
Was North Korea Behind Attack at Indian Nuclear Power Plant?

South Korean Researchers Claim Kimsuky Group Was Conducting Espionage
India's Kudankulam Nuclear Power Plant (Source: The Hindu)

A nonprofit intelligence organization in South Korea claims that it has evidence that a recent malware attack at India’s Kudankulam Nuclear Power Plant was carried out by North Korea’s Kimsuky Group.


IssueMakersLab, or IML, a Seoul-based group of malware analysts, claims in a series of tweets that Kimsuky Group attempted to steal information on the latest design of the “Advanced Heavy Water Reactor,” an Indian design for a next-generation nuclear reactor that burns thorium in the fuel core.

IML says it closely follows the activities of various groups from North Korea involved in nation-state attacks. It claims the Kimsuky Group used a similar method in 2013 to attack South Korean broadcasting stations and banking systems.

The research group did not immediately reply to a request for more information on the evidence regarding the attack at the nuclear plant.

Simon Choi, IML's founder, said he will describe his group’s findings soon at a security conference. “We have been monitoring the hackers since 2008. We were also keeping a close watch on hackers who made the attack on India’s nuclear plant,” Choi says.

The Motive

IML claims that the main motive behind the attack was to gain knowledge on thorium-based nuclear power.

“North Korea has been interested in thorium-based nuclear power, which can be used to replace uranium nuclear power. India is a leader in thorium nuclear power technology. Since last year, North Korean hackers have continuously attempted to attack India’s nuclear plants to obtain that information,” IML says in a tweet.

Last week, the Nuclear Power Corp. of India confirmed that a PC at the Kudankulam Nuclear Power Plant was infected with malware.

The analysts at IML also claim that the accounts of many Indian nuclear scientists, including Anil Kakodkar, former Atomic Energy Commission chairman, and S.A. Bhardwaj, former chief of Atomic Energy Regulatory Board, were targeted for malware attacks.

“Hackers sent an email containing malware to the former chairman of the Atomic Energy Regulatory Board of India. He was also the technical director of Nuclear Power Corporation of India Limited as well as an expert on Advanced Heavy Water Reactor,” IML said.

Nuclear Power Corp. of India did not immediately reply to a request for comment on the IML report.

IML also claims that those targeted by North Korean hackers are top authorities in India’s nuclear energy sector. If the hackers stole those credentials, they could then contact anyone in India's nuclear energy sector while posing as a trusted colleague, the researchers note. The hackers used a computer produced and used only in North Korea, the researchers say. “The IP used by one of the hackers was from Pyongyang in North Korea,” IML says in a tweet.

How the Malware Was Launched

IML claims malware was injected into North Korea’s propaganda website, Meari, and distributed via the website by exploiting a Google Chrome zero-day vulnerability.

According to a blog by Kaspersky, the exploitation of the Google Chrome zero-day vulnerability began at a North Korean website into which the attackers injected malicious code. That code loads a script from a third-party site that first checks whether the system is suitable for infection and which browser the victim uses. “After verifying it’s found what it wanted, the exploit gains permission to read and write data to the device, which it immediately utilizes to download, decrypt, and run the malware. The latter can vary depending on the user,” Kaspersky says.

Other Attacks

The Kimsuky Group is believed to have been responsible for the Korea Hydro & Nuclear Power cyber terrorism attacks in 2014 in South Korea, according to The Guardian. The group uses spear-phishing emails, which are often designed to steal portal account credentials and carry malicious code as attachments, according to news reports. The main targets of its attacks are government and military officials and news reporters.

DTrack, the malware that may have been used to infect a PC at the Indian nuclear power plant KKNPP, has historically been used as a tool for exfiltrating information. It’s essentially a remote access Trojan that takes control of a system, Kaspersky says.

IML says that the Kimsuky Group used DTrack to infiltrate the South Korean military's internal network in 2016 and steal classified information.

The Kimsuky Group has also targeted a wide range of entities, including diplomatic bodies of the United Nations Security Council like China, France, Belgium, Peru, and South Africa, The Guardian reports.

About the Author

Suparna Goswami

Associate Editor, ISMG

Goswami has more than 10 years of experience in the field of journalism. She has covered a variety of beats including global macro economy, fintech, startups and other business trends. Before joining ISMG, she contributed for Forbes Asia, where she wrote about the Indian startup ecosystem. She has also worked with UK-based International Finance Magazine and leading Indian newspapers, such as DNA and Times of India.
