South Korea: Chinese address source of attack

A Chinese Internet address was the source of a cyberattack on one company hit in a massive network shutdown that affected 32,000 computers at six banks and media companies in South Korea, initial findings indicated Thursday.

It's too early to assign blame — Internet addresses can easily be manipulated and the investigation could take weeks — but suspicion for Wednesday's shutdown quickly fell on North Korea, which has threatened Seoul and Washington with attack in recent days because of anger over U.N. sanctions imposed for its Feb. 12 nuclear test.

South Korean regulators said they believe the attacks came from a "single organization," but they've still not finished investigating what happened at the other companies.

Experts say hackers often attack via computers in other countries to hide their identities. South Korea has previously accused North Korean hackers of using Chinese addresses to infect their networks.

"We do know that North Korea does route attacks through Chinese servers because that's the only way they can communicate with South Korea," Timothy Junio, a cybersecurity fellow at Stanford University's Center for International Security and Cooperation, said. "It's not surprising there's a Chinese IP address involved."

Seoul believes North Korea runs an Internet warfare unit aimed at hacking U.S. and South Korean government and military networks to gather information and disrupt service.

The attack Wednesday caused computer networks at major banks and top TV broadcasters to crash simultaneously. It paralyzed bank machines across the country and raised fears that this heavily Internet-dependent society was vulnerable. On Thursday, only one of the attacked banks, Shinhan, was fully online, officials said.

A Chinese address created the malicious code in the server of Nonghyup bank, according to an initial analysis by the state-run Korea Communications Commission, South Korea's telecom regulator.

KCC spokesman Cho Kyeong-sik said investigators are analyzing the log-in records and the malicious code collected from the infected servers and computers. It could take at least four to five days for the infected computers to recover fully, he said. Experts say the entire investigation could take weeks.

South Korean regulators have also distributed vaccine software to government offices, banks, hospitals and other institutions to prevent more outages.

In an indication of the high tension on the Korean Peninsula, South Korean media reported that North Korea sounded air-raid warnings in radio broadcasts Thursday morning as part of military drills.

The network paralysis took place just days after North Korea accused South Korea and the U.S. of staging a cyberattack that shut down its websites for two days last week. Loxley Pacific, the Thailand-based Internet service provider, confirmed the North Korean outage but did not say what caused it. South Korea denied the allegation.

The attack may have also extended to the United States. Greg Scarlatoiu, executive director of the U.S.-based Committee for Human Rights in North Korea, said he discovered early Wednesday that their website had been hacked. They have yet to establish who was behind it but strongly suspect it came from North Korea.

Several of the committee's publications, including lengthy reports with satellite imagery of North Korean prison camps, had been removed, along with biographies of their staff and board, and their policy recommendations to the Obama administration.

The South Korean shutdown did not affect government agencies or sensitive targets such as power plants or transportation systems, and there were no immediate reports that bank customers' records were compromised, but the disruption froze part of the country's commerce.

Some customers were unable to use the debit or credit cards that many rely on more than cash. At one Starbucks in downtown Seoul, customers were asked to pay for their coffee in cash, and lines formed outside disabled bank machines.

Broadcasters KBS and MBC still didn't have full computer use on Thursday, but the shutdown did not affect TV broadcasts.

The YTN cable news channel also said the company's internal computer network was paralyzed. Footage showed workers staring at blank computer screens.

KBS employees said they watched helplessly as files stored on their computers began disappearing.

Last year, North Korea threatened to attack several news companies, including KBC and MBC, over their reports critical of children's festivals in the North.

"If it plays out that this was a state-sponsored attack, that's pretty bald faced and definitely an escalation in the tensions between the two countries," said James Barnett, former chief of public safety and homeland security for the U.S. Federal Communications Commission.

An ominous question is what other businesses, in South Korea or elsewhere, may also be in the sights of the attacker, said Barnett, who heads the cybersecurity practice at Washington law firm Venable.

"This needs to be a wake-up call," he said. "This can happen anywhere."

An official at the South's Korea Communications Commission said investigators speculate that malicious code was spread from company servers that send automatic updates of security software and virus patches.

The shutdown raised worries about the overall vulnerability to attacks in South Korea, a world leader in broadband and mobile Internet access. Previous hacking attacks at private companies compromised millions of people's personal data. Past malware attacks also disabled access to government agency websites and destroyed files in personal computers.

Seoul blames North Korean hackers for several cyberattacks in recent years. Pyongyang has either denied or ignored those charges. Hackers operating from IP addresses in China have also been blamed.

In 2011, computer security software maker McAfee Inc. said North Korea or its sympathizers likely were responsible for a cyberattack against South Korean government and banking websites earlier that year. The analysis also said North Korea appeared to be linked to a massive computer-based attack in 2009 that brought down U.S. government Internet sites. Pyongyang denied involvement.

"North Korea has almost certainly done similar attacks before," Junio said. "Part of why this wasn't more consequential is probably because South Korea took the first major incident seriously and deployed a bunch of organizational and technical innovations to reduce response time during future North Korea attacks."

South Korea has created a National Cybersecurity Center, a national monitoring sector and a Cyber Command modeled after the U.S. Cyber Command. Junio said South Korea's major antivirus firms also play a large role in stopping hacking attacks.

The shutdown comes amid rising rhetoric and threats of attack from Pyongyang over U.N. sanctions imposed for its December long-range rocket launch and February nuclear test. Washington also expanded sanctions against North Korea this month in a bid to cripple the government's ability to develop its nuclear program.

North Korea has threatened revenge for the sanctions and for ongoing U.S.-South Korean military drills, which the allies describe as routine but which Pyongyang says are rehearsals for invasion.

Last week, North Korea's Committee for the Peaceful Reunification of Korea warned South Korea's "reptile media" that the North was prepared to conduct a "sophisticated strike" on Seoul.

Lim Jong-in, dean of Korea University's Graduate School of Information Security, said North Korea was probably responsible for Wednesday's attack.

"Hackers attack media companies usually because of a political desire to cause confusion in society," he said. "Political attacks on South Korea come from North Koreans."
