South Korea's spy agency lowered the country's cyber attack alert Monday as affected websites returned to normal after suffering outages in a series of assaults that have cast suspicion on North Korea.
Dozens of South Korean and U.S. websites, including those of the White House and South Korea's presidential Blue House, were targeted in the so-called denial-of-service attacks, in which floods of computers try to connect to a single site at the same time to overwhelm the server.
But there have been no new web attacks since the last wave launched Thursday evening. South Korea's National Intelligence Service said in a statement that it lowered the alert level because the attacks are fizzling out, but added it will keep a close watch for any signs of fresh assaults.
North Korea is suspected of involvement. The spy agency told lawmakers last week that a North Korean military research institute had been ordered to destroy the South's communications networks, local media reported.
The agency said in a statement Saturday that it has "various evidence" of North Korean involvement, but cautioned it has yet to reach a final conclusion.
South Korean media reported in May that North Korea was running an internet warfare unit that tries to hack into U.S. and South Korean military networks to gather confidential information and disrupt service.
Hackers had 'intimate knowledge' of network
The Chosun Ilbo newspaper reported Friday that the North has between 500 and 1,000 hacking specialists. Yonhap news agency also reported Sunday that the North has stolen personal information of at least 1.65 million South Koreans since 2004.
On Monday, Kim Hong-sun, head of South Korea's top antivirus software developer, AhnLab, said the hackers must have "intimate knowledge of South Korea's equipment, software and network environment," but he declined to speculate on who might have been responsible.
South Korean police are also analyzing a sample of the tens of thousands of infected computers.
An Chan-soo, a senior police officer investigating the cyber attacks, said Sunday that investigators had obtained 27 computers infected with malicious computer code, known as malware, in an attempt to trace the "contamination paths" of the programs that launched the attacks.
Such programs can give hackers remote access to computers without the owners' knowledge.
Tens of thousands of computers infected
An gave no details about who the computers belonged to, other than that they were from South Korean individuals. He said South Korea is also seeking to obtain hard disks and other information on six foreign servers whose files update malware programs.
An did not say where the foreign servers were located.
The state-run Korea Communications Commission has said tens of thousands of computers were infected. The commission says it has identified and blocked five internet protocol, or IP, addresses in five countries used to distribute computer viruses that caused the wave of website outages, which began in the U.S. on July 4.
They were in Austria, Georgia, Germany, South Korea and the U.S., a commission official said. He spoke on condition of anonymity because he is not authorized to speak to the media on the record.
The identity of the IP addresses themselves, however, does not clarify much. It is likely the hackers used the addresses to disguise themselves — for instance, by accessing the computers from a remote location. IP addresses can also be faked or masked, hiding their true location.