North suspected in nuke hacking

Suspicions snowballed Thursday that North Korea was behind the recent hacking into South Korea’s nuclear power plants as an investigation traced the cyberattack’s origin to a Chinese city that has long served as a hub for North Korean hackers.

An investigation was launched after an unidentified hacking group released online documents detailing blueprints from the nation’s nuclear power plants. The hackers, who call themselves an “antinuclear power group,” hacked into the network of the Korea Hydro and Nuclear Power Corporation (KHNPC) and released the files on five different occasions starting Dec. 15.

A joint government investigation team led by the Seoul Central District Prosecutors’ Office said Thursday that the hackers sent emails containing about 300 different types of malware using email accounts of retired KHNPC employees.

“The hackers used Internet protocol [IP] addresses from Shenyang, China, and sent thousands of emails to hundreds of workers at the KHNPC on Dec. 9,” said an official from the joint investigation team. “The emails had various titles that were related to the company’s work.”

The official said investigators are questioning the retired workers whose email accounts were used in the cyberattacks. They believe the hackers hijacked the accounts to send the malware.

The investigation team is analyzing the malware to find out if it spread into the operational networks of the nuclear plants. Some of the malware was designed to destroy hard disks, a tactic used in cyberattacks on media companies and financial institutions in 2013.

The investigators suspect that the sender of the emails is the same person or group that released blueprints and other documents of the nuclear plants earlier this month.
A prosecution source said the emails were sent using a similar method employed when the nuclear plant documents were posted online by the hacking group.

According to the source, the emails were sent from about 20 IP addresses provided by three virtual private network (VPN) companies. A VPN company allows a user to make secure connections to private and public networks such as the Internet.

When the hackers posted key nuclear plant documents online, they used IP addresses provided by the same VPN services.

Prosecution sources also said the IP addresses used to send the emails with malware attachments and those used to make public the nuclear plant documents over the past weeks both accessed the Internet from Shenyang, China. The capital city of Liaoning Province is known as a stronghold of hackers deployed by North Korea’s Reconnaissance General Bureau. South Korean authorities say the North has dispatched agents to Shenyang for years to stage cyberattacks against the South.

According to the prosecution, the hackers’ group used IP addresses from Shenyang to make 200 connections to the Internet. After posting its first warning on Dec. 15, the hackers’ group made public 24 files including blueprints from the nuclear plants as well as a confidential thermal-hydraulic system analysis, Safety and Performance Analysis Code, known as SPACE. The prosecutors asked for cooperation from Chinese authorities to confirm the subscriber information from the Chinese VPN providers.

“The culprits joined the service two years ago,” a prosecution source said. “It appeared that they had planned this meticulously for a long time.”

While the official from the investigation team said Thursday, “We cannot confirm nor deny the North’s involvement in the case,” the minister of justice spoke more strongly about a possible link to Pyongyang.

Justice Minister Hwang Kyo-ahn said Wednesday that South Korean authorities are investigating a suspicion that North Korea is the culprit.
He made the comment at a Legislation and Judiciary Committee meeting at the National Assembly.

In addition to the digital footprints leading to Shenyang, speculation about the North’s connection grew because the hackers used a North Korean colloquial expression in their postings.

Meanwhile, no anomalies were reported at the nuclear plants as of Thursday afternoon despite the hackers’ warning that their operations would be stopped. Starting Wednesday, the government and the KHNPC started emergency monitoring of the situation. The hackers’ group threatened that the three nuclear reactors in Gori and Wolseong must be shut down by Christmas or they would reveal more files and carry out a second attack.

“It will be a Fukushima,” they warned, referring to the disaster at Japan’s Fukushima Daiichi nuclear power plant prompted by an earthquake and tsunami in March 2011.

The Ministry of Trade, Industry and Energy and the KHNPC said they will continue the emergency watch until Friday 2 p.m., which is midnight Thursday in New York, since the hackers earlier said they were based in the United States. The KHNPC also said it conducted a drill on Wednesday for the worst possible scenario. The nuclear plant operator said even if the digital network that controls the reactors is manipulated by hackers, the system can be put into analog mode and workers can manually shut down the reactors.

BY JUNG HYO-SIK, SER MYO-JA [myoja@joongang.co.kr]