North Korean hackers did this to India?
A non-profit intelligence organisation in South Korea has shared “evidence” online claiming that the malware attack on the administrative network of Tamil Nadu’s Kudankulam Nuclear Power Plant (KNPP) was carried out from North Korea. Issue Makers Lab (IML) also claimed that the North Korean hackers targeted several top Indian nuclear scientists, including former Atomic Energy Commission chairman and ex-BARC director Anil Kakodkar and former chief of the Atomic Energy Regulatory Board S A Bhardwaj, through “malware-laced” emails.
“Through them, hackers can contact anyone in India’s nuclear energy sector with trusted relationship,” the Seoul-based group said. The South Korean intelligence group also said that “one of the hackers is using a North Korean self-branded computer produced and used only in North Korea. And the IP used by one of the hackers was from Pyongyang, North Korea. This is more valuable than malware,” it wrote. In its tweets, IML seems to suggest that the purpose of the malware attack was “espionage”.
“North Korea has been interested in the thorium-based nuclear power, (sic) which to replace the uranium nuclear power. India is a leader in thorium nuclear power technology. Since last year, North Korean hackers have continuously attempted to attack to obtain that information,” IML wrote. On being contacted, Department of Atomic Energy (DAE) spokesperson Ravi Shankar told TOI that “Considering the sensitivity of the matter, DAE will first check the veracity of such tweets and will then respond.”
Kakodkar told TOI, “I have to first figure out what are in the tweets and then I will be in a position to respond.” IML founder Simon Choi told TOI that they will talk about the findings soon at a security conference. “We have been monitoring North Korean hackers since 2008. We were watching the hacker that made the attack,” he said. North Korea’s Kimsuky Group attempted to steal information on the latest design of the advanced heavy water reactor (AHWR), an Indian design for a next-generation nuclear reactor that burns thorium in its fuel core, IML had tweeted in April.
Given India’s vast resources of thorium, successful development of AHWR technology could significantly alter the potential of civil nuclear power in India. Union minister for atomic energy Jitendra Singh had earlier told the Lok Sabha that AHWR technology will be functional by the 2020s. The South Korean intelligence group has been making revelations about the North Korean hackers through a series of tweets since October 31, just a day after Nuclear Power Corporation of India Ltd (NPCIL) confirmed that “the identification of malware in NPCIL system is correct”.
NPCIL, in an official statement on October 30, said the matter was investigated by the DAE. “There are generally two networks in such facilities, one for regular use and one for nuclear equipment. These two networks are completely segregated. It appears like the administrative IT network or the domain controller was compromised. It does not mean that the reactor is impacted,” said cybersecurity expert Pukhraj Singh, one of the first to raise concern about the cyber attack at KNPP after a third-party contacted him.
According to IML, its analysis reveals that there were multiple hackers, including “hacker group B”, which uses a 16-character password – dkwero38oerA^t@# – to compress a list of files on an infected PC. The group has used the same password for multiple attacks since 2007, IML wrote. One of the attackers also included a group that infiltrated the South Korean military’s internal network in 2016 and stole classified information, it added.
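A long-lived attacker constant such as a reused archive password is, for a defender, a detection pivot: staging collected files into a password-protected archive leaves the password on the archiver's command line, where process-creation telemetry (Sysmon, EDR) records it. The following example is added here and is not code from the article, from IML or from any of the people quoted; it assumes process events have already been parsed into dictionaries with hypothetical field names (host, pid, image, cmdline), and the sample events, host names, PIDs and paths are constructed for illustration. The password string itself is the one the article quotes.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Archive password that IML reported "hacker group B" has reused since 2007 (quoted in the article).
KNOWN_STAGING_PASSWORD = "dkwero38oerA^t@#"

# Command-line archivers commonly used to bundle collected files before exfiltration.
ARCHIVERS = {"rar", "winrar", "7z", "7za"}

# rar/WinRAR accept -p<pwd> and -hp<pwd> (the latter also encrypts file names);
# 7-Zip accepts -p<pwd>. The value may be double-quoted when it contains characters
# such as ^ or # that a Windows shell would otherwise interpret.
PASSWORD_ARG = re.compile(r'(?:^|\s)-(?:hp|p)(?:"([^"]*)"|(\S+))')


@dataclass
class Finding:
    host: str
    pid: int
    severity: str
    reason: str
    cmdline: str


def is_archiver(image_path: str) -> bool:
    """True if the executable's base name (ignoring .exe) is a known archiver."""
    name = ntpath.basename(image_path).lower()
    if name.endswith(".exe"):
        name = name[:-4]
    return name in ARCHIVERS


def extract_archive_password(cmdline: str) -> Optional[str]:
    """Return the password supplied via -p/-hp on an archiver command line, else None."""
    m = PASSWORD_ARG.search(cmdline)
    if not m:
        return None
    quoted, bare = m.groups()
    return quoted if quoted is not None else bare


def scan_process_events(events: Iterable[dict]) -> List[Finding]:
    """Apply two rules to process-creation events (hypothetical host/pid/image/cmdline dicts):
    a high-severity match on the known reused password, and a low-severity note for any
    other password-protected archive created from the command line."""
    findings: List[Finding] = []
    for ev in events:
        if not is_archiver(ev["image"]):
            continue
        pwd = extract_archive_password(ev["cmdline"])
        if pwd is None:
            continue
        if pwd == KNOWN_STAGING_PASSWORD:
            findings.append(Finding(ev["host"], ev["pid"], "high",
                                    "archive password matches reused group B staging password",
                                    ev["cmdline"]))
        else:
            findings.append(Finding(ev["host"], ev["pid"], "low",
                                    "password-protected archive created from the command line",
                                    ev["cmdline"]))
    return findings


# Constructed sample events (hypothetical hosts, PIDs and paths; not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "pid": 4120, "image": r"C:\Users\Public\rar.exe",
     "cmdline": r'rar.exe a -hp"dkwero38oerA^t@#" C:\Users\Public\docs.rar C:\Users\a\Documents\*.docx'},
    {"host": "ws02", "pid": 5011, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -pdkwero38oerA^t@# C:\Temp\s.7z C:\Users\b\Desktop'},
    {"host": "ws03", "pid": 6200, "image": r"C:\Program Files\7-Zip\7z.exe",
     "cmdline": r'"C:\Program Files\7-Zip\7z.exe" a -pMyBackup2019 D:\backup\mail.7z C:\Users\c\mail'},
    {"host": "ws04", "pid": 7300, "image": r"C:\Program Files\WinRAR\Rar.exe",
     "cmdline": r'"C:\Program Files\WinRAR\Rar.exe" a C:\Temp\plain.rar C:\Reports\*.pdf'},
    {"host": "ws05", "pid": 8400, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r'notepad.exe C:\Users\d\notes.txt'},
]


if __name__ == "__main__":
    for f in scan_process_events(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.host} pid={f.pid}: {f.reason}")
```

Run against the constructed events, the scan returns two high-severity findings (ws01 and ws02, where the known password appears quoted and unquoted) and one low-severity finding (ws03, a different password); the plain archive on ws04 and the non-archiver on ws05 produce nothing. The low-severity rule exists because a password that has been public since 2007 is trivially changed; the durable signal is command-line archiving of user documents with any password, which the high-severity rule then enriches when the known string appears.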
Singh told TOI that the purpose of the malware appeared to be information theft, but that the same modus operandi could have been used to deploy a destructive wiper, which, he added, erases the contents of any hard drive it infects.
“THIS IS IT. The espionage toolchain linked to a destructive wiper. The intrusions weren’t destructive because the actor decided against it. We were at its mercy. It’s not about airgaps or how awesomely safe reactors are, it’s about the complete absence of a deterrence strategy,” he wrote on Twitter, quoting a tweet from IML that analyses the malware used in the attack on KNPP.