Korean Hydro & Nuclear power corporation facing “A Nightmare Before Christmas” as nuclear powerplant documents continue to leak


Attackers continue leaking critical internal documents from the KHNP, while threatening to begin “Secondary destruction” unless the investigations are stopped and the powerplants shut down by Christmas. The attackers have already leaked critical documents, including the blueprints of the Gori and Weolseong nuclear powerplants.

The KHNP is under fire for the attacks. They weren’t aware of any compromise until the leaks went public. Furthermore, even after realizing by December 18th that they had been compromised, they didn’t release any information about the situation. Before the leaks, the KHNP suffered an Advanced Persistent Threat attack which exploited a vulnerability in Haansoft Office’s word processor, resulting in the destruction of a few hard drives. The malware, contained in a malicious email attachment, destroyed the MBR on hard disks and caused the words “Who am I” to be printed on screen after a reboot. This attack was kept from the public until the police investigations began.

It also appears that the KHNP employed poor security practices. Though their network had been airgapped, the KHNP had provided contractors with the administrator username and password for their internal network. The attacker may simply have compromised one of the contractors, gaining access to the KHNP’s network with ease.

On December 21st, the KHNP announced that there was no evidence of a “hack”.

The timeline of the leaks is as follows.

Dec.15th 11:41 The attacker (Jenia John) creates a Facebook account, which he uses to announce the compromise.

Dec.15th 18:57 The attacker sends off thousands of emails containing malware from the email address “kdfifj1029@hotmil.com”.

Dec.15th 20:01 The first leaks begin. Personal information of KHNP employees is made public on a new Naver blog under a new Naver account, ‘tlsrk112’.

Dec.16th The attacker takes to Twitter. The blueprints of the Weolseong and Gori nuclear powerplants are leaked for the first time. The radioactivity evaluation report on residents near the powerplant is also leaked. Under the Twitter account “John_kdfifj1029”, the attacker tweets “KHNP Hacked!” and links to the leaked blueprints. The blueprints are hosted on Dropbox.

Dec.18th 15:22 The attacker sends an email to ETnews, telling the newspaper to check his blog for more information about the compromise. He claims to be the head of the Korean branch of an anti-nuclear society.

Dec.18th 17:40 ETnews contacts the KHNP, asking whether the leaks are real. Only then does the KHNP realize that it has been compromised. The police are contacted, and investigations begin.

Dec.18th 18:02 “John” posts “a warning to KHNP” on Twitter and links to the Naver blog. At 18:30, the blog is taken down by the police.

Dec.19th 03:30 The attacker posts more internal documents. The new leaks include the blueprints of the cooling system valves, screenshots of the KHNP’s internal control software such as the K-REDAP, the secret classification protocol, internal phone lines, and the phone numbers of employees.

Dec.19th The attacker posts another tweet. After claiming to be part of the “Who am I” hacker group, he states that “The virus could begin working at any minute”, “I have left no evidence of a breach, so don’t bother looking for it”, “The best Christmas present would be a safe environment without radioactivity”, and “I urge all residents who live near the nuclear powerplants to never come near the powerplants for the next few months”.

Dec.21st The attacker posts another tweet, leaking more information and mocking the KHNP. He states that “more than 100,000 documents are ready to be leaked”, “investigators, you are working hard. But if you want to investigate, do it properly”, “If you are going to excuse the KHNP, stop the investigation”, and “Shut down the 1st and 3rd reactors of the Gori powerplant as well as the 2nd reactor in Weolseong by Christmas. If my demands are not met, I will leak all the documents and begin secondary destruction.” The leaked information includes the final safety check report on the 3rd and 4th reactors of the Weolseong powerplant, the blueprints for the air conditioning system of the 1st and 2nd reactors of the Gori powerplant, and the MCNP version 5 user manual.

Sources

http://news.chosun.com/site/data/html_dir/2014/12/21/2014122100329.html
http://www.huffingtonpost.kr/2014/12/22/story_n_6363930.html
http://www.etnews.com/20141221000027
