Wednesday's concerted cyber attack against South Korean broadcasters and banks originated from an IP address in China, but the identity of the hackers cannot be confirmed, officials said on Thursday.
"Unidentified hackers used a Chinese IP address to contact servers of the six affected organisations and plant the malware which attacked their computers," said Park Jae-Moon, director of network policy at South Korea's communications regulator.
Immediate suspicion for Wednesday's attack that targeted three major TV broadcasters, two banks and an Internet service provider, focused on North Korea.
Pyongyang had been blamed for previous cyber attacks in 2009 and 2011 that had also targeted financial institutions and government agencies.
The Korea Communications Commission (KCC) stressed that tracking down the IP source to China did not explain who was behind the attack, which might simply have been routed through the Chinese address from elsewhere.
"At this stage, we're still making our best efforts to trace the origin of attacks, keeping all kinds of possibilities open," Park said.
Wednesday's crash came days after North Korea accused South Korea and the United States of being behind a "persistent and intensive" hacking assault that took a number of its official websites offline for nearly two days.
It also came at a time of heightened military tensions on the Korean peninsula, following Pyongyang's nuclear test in February.