The cyber attack by suspected North Korea-based hackers on the Kudankulam Nuclear Power Plant in September was intended specifically for information theft and The Quint has now been told that the actors were able to steal technology-related data from the plant’s IT systems.
IssueMakers Lab, an expert group of malware analysts based in South Korea that has tracked the North Korean actors suspected to be behind the attack since 2008, told The Quint that the actors were backed by the North Korean government and stole data by deploying malware designed for data theft.
“We have found that Nuclear Power Plant technology-related data has been taken,” Simon Choi, founder of IssueMakers Lab, told The Quint.
The Lab had said on Twitter on 2 November that North Korea has been interested in information about thorium-based nuclear power and since 2018 has continuously attempted to attack plants and individuals in several countries to obtain that information.
Adding to this, Choi said they found evidence that “the hackers of North Korea disguised themselves as employees of the Atomic Energy Regulatory Board (AERB) and Bhabha Atomic Research Centre of India (BARC) and sent hacking emails to their chairmen and other senior experts”. This includes nuclear scientists like Anil Kakodkar and former chairman of AERB, SA Bharadwaj.
IssueMakers Lab, which has shared substantial evidence on Twitter of North Korea’s role, said it also found evidence of more than one group of North Korean hackers working together to first conduct reconnaissance and subsequently deploy the malware.
India’s National Cyber Security Coordinator, Lt. Gen. Rajesh Pant, responded to questions from The Quint by stating that an “inquiry was in progress” on the matter.
“Our inquiry is still in progress and we cannot comment on South Korean reports. Analysis of computer logs for forensics involves sifting terabytes of data and is a time-consuming process.”
Lt. Gen. Rajesh Pant, National Cyber Security Coordinator
What Happened in Kudankulam?
The Nuclear Power Corporation of India Limited (NPCIL), which runs the plant in Tamil Nadu, confirmed on Wednesday, 30 October, that the “identification of malware in NPCIL system is correct”. This confirmation came after a 29 October statement denying that a breach had occurred, which said that “any attack on the Nuclear Power Plant Control System is not possible”.
Experts who had raised the alarm about a cyber breach on 3 September, however, clarified that there was no claim made that an attack had taken place on the critical control systems of the plant.
A nuclear power plant typically consists of two distinct networks. One network, known as operational technology (OT), controls the actual running of the machinery and reactors responsible for power generation. This part of the plant’s operations is air-gapped, meaning it has no network connection to outside computers, and it was not breached. An air gap removes the network path; it does not by itself address physical vectors such as removable media, which none of the statements so far cover.
The second is the information technology (IT) network, which supports all other activities, including a vast trove of day-to-day administrative and personnel data. This IT network, which is connected to the internet, was the part of the nuclear plant that was compromised by the attack.
The NPCIL’s statement also clarified that the infected computer belonged to a user who was connected to the internet. This Internet network was “isolated from the critical internal network”, the press release said.
What We Knew About North Korea’s Suspected Involvement
The Quint had reported on 4 November that the South Korean malware analysts had shared evidence and analysis to buttress the claim that North Korea-based actors were indeed behind the cyber attack on the nuclear plant.
In a series of tweets since 30 October, the Lab has shared the following information:
- One of the hackers who attacked India’s nuclear energy sector was using a North Korean self-branded computer produced and used only in North Korea.
- The IP address used by one of the hackers was traced to Pyongyang, North Korea.
- A composite history of the malware deployed allegedly by North Korean “hacker group B” or ‘Dark Seoul’.
- A 16-character string, dkwero38oerA^t@#, used as the password for the compressed list of files the malware builds on an infected PC. The actors have used the same password across multiple attacks since 2007.
- Verification of the DTrack malware code used by the North Korean hackers. The experts said the same malware was deployed on the South Korean military’s internal network in 2016 and stole classified information.
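The password above is the kind of indicator an incident responder can act on directly: if a password-protected archive is recovered from a suspect host, testing it against the known actor password is a cheap triage step. The Python below is an added example, not code from the article or from IssueMakers Lab. It assumes the malware packs its file listing as a ZIP entry protected with the traditional PKWARE (ZipCrypto) scheme, which the article does not state; to keep the example self-contained it also builds its own sample archive with a minimal ZipCrypto encryptor, and the file path inside that archive is constructed for the demo.

```python
import io
import struct
import zipfile
import zlib

# Password IssueMakers Lab reports DTrack using for its file-listing archive (from the article).
DTRACK_PASSWORD = b"dkwero38oerA^t@#"


def _crc32_update(crc: int, byte: int) -> int:
    """One byte of the CRC-32 step used inside ZipCrypto's key schedule (table-free form)."""
    crc ^= byte
    for _ in range(8):
        crc = (crc >> 1) ^ 0xEDB88320 if crc & 1 else crc >> 1
    return crc


def zipcrypto_encrypt(plaintext: bytes, password: bytes, crc: int) -> bytes:
    """Traditional PKWARE (ZipCrypto) encryption of one stored entry.

    Returns the 12-byte encryption header followed by the encrypted body. The 12th
    header byte is the high byte of the entry's CRC-32; readers use it to reject a
    wrong password quickly, with the full CRC check catching the rest.
    """
    keys = [0x12345678, 0x23456789, 0x34567890]

    def update(p: int) -> None:
        keys[0] = _crc32_update(keys[0], p)
        keys[1] = (keys[1] + (keys[0] & 0xFF)) & 0xFFFFFFFF
        keys[1] = (keys[1] * 134775813 + 1) & 0xFFFFFFFF
        keys[2] = _crc32_update(keys[2], keys[1] >> 24)

    def keystream_byte() -> int:
        t = (keys[2] | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    for p in password:
        update(p)
    # Real archivers fill the first 11 header bytes randomly; zeros keep this deterministic.
    header = bytes(11) + bytes([(crc >> 24) & 0xFF])
    out = bytearray()
    for p in header + plaintext:
        out.append(p ^ keystream_byte())
        update(p)  # the key schedule is driven by plaintext bytes, as in the spec
    return bytes(out)


def build_encrypted_zip(name: bytes, data: bytes, password: bytes) -> bytes:
    """Minimal single-entry ZIP (stored, ZipCrypto) that the zipfile module reads back."""
    crc = zlib.crc32(data) & 0xFFFFFFFF
    body = zipcrypto_encrypt(data, password, crc)
    flags, method, dos_time, dos_date = 0x0001, 0, 0, 0x21  # bit 0 = encrypted; 1980-01-01
    local = struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, method, dos_time, dos_date,
                        crc, len(body), len(data), len(name), 0) + name
    central = struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20, flags, method,
                          dos_time, dos_date, crc, len(body), len(data),
                          len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, 1, 1,
                       len(central), len(local) + len(body), 0)
    return local + body + central + eocd


def extract_with_password(zip_bytes: bytes, password: bytes) -> dict:
    """Decrypt every entry with one password; raises if the password is wrong."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        # read() verifies the CRC-32 at end of entry, so garbage from a wrong key is rejected
        return {n: zf.read(n, pwd=password) for n in zf.namelist()}


def find_archive_password(zip_bytes: bytes, candidates):
    """Return the first candidate password that opens the whole archive, else None."""
    for pw in candidates:
        try:
            extract_with_password(zip_bytes, pw)
        except (RuntimeError, zipfile.BadZipFile):
            continue  # RuntimeError: check-byte mismatch; BadZipFile: CRC mismatch
        return pw
    return None


if __name__ == "__main__":
    # Constructed sample: a file listing of the kind the article says the malware compresses.
    listing = b"C:\\Users\\operator\\Documents\\reactor_notes.docx\r\n"
    sample = build_encrypted_zip(b"list.txt", listing, DTRACK_PASSWORD)
    hit = find_archive_password(sample, [b"infected", b"password", DTRACK_PASSWORD])
    print("opened with the known DTrack password" if hit == DTRACK_PASSWORD else "no match")
```

A match on this password is one indicator, not attribution on its own: the string is public, so another actor could reuse it, and an archive recovered from a host should still be compared against the other evidence the Lab lists (the DTrack code itself, the infrastructure, the tooling fingerprints).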
New Details About The Cyber Attack
The Quint has learnt new information that adds to what is known about the cyber attack so far. The information serves to provide greater clarity on who is behind the attack, how it was carried out, why they attacked India’s largest civilian nuclear plant and what the impact was.
Who Exactly Was Behind the Attack?
Choi, who has tracked the hacker group that allegedly attacked the nuclear plant for over a decade, said it was not one but two separate groups who worked together on this. Moreover, while the attack had been attributed to the Lazarus group, Choi said that technically the perpetrators are a separate group.
Choi said that “there are approximately seven hacker groups in North Korea. Generally we call the group which attacked South Korea’s government website in 2009 and Sony Pictures in 2014 ‘Group A’, which is more commonly referred to as ‘Lazarus Group’.”
“And there is ‘Group B’, which generally attacks the Korean Army and attacked Korean banks and networks in 2013. This group is the one that attacked KKNPP of India this time. This group is normally known as ‘Dark Seoul’ or ‘Operation Troy’ to people.”
Simon Choi, founder, IssueMakers Lab
According to Choi “these two groups are controlled by North Korean government and they can be considered as one.”
“There is also a “Group C” which attacked Korea Hydro and Nuclear Power Co Ltd in 2014. This Group C started attacking India's nuclear power plant-related persons from last year,” he further added.
How Was It Carried Out?
Choi said that the evidence they gathered suggests the attack on KKNPP was carried out by Groups B and C working together. He said that while Group C was involved in reconnaissance over the past year and in sending malware to senior nuclear scientists, Group B was the one that deployed the malware on the plant’s IT systems.
“When Group C gets authority by reconnaissance done on people associated with the nuclear power plant, they hand over the data collected to Group B,” Choi said.
So, how did Group C go about allegedly hacking senior scientists?
According to Choi, “The hackers of North Korea disguised themselves as employees of AERB and BARC and sent hacking emails to their chairmen and other senior experts.”
“Then Group B extorts the confidential documents from the NPP system. So the malware found in the NPP system is Group B’s malware,” he added.
Why Did They Attack Kudankulam?
According to tweets put out by IssueMakers Lab, the most likely motive for the attack was theft of information on thorium-based nuclear power.
“It looks like the KKNPP attack was not intended to cause destruction, only to extort the confidential data and reconnaissance. But if they intended to cause destruction, they would have done it by sending other malware.”
Simon Choi, founder, IssueMakers Lab
“We are not sure about their intention but it was a dangerous situation. North Korea may have wanted to collect the new NPP technology of India rather than destroying it and being opposed to India,” Choi told The Quint.
Corroborating this claim, Pukhraj Singh had told The Quint, “The remit of the actor was technology theft, but a motivated adversary hell-bent on power projection would have just waltzed in too.”
What Was The Impact?
The big question was, if North Korea-based actors have indeed launched a cyber attack whose remit was to steal intelligence and information, then were they successful in doing so?
Yes they were, according to Choi and other experts at IssueMakers Lab.
“We have found that NPP technology-related data has been taken. But we do not know what exactly has been taken from KKNPP.”
Simon Choi, founder, IssueMakers Lab
Cybersecurity researcher Anand Venkatanarayanan told The Quint that “D-Track is a data-theft malware. IssueMakers Lab has been tracking North Korea for a long time. All the data points, malware reverse engineering and the analysis along with the IP address used point very clearly to the North Korean involvement.”
“While attribution in Cyber is hard, this is as good as it gets. If we needed more confirmation, we would need human spies within the North Korean security establishment,” Venkatanarayanan added.
Who Are IssueMaker Labs?
Established in 2008, the South Korea-based IssueMakers Lab operates as a non-profit intelligence organisation comprising an expert group of malware analysts. According to the Lab’s Twitter bio, its experts have been researching North Korea’s cyber warfare capabilities since 2008.
The Lab provided intelligence that helped track down the malware and the hacking group, known as ‘Dark Seoul’, behind the massive cyber attack of 20 March 2013, which hit three broadcasting stations, a bank and other financial institutions in South Korea. “This group is the one that attacked KKNPP of India this time,” Choi said.
Cybersecurity expert Pukhraj Singh, who was the first to raise alarm bells about the cyber attack at KKNPP, said this of the South Korean organisation to The Quint:
“IssueMakers Lab have an impeccable record and have tracked the actor and its campaigns for long and have generated an informed intelligence assessment and timelines of its evolution.”
Pukhraj Singh, Cybersecurity Expert
Singh has served at the National Technical Research Organisation (NTRO), considered India’s version of the US National Security Agency (NSA).
The Lab’s website says that its members have spoken at major international hacking and security conferences such as BlackHat, DEFCON, CanSecWest, POC and ISEC. They have reached the DEFCON CTF finals and have won a variety of hacking contests.
(With inputs from Yujin Jung)