Many in Seoul suspect hackers loyal to Pyongyang for Wednesday's attack, but South Korean officials have yet to assign blame and say they have no proof yet of North Korea's involvement. The investigation could take weeks, but an initial finding linked a Chinese internet protocol address to one of the banks affected.
South Korea has set up a team of computer security experts from the government, military and private sector to identify the hackers and is preparing to deal with more possible attacks, presidential spokesperson Yoon Chang-jung told reporters on Friday. He didn't elaborate on the possibility of more attacks.
Determining who's behind a digital attack is often difficult. But North Korea is a leading suspect for several reasons. It has unleashed a torrent of threats against Seoul and Washington since punishing UN sanctions were imposed for Pyongyang's 12 February nuclear test.
It calls ongoing routine US-South Korean military drills a threat to its existence. Pyongyang also threatened revenge after blaming Seoul and Washington for a separate internet shutdown that disrupted its own network last week. Seoul alleges six cyber attacks by North Korea on South Korean targets since 2009.
If the attack was in fact carried out by North Korea, it may be a warning to Seoul that Pyongyang is capable of breaching its computer networks with relative ease.
The cyber attack did not affect South Korea's government, military or infrastructure, and there were no initial reports that customers' bank records were compromised.
But it disabled cash machines and disrupted commerce in this tech-savvy, internet-dependent country, renewing questions about South Korea's internet security and vulnerability to hackers.
The attack disabled some 32 000 computers at broadcasters YTN, MBC and KBS, as well as three banks. The broadcasters said their programming was never affected, and all ATMs were back online.
All three of the banks that were hit were back online and operating regularly on Friday. It could be next week before the media companies have fully recovered.
A malicious code that spread through the server of one target, Nonghyup Bank, was traced to an IP address in China, the state-run Korea Communications Commission said in an announcement of initial findings. Regulators said all six attacks appeared to come from "a single organisation". The investigation is continuing into the shutdown at the five other firms.
An IP address can be an important clue as to the location of an internet-connected computer but can easily be manipulated by hackers operating anywhere in the world.
The Chinese IP address identified by the South Korean communications regulator belongs to an internet services company, Beijing Teletron Telecom Engineering, according to the website tracking and verification service Whois.
A woman who answered the telephone number listed on Beijing Teletron's website denied the company was involved in the cyber attack. She refused to identify herself or provide further information.
Wednesday's cyber attack does not fit the mould of previous attacks blamed on China. Chinese hacking, either from Beijing's cyber-warfare command or freelance hackers, tends to be aimed at collecting intelligence and intellectual property - not at disrupting commerce.
China is home to a sizable North Korean community, both North Koreans working in the neighbouring nation and Chinese citizens of ethnic ancestry who consider North Korea their motherland.