An ominous question is what other businesses, in South Korea or elsewhere, may also be in the sights of the attacker, said Barnett, who heads the cybersecurity practice at Washington law firm Venable.
“This needs to be a wake-up call,” he said. “This can happen anywhere.”
An official at the Korea Communications Commission said investigators speculate that malicious code was spread from company servers that send automatic updates of security software and virus patches.
LG Uplus Corp., which provides network services for the companies that suffered outages, saw no signs of a cyberattack on its networks, company spokesman Lee Jung-hwan said.
The South Korean military raised its cyberattack readiness level but saw no signs of cyberattacks on its networks, the Defense Ministry said.
No government computers were affected, officials said. President Park Geun-hye called for quick efforts to get systems back online, according to her spokeswoman, Kim Haing.
The shutdown raised worries about the overall vulnerability to attacks in South Korea, a world leader in broadband and mobile Internet access. Previous hacking attacks at private companies compromised millions of people’s personal data. Past malware attacks also disabled access to government agency websites and destroyed files in personal computers.
Seoul believes North Korea runs an Internet warfare unit aimed at hacking U.S. and South Korean government and military networks to gather information and disrupt service.
Seoul blames North Korean hackers for several cyberattacks in recent years. Pyongyang has either denied or ignored those charges. Hackers operating from IP addresses in China have also been blamed.
In 2011, computer security software maker McAfee Inc. said North Korea or its sympathizers likely were responsible for a cyberattack against South Korean government and banking websites earlier that year. The analysis also said North Korea appeared to be linked to a 2009 massive computer-based attack that brought down U.S. government Internet sites. Pyongyang denied involvement.
“North Korea has almost certainly done similar attacks before,” said Tim Junio, a cybersecurity fellow at Stanford University’s Center for International Security and Cooperation. “Part of why this wasn’t more consequential is probably because South Korea took the first major incident seriously and deployed a bunch of organizational and technical innovations to reduce response time during future North Korea attacks.”
South Korea has created a National Cybersecurity Center, a national monitoring sector and a Cyber Command modeled after the U.S. Cyber Command. Junio said South Korea’s major antivirus firms also play a large role in stopping hacking attacks.
“These companies have security monitoring centers getting fed info from all over Korea to help detect incidents quickly and push technical solutions,” he said. “They also have formal relationships with the government and sectors within their companies dedicated to national security work, including North Korean malware.”
The shutdown comes amid rising rhetoric and threats of attack from Pyongyang over the U.N. sanctions. Washington also expanded sanctions against North Korea this month in a bid to cripple the government’s ability to develop its nuclear program.