300 in Bitcoin for unencrypting their files. That doubles to $600 if the demand isn't met within three days, and if a week goes by without payment, the victims are threatened with permanent deletion of their files.