Many in Seoul suspect hackers loyal to Pyongyang were responsible for Wednesday's attack, but South Korean officials have yet to assign blame and say they have no proof yet of North Korea's involvement. Pyongyang hasn't yet mentioned the shutdown.
The investigation could take weeks, but an initial finding linked a Chinese Internet Protocol address to one of the banks affected.
South Korea has set up a team of computer security experts from the government, military and private sector to identify the hackers and is preparing to deal with more possible attacks, presidential spokesman Yoon Chang-jung told reporters Friday. He didn't elaborate on the possibility of more attacks, but said the prime minister would later hold a meeting to discuss ways to beef up cybersecurity at institutions overseeing infrastructure such as roads and electricity.
Determining who's behind a digital attack is often difficult. But North Korea is a leading suspect for several reasons. It has unleashed a torrent of threats against Seoul and Washington since punishing U.N. sanctions were imposed for Pyongyang's Feb. 12 nuclear test. It calls ongoing routine U.S.-South Korean military drills a threat to its existence. Pyongyang also threatened revenge after blaming Seoul and Washington for a separate Internet shutdown that disrupted its own network last week. Seoul alleges six cyberattacks by North Korea on South Korean targets since 2009.
If the attack was in fact carried out by North Korea, it may be a warning to Seoul that Pyongyang is capable of breaching its computer networks with relative ease.
The cyberattack did not affect South Korea's government, military or infrastructure, and there were no initial reports that customers' bank records were compromised. But it disabled cash machines and disrupted commerce in this tech-savvy, Internet-dependent country, renewing questions about South Korea's Internet security and vulnerability to hackers.
The attack disabled some 32,000 computers at broadcasters YTN, MBC and KBS, as well as three banks. The broadcasters said their programming was never affected.
All three of the banks that were hit were back online and operating regularly Friday. It could be next week before the media companies have fully recovered.
A malicious code that spread through the server of one target, Nonghyup Bank, was traced to an IP address in China, the state-run Korea Communications Commission said in an announcement of initial findings. Regulators said all six attacks appeared to come from "a single organization." The investigation is continuing into the shutdown at the five other firms.
An IP address can be an important clue as to the location of an Internet-connected computer but can easily be manipulated by hackers operating anywhere in the world.
The Chinese IP address identified by the South Korean communications regulator belongs to an Internet services company, Beijing Teletron Telecom Engineering Co., according to the website tracking and verification service Whois. A woman who answered the telephone number listed on Beijing Teletron's website denied the company was involved in the cyberattack. She refused to identify herself or provide further information.
Wednesday's cyberattack does not fit the mould of previous attacks blamed on China. Chinese hacking, either from Beijing's cyber-warfare command or freelance hackers, tends to be aimed at collecting intelligence and intellectual property, not at disrupting commerce.
China is home to a sizable North Korean community, both North Koreans working in the neighbouring nation and Chinese citizens of ethnic ancestry who consider North Korea their motherland.