Cyber Incident Victim: Korea Hydro and Nuclear Power

Date: Dec 2014

Location: South Korea

Summary

South Korean authorities attributed a cyberattack on Korea Hydro and Nuclear Power to North Korean actors, citing similarities between the malware used and known North Korean tools such as kimsuky, and tracing the attack's network activity to northeastern China near the North Korean border. The attackers compromised non-critical systems via phishing emails targeting employees, exfiltrating personal data of over 10,000 workers and partial reactor blueprints, which were subsequently leaked alongside threats to sell proprietary nuclear reactor information. Demands included reactor shutdowns and financial payments, with the hackers posing as anti-nuclear activists on social media to disseminate stolen technical documents and escalate pressure through claims of possessing undisclosed malware and sensitive export-related nuclear data.

Description

The cyber incident targeting Korea Hydro and Nuclear Power (KHNP) began with a large-scale phishing campaign in December 2014, when attackers sent 5,986 malicious emails to 3,571 employees of the nuclear operator. This campaign delivered malware identified by South Korean authorities as sharing identical composition and operational characteristics with the "kimsuky" malware historically linked to North Korean state-sponsored hackers. The malware was compiled on a Korean-language configured system, a detail consistent with the 2014 Sony Pictures attack attributed to North Korea. Between December 15, 2014, and March 2015, attackers operating under the Twitter pseudonym "Who am I = No Nuclear Power" – claiming affiliation with an "anti-nuclear reactor group from Hawaii" – conducted six separate data leaks. Initial releases included personal information of 10,799 KHNP employees alongside technical documents such as reactor design specifications, hot water system blueprints from the Kori nuclear plant, and operational manuals for Monte Carlo simulations. The attackers simultaneously issued demands for monetary payment and the shutdown of three specific reactors, threatening "destruction" if unmet.

South Korean investigators traced attack-related internet traffic to IP addresses in northeastern China near the North Korean border, prompting formal collaboration requests with Chinese authorities. By March 2015, the Seoul Central District Prosecutor's Office publicly attributed the intrusion to North Korea based on malware forensic analysis and network tracing. Attackers escalated threats via Twitter, claiming possession of 9,000 additional undetected malware samples within KHNP systems and access to sensitive data on South Korea's indigenous reactor program. They explicitly threatened to sell this proprietary nuclear technology to buyers in Northern Europe, Southeast Asia, and South America, stating such action would undermine President Park Geun-hye's nuclear export initiatives. While South Korean officials maintained that only "non-critical" operational networks were compromised, the breach exposed significant volumes of personnel data and technical documentation. The attackers' persistent demands for reactor shutdowns and financial concessions remained unresolved at the time of the March 12, 2015, government disclosure, with no public confirmation of further data releases beyond the initial leaks.

Sources

1 source