Thirty-five Russian diplomats have been expelled from the United States as punishment for alleged interference in this year’s presidential election.
The US will also close two Russian compounds used for intelligence-gathering, in Maryland and New York, as part of a raft of retaliatory measures.
President Barack Obama had vowed action against Russia amid accusations it directed hacks against the DNC and Hillary Clinton’s campaign.
Russia has denied any involvement.
The 35 Russian diplomats from the Washington DC embassy and the consulate in San Francisco have been declared “persona non grata” by the state department, giving them and their families 72 hours to leave the US.
The Russian government is expected to respond in turn by expelling US diplomats.
The state department move follows calls from senior senators to sanction Russian officials who are believed to have played a role in the hacking, which some lawmakers referred to as America’s “political Pearl Harbor”.
President-elect Donald Trump has dismissed the claims as “ridiculous” and said Americans should “get on with our lives” when asked about the possibility of sanctions before the announcement on December 28.
Sanctions have also been announced against nine entities and individuals including the GRU and FSB Russian intelligence agencies.
The US Department of Treasury said that the move targeted those responsible for “undermining election processes or institutions”.
Konstantin Kosachyov, chairman of the international affairs committee in the upper house of the Russian parliament, told the RIA news agency the expulsion represented “the death throes of political corpses”.
In a statement President Barack Obama said “all Americans should be alarmed by Russia’s actions”.
The outgoing president called the moves a “necessary and appropriate response to efforts to harm US interests”, adding it would not be “the sum total of our response to Russia’s aggressive activities”.
Barack Obama also announced the US would declassify technical information related to Russian cyber activity to “help network defenders in the United States and abroad identify, detect, and disrupt Russia’s global campaign of malicious cyber activities”.
House Speaker Paul Ryan, the top Republican in Congress, said in a statement that despite the measures being overdue “it is an appropriate way to end eight years of failed policy with Russia”.
Paul Ryan added that “it serves as a prime example of this administration’s ineffective foreign policy that has left America weaker in the eyes of the world”.
Maryland Democrat Senator Ben Cardin applauded sanctions against Russia but called them insufficient.
Ben Cardin called for Congress to take action separately from the White House, and plans to introduce legislation to establish a committee “to further examine the attack and Russia’s efforts to interfere in our election”.
In a joint statement by the Department of Homeland Security, the Office of the Director of National Security, and the FBI, officials appeal to companies to “look back within their network traffic” and report any signs of “malicious cyber activity” to law enforcement.
The Russian hacking, which the intelligence agencies describe as a “decade-long campaign”, included methods such as “spearphishing campaigns targeting government organizations, critical infrastructure, think tanks, universities, political organizations, and corporations; theft of information from these organizations; and the recent public release of some of this stolen information”.
Emails stolen from John Podesta and from the servers of the DNC were released during the 2016 presidential election by WikiLeaks.
Several US agencies, including the FBI and CIA, have concluded that the hacked information was released to cause damage to Hillary Clinton and the Democrats in order to favor Donald Trump.
The Secret Service is looking into a “cyber breach” after what appeared to be a scan of First Lady Michelle Obama’s passport was published online.
The hacking group DC Leaks posted on its Twitter account this morning what appears to be a scanned copy of Michelle Obama’s passport, along with several White House staffers’ private communications.
The scan appeared to have been taken from a Gmail account belonging to a White House employee, a spokesman said.
Other confidential information was published online, including travel details, names, social security numbers and birth dates of members of staff.
The White House said it had not yet verified the documents.
DCLeaks.com, the hacker group which last week published personal emails from an account belonging to former Secretary of State Colin Powell, claimed responsibility for the hack.
US Attorney General Loretta Lynch said the incident was “something that we are looking into”. White House press secretary Josh Earnest said the breach “should be a wake-up call for all of us”.
Josh Earnest said that the employee targeted by the hackers was a contract worker and not a permanent member of staff.
He said: “At this point I cannot announce any sort of conclusion that’s been reached about the individual or individuals that may have been responsible for the cyber breach that resulted in this information being leaked.”
The Secret Service, which is responsible for protecting the President and First Lady, said it was “concerned” about the apparent hacking.
“The Secret Service is concerned any time unauthorized information that might pertain to one of the individuals we protect, or our operations, is allegedly disclosed,” said communications director Cathy Milhoan.
Sony Pictures Entertainment has agreed to pay up to $8 million over employees’ personal data lost in the 2014 hacking scandal surrounding the release of The Interview movie.
Hackers had broken into Sony computers and released thousands of items of personal information in an attempt to derail the release of the North Korea-themed comedy.
Sony employees argued they suffered economic harm from the stolen data.
US investigators have blamed North Korean hackers for the attack.
The cyber attack wiped out massive amounts of data and led to the online distribution of emails, personal and sensitive employee data as well as pirated copies of new movies.
The lawsuit against the company was filed by former employees claiming Sony’s negligence caused them economic harm by forcing them to step up credit monitoring to address their increased risk of identity theft. They described the data breach as an “epic nightmare.”
The Interview depicted the fictional assassination of North Korean leader Kim Jong-un.
The cyber-attack drew widespread international attention and Sony subsequently stopped the movie’s general release.
An unknown group calling itself #GOP – later identified as Guardians of Peace – claimed it was behind the attack, prompting the FBI to launch an investigation.
North Korea dismissed any suggestion it may have had a hand in the attack as a form of retaliation for Sony’s release of The Interview. A North Korean foreign ministry spokesman had earlier called the movie an “act of terrorism”, promising “merciless” retaliation if it was released.
The Interview eventually received a much smaller release and was offered through legal digital downloads.
The settlement with a US District Court in Los Angeles still needs to be approved by a judge but it sees Sony paying up to $8 million to reimburse current and former employees for losses, preventative measures and legal fees related to the hack of its computers in 2014.
Under the agreement, Sony Entertainment will pay up to $10,000 a person, capped at $2.5 million, to reimburse employees for identity theft losses, up to $1,000 each to cover the cost of credit-fraud protection services, capped at $2 million, and up to $3.5 million to cover legal fees.
Sony Entertainment CEO Michael Lynton called the agreement “an important, positive step forward in putting the cyber-attack firmly behind us”.
The court had dismissed Sony’s initial attempt to stop the court case, confirming that the employees could pursue their claims that the company was negligent and violated a California confidentiality law.
The CIA has decided to withdraw its staff from the US embassy in China after data stolen from government computers could expose its agents, the Washington Post reports.
In April, data about some 21 million federal employees was stolen in a massive attack on the US Office of Personnel Management (OPM).
Security companies have blamed Chinese state hackers for the attack.
Removing the CIA staff was “precautionary”, agency officials told the Washington Post.
The CIA declined to comment directly on the matter.
Information about CIA staff was not in the massive cache of files stolen from OPM computers, but other records about background checks carried out by the State Department on employees were copied in the raid.
The CIA fears that comparing the list of those who have been checked with the roster of known embassy personnel could help the Chinese expose its intelligence workers.
Those working at the embassy but not checked by the State Department were CIA agents, said the newspaper, citing “unnamed officials”.
The danger that trawling through the data would expose intelligence agents was also raised by CIA Director James Clapper during a hearing before the Senate Armed Services Committee.
James Clapper said the breach had “potentially very serious implications” for the intelligence community by identifying its agents in other countries.
“This is a gift that’s going to keep on giving for years,” he told the Senate committee looking into the cyber-threats facing the US and the steps the nation took to combat them.
James Clapper added the US itself engaged in the types of cyber-attacks China had been accused of.
According to a new report, up to 100 banks and financial institutions worldwide have been attacked in an “unprecedented cyber robbery”.
Computer security company Kaspersky Lab estimates $1 billion has been stolen in the attacks, which it says started in 2013 and are still active.
A cybercriminal gang with members from Russia, Ukraine and China is responsible, it said.
Kaspersky said it worked with Interpol and Europol on the investigation.
It said the attacks had hit financial institutions in 30 countries, including Russia, the US, Germany, China, Ukraine and Canada.
“These attacks again underline the fact that criminals will exploit any vulnerability in any system,” said Sanjay Virmani, director of Interpol’s digital crime centre.
Kaspersky said the gang’s methods marked a new stage in cyber robbery where “malicious users steal money directly from banks and avoid targeting end users”.
The gang, which Kaspersky dubbed Carbanak, used computer viruses to infect company networks with malware including video surveillance, enabling it to see and record everything that happened on staff’s screens.
In some cases it was then able to transfer money from the banks’ accounts to their own, or even able to tell cash machines to dispense cash at a pre-determined time of day.
Kaspersky said on average each bank robbery took between two and four months, with up to $10 million stolen each time.
“It was a very slick and professional cyber robbery,” said Kaspersky Lab’s principal security researcher, Sergey Golovanov.
The Financial Services Information Sharing and Analysis Center, a body that alerts banks about hacking activity, said that its members had received a briefing about Kaspersky’s report in January.
“We cannot comment on individual actions our members have taken, but on balance we believe our members are taking appropriate actions to prevent and detect these kinds of attacks and minimize any effects on their customers,” it said in a statement.
The US Central Command’s Twitter and YouTube accounts have been suspended after being hacked by a group claiming to back Islamic State.
One message on Centcom’s Twitter feed said: “American soldiers, we are coming, watch your back.”
It was signed by ISIS, another name for the Islamic State. Some internal military documents also appeared on the Centcom Twitter feed.
Centcom said it viewed the breach as “cyber-vandalism” and not serious.
In a statement, the military command said there was no operational impact and no classified information was posted.
“We are viewing this purely as a case of cyber-vandalism,” it said.
The hack happened as President Barack Obama was giving a speech on cyber-security.
Reflecting on major breaches like a recent hack of Sony Pictures, President Barack Obama said in his speech the US had been reminded of “enormous vulnerabilities for us as a nation and for our economy”.
Barack Obama’s spokesman Josh Earnest said the US is looking into the Centcom hacking.
He said they were investigating the extent of the incident, and that there was a significant difference between a large data breach and the hacking of a Twitter account.
An unnamed Pentagon official told Reuters the hacking was an embarrassment but did not appear to be a security threat.
In a fiery statement, North Korea has threatened unspecified attacks on the US in an escalation of a war of words following the Sony Pictures Entertainment cyber-attacks.
North Korea warned of strikes against the White House, Pentagon and “the whole US mainland”.
The communist country denies US claims it is behind cyber-attacks linked to The Interview movie that features the fictional killing of its leader Kim Jong-un.
North Korea has a long history of issuing threats against the US.
The latest statement comes days after the US formally accused North Korea of orchestrating a massive cyber attack on Sony Pictures.
“The army and people of the DPRK [North Korea] are fully ready to stand in confrontation with the US in all war spaces including cyber warfare space,” a long statement carried by the official Korean Central News Agency said.
“Our toughest counteraction will be boldly taken against the White House, the Pentagon and the whole US mainland, the cesspool of terrorism, by far surpassing the ‘symmetric counteraction’ declared by Obama.”
It also accuses President Barack Obama of “recklessly making the rumor” that North Korea was behind the Sony attack.
The statement also said it “estimates highly the righteous action” taken by the hackers of Sony, although it is “not aware of where they are”.
The hack resulted in unreleased films and the script for the next James Bond film being leaked online.
Details of Sony finances and private emails between producers and Hollywood figures were also released.
The eventual fallout from the attack saw Sony cancel the Christmas release of The Interview, a comedy depicting the assassination of North Korean leader Kim Jong-un.
That decision followed threats made by a group that hacked into Sony’s servers and leaked sensitive information and emails.
North Korea has denied being behind the attacks, and offered to hold a joint inquiry with the US.
The US turned down the offer, and President Barack Obama said it was considering putting North Korea back on its list of terrorism sponsors, a move that further angered Pyongyang.
North Korea had been on the US list of state sponsors of terrorism for two decades until the White House removed it in 2008, as part of now-stalled negotiations relating to Pyongyang’s nuclear program.
In an interview with CNN on December 21, Barack Obama promised to respond “proportionately” to the cyber-attack.
“I’ll wait to review what the findings are,” he said, adding that he did not think the attack “was an act of war”.
The US has reportedly also asked China to curb cyber-attacks by North Korea.
China is North Korea’s close ally and is seen as the nation with the most influence over Pyongyang.
Chinese Foreign Minister Wang Yi held a telephone conversation with his US counterpart John Kerry on December 21 in which they discussed the Sony row.
Wang Yi said China was “against all forms of cyber-attacks and cyber-terrorism” but did not refer directly to North Korea.
In a statement posted on China’s foreign ministry’s website on December 22, Wang Yi said that China “opposes any country or person using infrastructure from another country to launch a cyber attack on a third-party country”.
At a later news conference, a foreign ministry spokesman said China wanted to “engage in constructive co-operation with the international community in cyber security on the basis of mutual respect and mutual trust”.
Asked to respond to claims that North Korea was using Chinese facilities for cyber-attacks, the spokesman added: “I think to arrive at any conclusion, sufficient facts and evidence are needed. China will handle the case on the basis of facts, international laws and Chinese laws.”
Correspondents say the issue of hacking is a sensitive one in China-US relations, with the two sides frequently trading accusations of cyber-espionage.
PlayStation network has been shut down after cyber-attackers overloaded it in what’s known as a distributed denial of service attack.
Sony said in a blog post that no personal information had been accessed.
On August 24, an American Airlines flight carrying a senior Sony executive was also diverted following a bomb scare.
The group claiming responsibility for closing down the network also tweeted suggesting there was a security threat to the flight.
Sony also said that “the PlayStation Network and Sony Entertainment Network have been impacted by an attempt to overwhelm our network with artificially high traffic”.
“We will continue to work towards fixing this issue and hope to have our services up and running as soon as possible,” the blog said.
Sony has said the FBI is investigating the security scare over the flight carrying Sony Online Entertainment President John Smedley, which should have landed in San Diego but was diverted to Phoenix, Arizona.
John Smedley tweeted: “Yes. My plane was diverted. Not going to discuss more than that. Justice will find these guys.”
Sony’s 52 million strong PlayStation network has been hit by hacking attacks before, including a security breach in 2011.
Sony had already scheduled routine maintenance work to be done on its PlayStation network on August 25.
Some services including PlayStation Store, PSN account management and registration, entertainment services and online gameplay will be unavailable.
eBay is urging users to change their passwords following a cyber-attack that compromised one of its databases.
The auction site said the database was hacked between late February and early March, and had contained encrypted passwords and other non-financial data.
eBay added that it had no evidence of there being unauthorized activity on its members’ accounts.
However, it said that changing the passwords was “best practice and will help enhance security for eBay users”.
The company has 128 million active users and accounted for $212 billion worth of commerce on its various marketplaces and other services in 2013.
A post on eBay’s corporate site said that cyber-attackers accessed the information after obtaining “a small number of employee log-in credentials”, allowing them to access its systems – something it only became aware of a fortnight ago.
“The database… included eBay customers’ name, encrypted password, email address, physical address, phone number and date of birth,” it said.
“However, the database did not contain financial information or other confidential personal information.
“Extensive forensics subsequently identified the compromised eBay database, resulting in the company’s announcement today.”
Although eBay also owns the PayPal money transfer service, it said that the division’s data was stored separately, encrypted and that there was no evidence that it had been accessed.
It added that any members who used the same login details used on eBay for other sites should also update them.
eBay has not provided any information about the kind of encryption it used.
One expert said there was still a concern that the hackers might be able to make use of their haul.
South Korea has issued a cyber alert after a hacking attack on government websites.
The website of the presidential office was one of several official and media sites hit by an apparently co-ordinated attack on Tuesday morning, reports said.
The identity of the hackers was not known, a government statement said.
The incident came on the anniversary of the start of the 1950-53 Korean War, which divided the Korean peninsula.
“The government can confirm a cyber attack by unidentified hackers that shut down several sites including the Blue House,” the Science Ministry said in a statement, referring to the presidential office.
The website for the office for Government Policy Co-ordination and some media servers were also said to be affected by the attack.
Messages praising North Korean leader Kim Jong-un and claiming that hacking collective Anonymous was responsible were left on the hacked websites.
However, Anonymous denied any involvement in the South Korean cyber-attacks on its official Twitter account, AFP news agency reported.
Instead, the “hacktivist” group was said to have planned attacks against North Korean websites.
A number of North Korean websites went offline on Tuesday morning and appeared to have been targeted by hackers on Tuesday, South Korea’s Yonhap news agency reported, citing unnamed sources.
These included the websites of North Korea’s Korean Central News Agency, newspaper Rodong Sinmun, and portal Naenara.
Anonymous has previously claimed to have hacked and vandalized social networking profiles linked to North Korea as part of its Operation Free Korea.
South Korea has raised its cyber-alert level, and asked citizens to review their internet security.
South Korean investigators say North Korea has frequently carried out cyber attacks in the South.
On March 20, cyber attacks on six South Korean banks and broadcasters affected 32,000 computers and disrupted banking services.
South Korea has blamed that incident – which came at a time of heightened tensions between the two Koreas following Pyongyang’s nuclear test on February 12 – on North Korea.
North Korea has also been blamed for previous cyber attacks in 2009 and 2011.
Australian Foreign Minister Bob Carr says a report alleging Chinese hackers stole plans for Australia’s new intelligence hub will not hit ties with Beijing.
On Monday the Australian Broadcasting Corporation (ABC) reported blueprints setting out the building’s cable layouts and security systems had been illegally accessed by a server in China.
Bob Carr did not comment directly on the claims.
But he said the government was “very alive” to cyber security threats.
“I won’t comment on whether the Chinese have done what is being alleged or not,” he said.
“I won’t comment on matters of intelligence and security for the obvious reason: we don’t want to share with the world and potential aggressors what we know about what they might be doing, and how they might be doing it.”
Bob Carr said the ABC report had “no implications” for a strategic partnership.
“We have enormous areas of co-operation with China,” he said.
The claims were made in a report on Chinese cyber-espionage by ABC’s Four Corners investigative programme on Monday night.
The programme alleged that blueprints to the new intelligence headquarters in Canberra – due to be finished last year but delayed – were stolen in a cyber attack on a contractor that was traced to a server in China.
The plans detailed communications cabling and server locations, floor plans and security systems, the programme alleged.
It quoted Professor Des Ball, an expert on cyber security from the Australian National University, as saying access to such details would enable an outside party to identify rooms used for sensitive activities and work out how to monitor them.
The programme also alleged that the Prime Minister’s Office, the Defence Ministry and the Department of Foreign Affairs had been breached in hacking operations.
Four Corners did not identify the source of its information.
Chinese Foreign Ministry spokesman Hong Lei rejected the claims, saying “groundless” accusations would not solve the problem of cyber hacking.
“Since it is technically untraceable, it is very difficult to find the source and identify the hacker,” he said.
“Therefore we have no idea what is the evidence for their report in which they make the claim with such certainty.”
Earlier this year, hackers from China – which is now Australia’s biggest trading partner – were thought to be behind an attack on the Reserve Bank of Australia, the Australian Financial Review reported.
The issue of cyber espionage looks set to be high on the agenda when the US and Chinese presidents hold their first summit in California next month.
Earlier this month, the Pentagon for the first time directly accused the Chinese government and military of targeting US government computers as part of a cyber espionage campaign aimed at collecting intelligence on US diplomatic, economic and defence sectors.
China called the report “groundless”, saying it represented “US distrust”.
South Korea is accusing North Korean spies of masterminding a series of high-profile cyber-attacks on its banks and television broadcasters in March.
Tens of thousands of computers were made to malfunction, disrupting work at banks and television broadcasters in South Korea.
Investigators in Seoul said they had discovered some of the code involved was identical to that used in malware previously linked to Pyongyang.
The allegation adds to growing tension on the Korean peninsula.
On Tuesday North Korea told foreigners in the South to “work out measures for evacuation” to avoid becoming involved in a “thermonuclear war”.
Seoul’s foreign minister subsequently said that there was a “considerably high” risk that North Korea might fire a ballistic missile at it over the coming days.
North Korea has not commented on the cyber-attack accusation.
About 48,000 PCs and servers in South Korea were struck on March 20.
The assault shut down computer networks at TV stations KBS, MBC and YTN, and halted operations at three banks – Shinhan, NongHyup and Jeju.
Investigators in Seoul reported their initial findings suggested North Korea’s military-run Reconnaissance General Bureau had been responsible.
A spokesman announced that 30 out of 76 programs recovered from affected computers were the same as those used in previous strikes.
In addition he said that 22 of the 49 internet protocol (IP) addresses involved in the incidents matched those used in attacks blamed on North Korea over the past five years.
The recent assaults shortly followed a South Korea-US joint military exercise, but it was suggested they had been long in the planning.
“The attackers gained control of personal computers or server computers within the target organizations at least eight months ago,” a government statement reported in the Korea Herald said.
“After maintaining monitoring activities [they] sent out the command to delete data stored in the server, and distributed malware to individual computers through the central server.”
South Korea’s Financial Services Commission added that no bank records or personal data had been compromised.
Previous cyber-intrusions blamed on Pyongyang include attempts to block access to the website of South Korea’s presidential office and other government departments, and hacks of computers at Nonghyup bank and the JoongAng Ilbo newspaper.
In turn, North Korea has accused both South Korea and the US of preventing users from being able to visit its official media sites – the Rodong Sinmun newspaper and the Korean Central News Agency (KCNA) – earlier this year.
It has led some commentators in the South to criticize the state of their cyber-defenses, bearing in mind that the public there is much more reliant on the internet than citizens in North Korea.
“South Korea cannot cope with unpredictable and sophisticated provocations from North Korea with a bureaucratic, rigid mindset,” wrote Chae In-taek in the JoongAng Ilbo.
“National security cannot be assured through an outdated system. We must come up with an innovative security system fast.”
Global internet has been slowed down in what security experts are describing as the biggest cyber-attack of its kind in history.
A row between spam-fighting group Spamhaus and hosting firm Cyberbunker has sparked retaliation attacks affecting the wider internet.
It is having an impact on popular services like Netflix – and experts worry it could escalate to affect banking and email systems.
Five national cyber-police-forces are investigating the attacks.
Spamhaus, a group based in both London and Geneva, is a non-profit organization which aims to help email providers filter out spam and other unwanted content.
To do this, Spamhaus maintains a number of blocklists – databases of servers known to be used for malicious purposes.
Recently, Spamhaus blocked servers maintained by Cyberbunker, a Dutch web host.
Sven Olaf Kamphuis, who claims to be a spokesman for Cyberbunker, said, in a message, that Spamhaus was abusing its position, and should not be allowed to decide “what goes and does not go on the internet”.
Spamhaus has alleged that Cyberbunker, in cooperation with “criminal gangs” from Eastern Europe and Russia, is behind the attack.
Steve Linford, chief executive for Spamhaus, said the scale of the attack was unprecedented.
“We’ve been under this cyber-attack for well over a week.
“But we’re up – they haven’t been able to knock us down. Our engineers are doing an immense job in keeping it up – this sort of attack would take down pretty much anything else.”
Steve Linford said the attack was being investigated by five different national cyber-police-forces around the world.
He claimed he was unable to disclose more details because the forces were concerned that they too may suffer attacks on their own infrastructure.
The attackers have used a tactic known as Distributed Denial of Service (DDoS), which floods the intended target with large amounts of traffic in an attempt to render it unreachable.
In this case, Spamhaus’s Domain Name System (DNS) servers were targeted – the infrastructure that joins domain names, such as bbc.co.uk, to the website’s numerical internet protocol address.
Steve Linford said the attack’s power would be strong enough to take down government internet infrastructure.
“If you aimed this at Downing Street they would be down instantly,” he said.
“They would be completely off the internet.”
Steve Linford added: “These attacks are peaking at 300 gb/s (gigabits per second).
“Normally when there are attacks against major banks, we’re talking about 50 gb/s.”
Spamhaus is able to cope, the group says, as it has highly distributed infrastructure in a number of countries.
The group is supported by many of the world’s largest internet companies who rely on it to filter unwanted material.
Steve Linford said several companies, such as Google, had made their resources available to help “absorb all of this traffic”.
The attacks typically happened in intermittent bursts of high activity.
“They are targeting every part of the internet infrastructure that they feel can be brought down,” he said.
“We can’t be brought down.
“Spamhaus has more than 80 servers around the world. We’ve built the biggest DNS server around.”
South Korean officials announce they incorrectly linked a Chinese IP address to a cyber-attack on local banks and broadcasters earlier this week.
On Thursday, the Korean Communications Commission said it had traced the attack to an internet address in China, although the identity of those behind the attack could not be confirmed.
But it said further investigation showed the malware came from a local computer in one of the affected banks.
However, South Korean officials still believe the attack was orchestrated from abroad.
Wednesday’s cyber-attack on six South Korean banks and broadcasters affected 32,000 computers and disrupted banking services.
The apparent link to China had fuelled speculation that North Korea was to blame.
Hackers can route their attacks through addresses in other countries to obscure their identities, and intelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks.
North Korea has been blamed for previous cyber-attacks on the South in 2009 and 2011.
South Korean officials initially linked the cyber-attack to an IP address in China, but on Friday said they had made a mistake.
Further investigation showed the IP address was in the internal server of Nonghyup bank, one of the victims of Wednesday’s attack.
Its IP address “coincidentally matched” a Chinese IP address, the KCC said.
“Malicious code seemed to be spread from the server [of Nonghyup Bank] and there were records of [it] being approached by someone at that time,” Lee Jae-il, vice-president of Korea’s Internet Security Agency (KISA), told reporters.
“We’re still tracking some dubious IP addresses which are suspected of being based abroad,” he said, adding that they were “keeping all kinds of possibilities open”.
South Korean officials have announced that the cyber-attack on the country’s banks and broadcasters came from an internet address in China.
However, the identity of those behind the cyber attack cannot be confirmed.
The telecoms regulator said hackers used a Chinese address to plant a malicious code that hit networks at six organizations on Wednesday.
Officials said they were continuing to investigate the origins of the attack.
North Korea has been blamed for previous attacks in 2009 and 2011.
“Unidentified hackers used a Chinese IP address to contact servers of the six affected organizations and plant the malware which attacked their computers,” said Park Jae-moon of South Korea’s communications regulator.
“At this stage, we’re still making our best efforts to trace the origin of attacks, keeping all kinds of possibilities open,” he said.
Officials stressed that the IP address did not reveal who was behind the attack, as hackers can route their attacks through addresses in other countries to obscure their identities.
However, the discovery has strengthened speculation that North Korea was behind the attack.
Intelligence experts believe that North Korea routinely uses Chinese computer addresses to hide its cyber-attacks.
A taskforce is being formed to analyze the virus and stop further attacks, and free computer vaccines have been handed out to South Korean companies.
Korea’s Communications Commission (KCC) said that the attacks on all six organizations appeared to come from a single entity.
The networks had been attacked by malicious codes, rather than distributed denial-of-service (DDoS) attacks as initially suspected.
Following Wednesday’s attack, the KCC raised its cyber-attack alert levels to “caution,” the third highest out of five levels, news agency Yonhap reported.
Around 32,000 computers were affected by the incident, and some services at Shinhan bank, including internet banking and ATM machines, were disrupted.
However, so far no damage had been detected in public institutions and infrastructure, the KCC was quoted as saying by Yonhap.
The incident comes with tensions between the two Koreas high.
North Korea has stepped up rhetoric in recent days in response to fresh UN sanctions over its nuclear test in February and joint annual military drills between the US and South Korea, which it bitterly opposes.
On March 15, North Korea’s KCNA news agency also accused the US and its allies of “intensive and persistent” hacking attacks on its internet servers.
South Korea’s authorities are investigating a suspected cyber-attack that has paralyzed computer networks at broadcasters and banks.
Broadcasters KBS, MBC and YTN told police their networks were halted around 14:00, Yonhap news agency said.
Two banks, Shinhan Bank and Nonghyup, said their networks were affected.
The exact cause of the problems remains unknown. Last week, North Korea accused the US and its allies of attacks on its internet servers.
The networks had been “partially or entirely crippled”, the Korean Internet Security Agency (KISA), a state watchdog, said.
“This incident is pretty massive and will take a few days to collect evidence,” a police official told AFP news agency.
Staff at the three broadcasters said their computers crashed and could not be restarted, with screens simply displaying an error message, although they have continued to make television broadcasts.
There are reports of skulls popping up on some computer screens, which could indicate that hackers had installed malicious code in the networks, KISA said.
Some banking services at Shinhan bank, including internet banking and ATM machines, were also affected, although banking operations now appear to have been restored.
A third bank, Woori Bank, also came under attack but was not infected, authorities say.
South Korean internet service provider LG Uplus said it believed its network had been hacked, Reuters news agency reported, citing an unidentified spokesman.
But AP news agency reported LG Uplus spokesman Lee Jung-hwan as saying that the company’s networks were operating normally, with no signs of a cyber-attack.
An official from the presidential office told Yonhap the authorities were “now trying to determine the cause of the network paralysis”, adding it was not yet known whether North Korea was involved.
“We do not rule out the possibility of North Korea being involved, but it’s premature to say so,” Defence Ministry spokesman Kim Min-seok said.
No government-related computer networks had been affected, an official from the National Computing and Information Agency (NCIA) told the agency.
The military has upgraded its information surveillance status by one level, Yonhap said.
North Korea is believed to have been behind two major cyber-attacks on the South in 2009 and 2011 that targeted government agencies and financial firms.
Nonghyup bank was one of the victims of the 2011 attack, which left its customers unable to access or transfer their cash for three days.
North Korea has stepped up rhetoric in recent days in response to fresh UN sanctions over its nuclear test in February and joint annual military drills between the US and South Korea, which it bitterly opposes.
Last week, North Korea’s KCNA news agency accused the US and its allies of “intensive and persistent” hacking attacks on its networks.
Official sites such as KCNA, Air Koryo and Rodong Sinmun, the party newspaper, were reportedly inaccessible for short periods.
North Korea has accused the United States and its allies of attacks on its internet servers, amid tension on the Korean peninsula.
KCNA news agency said the “intensive and persistent” attacks coincided with US-South Korea military drills.
Official sites such as KCNA, Air Koryo and Rodong Sinmun, the party newspaper, are reported to have been inaccessible on some occasions in recent days.
Tension has escalated in the wake of North Korea’s third nuclear test last month.
The test led to fresh UN sanctions being imposed on Pyongyang, which has responded with strong rhetoric – both to the UN move and the annual joint drills, which it bitterly opposes.
It says it has scrapped the Korean War armistice and ended non-aggression pacts with Seoul. It has also cut off a hotline that connects the two countries.
The two Koreas remain technically at war because the 1950-53 conflict ended in an armistice, not a treaty. South Korea says North Korea cannot unilaterally dissolve the armistice and has called on Pyongyang to tone down its language.
North Korea called the cyber attack a “cowardly and despicable act”.
“It is nobody’s secret that the US and South Korean puppet regime are massively bolstering up cyber forces in a bid to intensify the subversive activities and sabotages against the DPRK [North Korea],” KCNA said.
However, accusations of cyber attacks on the peninsula usually flow in the opposite direction. South Korean intelligence sources say North Korea routinely attempts to access the network here, and Pyongyang is believed to have broken into Defence Ministry data at least once in the past few years, our correspondent adds.
Current internet access in North Korea is extremely limited for locals, with most people only having access to a small number of state-run pages. The wider internet is available only to the government and the military.
Microsoft has become the latest technology company to confirm that it has been targeted by computer hackers.
In a blog post, Microsoft announced that “a small number” of its computers had recently been deliberately infected with malicious software.
The firm said it found no evidence that any customer data had been accessed, but an investigation is continuing.
On Tuesday Apple said its computers were attacked by the same hackers who targeted Facebook a week earlier.
At the time, Facebook said it had traced a cyber attack back to China which had infiltrated employees’ laptops.
In Friday’s blog post, Microsoft spokesman Matt Thomlinson said: “This type of cyberattack is no surprise to Microsoft and other companies that must grapple with determined and persistent adversaries.”
Russian researchers have discovered a complex targeted cyber-attack that collected private data from countries such as Israel and Iran.
Russian security firm Kaspersky Labs said they believed the malware, known as Flame, had been operating since August 2010.
The company said it believed the attack was state-sponsored, but could not be sure of its exact origins.
They described Flame as “one of the most complex threats ever discovered”.
Research into the attack was carried out in conjunction with the UN’s International Telecommunication Union.
In the past, targeted malware – such as Stuxnet – has targeted nuclear infrastructure in Iran.
Others like Duqu have sought to infiltrate networks in order to steal data.
This new threat appears not to cause physical damage, but to collect huge amounts of sensitive information, said Kaspersky’s chief malware expert Vitaly Kamluk.
“Once a system is infected, Flame begins a complex set of operations, including sniffing the network traffic, taking screenshots, recording audio conversations, intercepting the keyboard, and so on,” he said.
More than 600 specific targets were hit, Vitaly Kamluk said, ranging from individuals and businesses to academic institutions and government systems.
Iran’s National Computer Emergency Response Team posted a security alert stating that it believed Flame was responsible for “recent incidents of mass data loss” in the country.
Vitaly Kamluk said the size and sophistication of Flame suggested it was not the work of independent cybercriminals, and more likely to be government-backed.
He explained: “Currently there are three known classes of players who develop malware and spyware: hacktivists, cybercriminals and nation states.
“Flame is not designed to steal money from bank accounts. It is also different from rather simple hack tools and malware used by the hacktivists. So by excluding cybercriminals and hacktivists, we come to the conclusion that it most likely belongs to the third group.”
Among the countries affected by the attack are Iran, Israel, Sudan, Syria, Lebanon, Saudi Arabia and Egypt.
“The geography of the targets and also the complexity of the threat leaves no doubt about it being a nation-state that sponsored the research that went into it,” Vitaly Kamluk said.
The malware is capable of recording audio via a microphone, before compressing it and sending it back to the attacker.
It is also able to take screenshots of on-screen activity, automatically detecting when “interesting” programs – such as email or instant messaging – were open.
Kaspersky’s first recorded instance of Flame is in August 2010, although it said it is highly likely to have been operating earlier.
Prof. Alan Woodward, from the Department of Computing at the University of Surrey, said the attack is very significant.
“This is basically an industrial vacuum cleaner for sensitive information,” he said.
He explained that unlike Stuxnet, which was designed with one specific task in mind, Flame was much more sophisticated.
“Whereas Stuxnet just had one purpose in life, Flame is a toolkit, so they can go after just about everything they can get their hands on.”
Once the initial Flame malware has infected a machine, additional modules can be added to perform specific tasks – almost in the same manner as adding apps to a smartphone.