North Korean hackers attacked Tamil Nadu nuclear plant and top nuclear scientists: South Korean intelligence group
NEW DELHI: A non-profit intelligence organisation has shared evidence online claiming that the malware attack on the administrative network of the Kudankulam Nuclear Power Plant (KNPP) in Tamil Nadu was carried out from North Korea. Issue Makers Lab (IML) also claimed that North Korean hackers targeted several nuclear scientists in India, including a former chairman of the Atomic Energy Commission and former director of BARC, and former Atomic Energy Regulatory Board chief SA Bhardwaj, through malware-laced emails. Through them, the hackers could reach anyone in India's nuclear power sector who has a relationship of trust with those scientists, the Seoul-based group said.
The South Korean intelligence group also said that one of the hackers was using a North Korean own-brand computer that is produced and used only in North Korea, and that the IP address used by one of the hackers was from Pyongyang, North Korea. "This is more valuable than the malware," he wrote.
In its tweets, IML appears to suggest that the purpose of the malware attack was espionage. “North Korea has been interested in thorium-based nuclear energy, (sic) that replaces uranium nuclear energy. India is a leader in thorium nuclear energy technology. Since last year, North Korean hackers have continually tried to attack to get that information,” IML wrote.
(Tweet by IssueMakersLab, @issuemakerslab, 2 November 2019 UTC: https://t.co/g4dUBr3Mkn)
When contacted, Department of Atomic Energy (DAE) spokesperson Ravi Shankar told TOI that, given the sensitivity of the matter, DAE would first verify the veracity of the tweets and then respond. Kakodkar told TOI: "I will first have to find out what is in the tweets, and then I will be able to respond."
IML founder Simon Choi told TOI that the group would present its findings soon at a security conference. "We have been monitoring North Korean hackers since 2008. We have been watching the hacker who carried out the attack," he said.
IML had tweeted in April that the North Korean Kimsuky group attempted to steal information about the latest design of the advanced heavy water reactor (AHWR), an Indian design for a next-generation nuclear reactor that burns thorium in its fuel core.
Given India's vast thorium reserves, successful development of AHWR technology could significantly change the prospects of civil nuclear energy in the country. Union minister for atomic energy Jitendra Singh had told the Lok Sabha that AHWR technology would be operational by 2020.
The South Korean intelligence group has been making revelations about the North Korean hackers in a series of tweets since October 31, one day after Nuclear Power Corporation of India Ltd (NPCIL) confirmed that malware had indeed been identified in its system. In an official statement on October 30, NPCIL said the matter had been investigated by the DAE.
“In general, there are two networks in such facilities, one for regular use and one for nuclear equipment. These two networks are completely segregated. It seems that the IT administrative network or the domain controller was compromised. It does not mean that the reactor is affected,” said cybersecurity expert Pukhraj Singh, one of the first to raise concern about the cyber attack on KNPP after a third party contacted him.
According to IML, its analysis reveals that there were multiple hackers, including a "hacker group B", which uses a 16-character password, dkwero38oerA^t@#, to compress (archive) a list of files on an infected PC. They have used the same password in multiple attacks since 2007, he wrote. The attackers also included a group that infiltrated the internal network of the South Korean army in 2016 and stole classified information, he added.
Singh told TOI that the purpose of the malware appeared to be information theft, but the same modus operandi could have been used to deploy a destructive wiper, which, he added, erases the contents of the hard drive it infects.
"THAT'S IT. The spy tool chain linked to a destructive wiper. The intrusions were not destructive because the actor decided not to be. We were at your mercy. It's not about air gaps or how incredibly safe the reactors are, it's about the total absence of a deterrence strategy," he wrote, quoting an IML tweet that analysed the malware used in the KNPP attack.
(Tweet by Pukhraj Singh, @RungRage, 3 November 2019 UTC: https://t.co/TYpXP9iGz8)