North Korea Blamed for Nuclear Power Plant Data Breach


South Korean investigators yesterday announced that North Korea is believed to have been responsible for a series of recent leaks of data on South Korea's nuclear power plants, Yonhap News reports.

Last week, a hacker demanded an undisclosed sum of money to prevent the release of sensitive information on the power plants. The same hacker had already published information on the plants five times over the past few months.

The South Korean special investigation team stated that the attacks are "believed to have been caused by an (unidentified) group of North Korean hackers" with the aim of "causing social unrest and agitating the people."

Prosecutor Choi Yun-soo said the hackers gained access to the information by hacking officials' email accounts, not through any breach of Korea Hydro and Nuclear Power's (KHNP) systems. "A total of 94 [pieces of] data were compromised," he said. "But they are mostly for training and education and far from critical."

The prosecutors told Reuters the attackers sent 5,986 phishing emails containing malware to 3,571 KHNP employees between December 9 and 12, 2014.

"We've learned that the malicious code used in the email attack in December was similar to what North Korean hackers usually employee," a member of the investigation team told Yonhap News. "Multiple Internet protocol addresses used for the attacks were found to be based in North Korea."

Because the attackers also used a U.S.-based social networking service and IP addresses based in China, the team said it will continue the probe in cooperation with Washington and Beijing.

In response, the North Korean state-run website Uriminzokkiri called the accusation "a false judgement by an idiot," and added, "The probe team has only an elementary-level reasoning ability that it should blame North Korea for the leaks of data on South Korean nuclear power plants simply because the incidents happened at a similar time with the hacking on Sony Pictures."

U.S. government officials linked last year's cyber attack on Sony Pictures to North Korea due in part to the fact that one of the command and controls servers for the attack was also used in previous cyber attacks on South Korea, and that the malware used against Sony was similar to the malware used to target South Korean TV stations and banks in 2013.

TrapX general manager Carl Wright told eSecurity Planet by email that regardless of who may have been behind the attack, it's important to understand that advanced persistent threats (APTs) can lie dormant on a network for months or years at a time. "This is especially critical in nuclear power SCADA networks where they can be stealthily monitoring activity before ultimately springing to life and wreaking havoc across a network," he said.

"This can include exfiltrating and/or destroying critical data or, in the case of ... Stuxnet, actually disabling industrial equipment that is used to enrich uranium," Wright added. "Even worse, in a nuclear power plant, it is not unreasonable for us to see a scenario that could result in injury or potentially the loss of life."

Many organizations fail to consider the fact, Wright said, that there's nothing a network perimeter security solution can do once an APT has successfully penetrated a network. "While perimeter security is still very important, organizations need to start implementing security solutions that reside inside the network and can monitor advanced malware as it moves laterally," he said.

"Nuclear plants typically have closed networks such that the SCADA operations are isolated from any external connection," Wright adeded. "We know, however, that one infected USB memory stick or one connected laptop that had previously been compromised, can break the entire security plan."