The South Korean government issued a report today blaming North Korea for network intrusions that stole data from Korea Hydro and Nuclear Power (KHNP), the company that operates South Korea's 23 nuclear reactors. While the government report stated that only "non-critical" networks were affected, the attackers had demanded the shutdown of three reactors just after the intrusion. They also threatened "destruction" in a message posted to Twitter.
In many ways, the cyber-attack bears hallmarks of the attack on Sony Pictures last year: the hackers have demanded an unspecified amount of money, claimed to be part of an activist group, and are threatening the release of more data if their demands—which include the shutdown of three nuclear plants—are not met. The malware used in the attack was spread in a wave of 5,986 phishing attacks, sent in e-mails to 3,571 KHNP employees. And the first release of data included personal information on 10,799 KHNP employees.
According to a statement issued today by the Republic of Korea's Seoul Central District Prosecutor's Office, "The malicious codes used for the nuclear operator hacking were the same in composition and working methods as the so-called 'kimsuky' malware that North Korean hackers use." The malware was compiled, like that used in the Sony attack, on a computer that was configured for the Korean language.