A cyberattack that wiped the hard drives of computers belonging to banks and broadcasting companies in South Korea this week was set off by a logic bomb in the code, according to a security firm in the U.S.

The logic bomb dictated the date and time the malware would begin erasing data from machines, coordinating the destruction across multiple victims, according to Richard Henderson, a threat researcher at FortiGuard Labs, the Vancouver-based research division of the security firm Fortinet.

The attack, which struck machines on March 20, wiped the hard drives and master boot record of at least three banks and two media companies simultaneously. The attacks reportedly put some ATMs out of operation, preventing South Koreans from withdrawing cash from them.

The malware consisted of four files, including one called AgentBase.exe that triggered the wiping. Contained within that file was a hex string (4DAD4678) indicating the date and time the attack was to begin – March 20, 2013 at 2pm local time (2013-3-20 14:00:00). As soon as the internal clock on the machine hit 14:00:01, the wiper was triggered to overwrite the hard drive and master boot record on Microsoft Windows machines and then reboot the system.
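One triage step a defender can take on a sample like this is to hunt for embedded 32-bit values that decode to a date close to the sample's first sighting, since a hard-coded trigger time sits in the binary long before it fires. The script below is written for this article and is not code from Fortinet, Trend Micro or the malware itself; it assumes the trigger is stored as a Unix epoch (the report does not say how the string 4DAD4678 encodes the date) and scans a constructed byte buffer rather than the real AgentBase.exe.

```python
import struct
from datetime import datetime, timedelta, timezone


def find_epoch_timestamps(data: bytes, first_seen: datetime, window_days: int = 90):
    """Return (offset, byte_order, utc_datetime) for every 32-bit value in `data`
    that, read as a Unix epoch, lands within `window_days` of `first_seen`.

    Every byte offset is tried (not only aligned ones) in both byte orders, so a
    hard-coded trigger time is found wherever the compiler happened to place it.
    """
    lo = int((first_seen - timedelta(days=window_days)).timestamp())
    hi = int((first_seen + timedelta(days=window_days)).timestamp())
    hits = []
    for off in range(len(data) - 3):
        for fmt, order in (("<I", "little"), (">I", "big")):
            value = struct.unpack_from(fmt, data, off)[0]
            if lo <= value <= hi:
                hits.append((off, order, datetime.fromtimestamp(value, tz=timezone.utc)))
    return hits


# Constructed sample (not bytes from the real binary): a fake DOS header, the
# dropper's file name, the trigger time 2013-03-20 14:00 KST (05:00 UTC) as a
# little-endian epoch, then filler bytes.
TRIGGER_UTC = datetime(2013, 3, 20, 5, 0, tzinfo=timezone.utc)
SAMPLE = (
    b"MZ\x90\x00"
    + b"AgentBase.exe\x00"
    + struct.pack("<I", int(TRIGGER_UTC.timestamp()))
    + b"\xff" * 8
)
# The phishing wave was spotted on March 19 per the report; use it as first sighting.
FIRST_SEEN = datetime(2013, 3, 19, tzinfo=timezone.utc)


def report(data: bytes, first_seen: datetime):
    """Print each candidate with the lead time it would have given defenders."""
    hits = find_epoch_timestamps(data, first_seen)
    for off, order, when in hits:
        lead = when - first_seen
        print(f"offset 0x{off:04x} ({order}-endian): {when:%Y-%m-%d %H:%M} UTC, "
              f"{lead.days}d {lead.seconds // 3600}h after first sighting")
    return hits


if __name__ == "__main__":
    report(SAMPLE, FIRST_SEEN)
```

On a real sample the same scan is worth repeating for other encodings (Windows FILETIME, SYSTEMTIME fields, DOS date/time), since the report does not state which one this dropper used.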

Once the machine rebooted, users saw a message on their screens that read, "Boot device not found. Please install an operating system on your hard disk."

The malware also included a module for deleting data from remote Linux machines. The malware searched for remote connections and used stored credentials to access Linux servers and wipe their master boot record.

"That implies they weren’t just looking to attack desktops; they were looking to attack stuff on the infrastructure side as well," Henderson says.

The security firm Trend Micro has also revealed that on March 19, its researchers spotted a phishing email that was sent to South Korean organizations and purported to come from a bank. It came with a malicious attachment that contained a Trojan. This suggests the malware may not have been on machines more than a day before the wiping mechanism was triggered.

"On March 19, we saw the first indications of this attack, where South Korean organizations received a spam message that contained a malicious attachment," the company wrote on its blog. "The message posed as coming from a bank. The attachment is actually a downloader, which downloaded 9 files from several different URLs."

There has been some confusion about whether or not a hacking group calling itself WhoIs was behind the attacks. Reuters reported that a web site owned by the technology firm LG was also hacked in the attack. A screenshot showing a message left behind by the WhoIs group on a hacked machine has been attributed by some security firms and media outlets to the same hackers who attacked the banks and media outlets. But LG has since denied to Reuters that it had been hacked, and there is no known connection between the WhoIs team and the hacks in South Korea.

"I firmly believe the WhoIs defacement was either a coincidence attack or an attempt by that group to jump on when the time bomb detonated in order to tie their names to the attacks," Henderson said.