The IP address linked to this week’s cyber attack that shut down thousands of computers at several major broadcasters and banks in South Korea is not Chinese as originally thought, investigators have admitted.
The Communications Commission said the IP address linked to the attack actually belonged to a computer at one of the South Korean companies that were hit, according to Australian reports.
Officials said the IP address was used only for the company's internal network and was identical to a public Chinese address.
Investigators added, however, that analysis of the malware indicates the attack is likely to have originated outside South Korea, but they stopped short of naming any country.
Initially suspicion fell on neighbouring North Korea as tension continues to be high between the two countries after North Korea’s latest nuclear test and the subsequent UN sanctions.
Cyber security experts have said the investigation will take weeks, but it is uncertain whether the source of the attack will be identified with any certainty as attribution on the internet is extremely difficult.
For this reason, information security professionals have cautioned against anyone taking action in retaliation to cyber attacks based on IP addresses.
“Government agencies and organised crime have the resources to operate hacking activities in many different countries,” said Marcus Ranum, chief security officer at Tenable Network Security.
Any organisation with a worldwide presence that is compromised can be used to launch attacks from a given country, he said.
“Organisations need to be vigilant to search for indicators of compromise on their networks, but they should not make any type of strategy decision based on where the immediate attacks are coming from based on 'geo IP' lookups,” said Ranum.
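The two cautions in the article, that an address seen in an attack turned out to be an internal host using the same number as a public Chinese address, and that geo-IP lookups should never drive strategy decisions, are easy to build into a triage step. The following is an added example and not code from the original article or from Tenable; the address ranges, the geo-IP table and the firewall-style log lines are all constructed (the 203.0.113.0/24 and 198.51.100.0/24 documentation ranges stand in for public address space, and their country mappings are invented). It extracts source addresses from log lines and, before reporting a country, checks whether the address is RFC 1918 space or falls in a range the organisation itself uses internally, flagging any geo-IP result for such an address as a collision rather than a source.

```python
import ipaddress
import re

# RFC 1918 private space, checked explicitly rather than via ip.is_private so that
# the reserved documentation ranges used below as stand-in public space are not
# treated as private by the library.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed internal address plan for a hypothetical organisation. The second
# range is public address space reused on the internal network, the kind of
# misconfiguration the article describes: it collides with a block that a
# geo-IP database attributes to another country.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Constructed stand-in for a geo-IP database (prefix -> country code); the
# mappings are invented for the example.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "CN",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}


def geo_lookup(ip, geo_table=GEO_TABLE):
    """Return the country the geo-IP table maps the address to, or None."""
    for net, country in geo_table.items():
        if ip in net:
            return country
    return None


def assess_source(ip_str, internal_ranges=INTERNAL_RANGES, geo_table=GEO_TABLE):
    """Classify a source address before anyone reads meaning into its geo-IP country."""
    ip = ipaddress.ip_address(ip_str)
    country = geo_lookup(ip, geo_table)
    if any(ip in net for net in RFC1918) or ip.is_loopback or ip.is_link_local:
        return {"ip": ip_str, "verdict": "internal", "country": country,
                "reason": "private, loopback or link-local address; never routed from outside"}
    for net in internal_ranges:
        if ip in net:
            return {"ip": ip_str, "verdict": "internal", "country": country,
                    "reason": f"falls in internally used range {net}; geo-IP country "
                              f"{country} is an address collision, not a source"}
    return {"ip": ip_str, "verdict": "external", "country": country,
            "reason": "geo-IP country is a hint only; a compromised host anywhere can relay an attack"}


# Matches the src= field of the constructed firewall-style log format below.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def triage_log_lines(lines, **kwargs):
    """Extract source IPs from firewall-style log lines and assess each one."""
    results = []
    for line in lines:
        m = SRC_RE.search(line)
        if m:
            results.append(assess_source(m.group(1), **kwargs))
    return results


# Constructed sample log lines; the fourth carries no source address and is skipped.
SAMPLE_LOG = [
    "2013-03-20T14:02:11 DENY src=203.0.113.7 dst=10.1.2.3 proto=tcp dport=445",
    "2013-03-20T14:02:15 DENY src=198.51.100.9 dst=10.1.2.3 proto=tcp dport=22",
    "2013-03-20T14:02:20 ALLOW src=10.5.5.5 dst=10.1.2.3 proto=tcp dport=80",
    "2013-03-20T14:02:21 heartbeat ok",
]

if __name__ == "__main__":
    for r in triage_log_lines(SAMPLE_LOG):
        print(f"{r['ip']:<16} {r['verdict']:<9} geo={r['country']}  {r['reason']}")
```

The first log line reproduces the article's situation: the geo-IP table says "CN", but because the address sits in a range the organisation uses internally the verdict is "internal" and the country is reported as a collision. The internal-range list is the piece most organisations lack; it has to be maintained from the real address plan, including any public space that was reused internally, or the check silently degrades to a plain geo-IP lookup.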
The attack on South Korea comes just over a week since North Korea accused South Korea and its US ally of "intensive and persistent" hacking attacks on its internet servers.
Security experts have said the choice of targets is telling of the trend that the chief candidates for attack are increasingly likely to be global financial markets and critical infrastructure systems.
Cyber attacks on critical national infrastructure are a top concern in the US, where President Barack Obama has signed a cyber security executive order requiring federal agencies to share cyber threat information with private companies.