Malware files emailed to nuclear plant workers
Authorities investigating the hack into South Korea’s nuclear plants reported on Friday that the emails containing malware sent to workers over a four-day period were intended to destroy internal files.
The discovery came after it was earlier reported that emails with malware were sent to hundreds of workers at Korea Hydro and Nuclear Power Corporation (KHNP) on Dec. 9 using email accounts of retired employees. It is believed that the hackers hijacked the accounts to send the malware.
It has been confirmed that the email accounts of 55 retired workers were used to send 211 emails with malware attachments, according to prosecutors.
The investigation team said the emails contained malware designed to destroy hard disks rather than to steal internal information from hacked servers.
The finding gives weight to suspicions that the blueprints detailing the domestic nuclear power plants were leaked before Dec. 9, as it appears that the destructive emails were aimed at corrupting files in the servers. The hackers, who call themselves an “antinuclear power group,” hacked into the KHNP network and released documents on five different occasions starting Dec. 17. The documents detailed blueprints related to the country’s Gori and Wolseong nuclear plants.
Suspicions that North Korea was behind the recent hacking into South Korea’s nuclear plants snowballed after investigators traced the origin of the cyberattack to Shenyang, in China’s Liaoning Province, a city that has long served as a hub for North Korean hackers.
In addition to the digital footprints traced back to Shenyang, suspicions about a possible North Korea connection have also grown, particularly because the hackers used North Korean colloquialisms in their posts.
The investigation team also discovered that the hackers used the same IP addresses to send the emails with malicious attachments and post hacked internal information online. The leaked data included floor maps and cooling systems.
A senior government official said on Friday that it was reasonable to suspect that North Korea is the culprit in the cyberattack against KHNP, citing a tactic typically used by the regime.
“The way in which these hackers carried out the campaign, by releasing one bit of information at a time and more in the next few days, is typical of the way North Korea engages in psychological warfare,” said the official, who requested anonymity.
“Having watched what has unfolded so far, it is difficult to suspect someone else besides Pyongyang for what has been done. … As far as I know, the government has ground to believe it was perpetrated by North Korea.”
The government and KHNP have been monitoring the situation since Wednesday. The hackers’ group previously warned that if the three nuclear reactors in the Gori and Wolseong nuclear plants were not shut down by Dec. 25, they would post more files and carry out a second attack.
BY KANG JIN-KYU, SHIN YONG-HO