The Korea Herald


‘Chinese IP used in cyber attack’

Seoul officials believe North Korea is behind massive online assault

By Korea Herald

Published : March 21, 2013 - 19:57


The unprecedented cyber attack that crashed the computer networks of major South Korean broadcasters and banks Wednesday used malicious codes from China, Seoul’s investigators said on Thursday, raising suspicions that North Korea may be behind the attack.

The Korea Communications Commission said the malware codes from an Internet protocol address in China were found to be the cause of the cyber attack on KBS, MBC and YTN, and the three banks including Shinhan.

A total of 31 servers and 32,000 PCs were hacked, and all six institutions were seemingly hacked by the same organization, said Park Jae-moon, director-general of the network policy division at the KCC.

“We don’t have exact proof but the malicious codes have harmed the hard disks of the affected PCs at all institutions, and the same information contained within the malicious codes are on all of them,” he said during a press briefing in Seoul.

Inca Internet, a PC security firm which is participating in the government-civilian-military joint cyber threat response team, also said that the message “Hacked by Whois Team” was discovered in all malicious files collected from the agencies involved in the attack.

[Photo: The Cyber Terror Response Center at the Korean National Police Agency (Yonhap News)]

With the government confirming that the activity came from China, a high-ranking government official said North Korea was highly suspected to be behind the cyber attack.

The suspicion is rooted in the history of the North using Internet protocol addresses based in China for past hackings and the communist country warning of a possible cyber attack last week.

Many experts on North Korea speculate that it is training cyber terrorists operating in China.

“We have suspicions that the move may have been by the North and we’re tracking and analyzing the details which are open to all possibilities,” said a high-ranking Cheong Wa Dae official, without going into details.

Cheong Wa Dae is also considering convening a strategic meeting on national cyber security involving the related government branches as well as the private sector, said another Cheong Wa Dae official.

According to data compiled by the National Intelligence Service, Pyongyang has carried out six such cyber terrorist acts against Seoul over the past five years, including a distributed denial of service (DDoS) attack against South Korean government Internet sites on July 7, 2009; a similar DDoS incident in March 2011 targeting state institutions like the presidential office, the National Assembly and media outlets; and an attack against a conservative newspaper last June.

On Wednesday, the websites and computer networks of broadcasters KBS, MBC and YTN, along with Nonghyup, Shinhan and Jeju banks were simultaneously shut down at 2 p.m.

While the systems of the six institutions were paralyzed, their intranets were hacked and files of those who were connected to the companies’ servers were deleted from their hard disks.

The KCC said that it would take up to five days to completely normalize the servers and systems at the institutions.

“We’re taking all possibilities into consideration and we’ll put our utmost efforts into identifying the hacker,” said Park.

To minimize the impacts of the attack, the Korea Internet and Security Agency is offering a free malware vaccine that can be downloaded from its website (www.boho.or.kr).

People can also change the system time and date of their CMOS program by pressing the “F2” or “Delete” key immediately after booting up the PC as a preventive measure against malicious code, said KCC officials.

Software that monitors the computer in real time for malicious files is available for download on the Inca website (www.nprotect.com).

There were no further attacks, and bank operations have been normalizing, although some devices, including ATMs, were still not functioning properly as of Thursday.

Operations at broadcasters KBS, MBC and YTN were also seeing improvements, but they were still not using their company email servers for news reporting.

“The main server is currently shut down while being restored, so some functions, like the company’s news production system, email and news search, have been brought to a halt,” said an MBC official based in Jeonju, North Jeolla Province.

By Cho Ji-hyun (sharon@heraldcorp.com)