The investigation team is closing in on the hacker who is threatening to release thousands of nuclear reactor data.
Authorities say they have traced the attack to multiple IP addresses in Shenyang, China.
They haven't ruled out North Korea's involvement since the city is close to the border.
Authorities believe the attack was planned for two years, and that more than one person is responsible.
They had discovered earlier in the week that the Twitter ID being used by the hacker was registered in the U.S.
South Korea has asked both Beijing and Washington for assistance in their probe.
The group of hackers has leaked documents on five separate occasions over the last week.
The most recent was on Tuesday, which included crucial information about nuclear technology.
They've threatened to release tens of thousands of additional documents related to the nation's nuclear reactors and destroy control systems if their demands are not met.
Halt operations at three of Korea's nuclear facilities by Christmas Day, or face the consequences.
Experts say such a leak could be detrimental.
"The hackers says they have about 100-thousand pieces of data. Even if that data is not highly classified, it can be reassembled, creating a huge chunk of new information. Then it becomes very dangerous."
In response to the recent security breach, the energy ministry conducted a two day-long cyber security drill this week on all of Korea's nuclear facilities.
The network security of power plants was reviewed as was protocol for shutting them down in the case of a malfunction.
The energy ministry raised its alert level against cyber attacks one notch to the third-highest level on a scale of five on Tuesday.
Connie Kim, Arirang News.