A South Korean nuclear company became the source of headlines when it fell victim to an attack that resulted in the leak of company information, including employee information and plant blue prints. While the affected company, Korea Hydro and Nuclear Power Co (KHNP), has stated that the leaked data was “non-critical,” the incident continues to garner attention, especially with the looming deadline set by the attacker group.
Based on reports, the attackers sent an email to KHNP employees with an .HWP (Korean word processor) attachment labeled as “control program.” Opening the file triggers a chain of routines involving information theft and hard disk destruction via MBR wiper malware.
Using social media accounts, they began posting links to popular file hosting sites, which housed the stolen data. The attacks are suspected to originate from North Korea, given as the exchanges observed in the social accounts use local expressions. The disclosed data ranged from employee information to educational material to blue prints.
They also used these accounts to communicate with KHNP and to a broader extent, the public. For example, there were posts involving demands for a ransom. They also announced that they will continue to disclose data until the company shuts down several plants by Christmas Day. The group has also defaced the KHNP website.
This MBR wiper attack comes at the heels of the Sony hack, where MBR wiper malware also played a prominent role. MBR wiper attacks may not be as prominent in the threat landscape as other malware, but this doesn’t diminish its destructiveness. The malware destroyed personal computers in the KHNP.
The attackers also threatened to destroy the nuclear plant’s system should the plant’s management refuse to shut it down. It is possible for the attackers to physically damage or destroy the plant by causing system malfunction.
Both the Sony attack and the 2013 South Korean cyber attacks have shown just how crippling MBR wiper malware can be when used in attacks, especially those involving high profile targets.
We are currently looking further into this attack and we will update this entry if needed.
Like it? Add this infographic to your site: 1. Click on the box below. 2. Press Ctrl+A to select all. 3. Press Ctrl+C to copy. 4. Paste the code into your page (Ctrl+V).