It has been uncovered by Electronic Times that the e-mail account information (IDs and passwords) of Korea Hydro & Nuclear Power (KHNP) employees had been circulated on an Internet information sharing website since five months before the hacking attack on KHNP and the disclosure of key data, such as nuclear power plant design drawings.
If the invasion to KHNP’s internal network had been made using KHNP employees’ IDs and passwords, not only that the traces of hacking are difficult to find, but also the hacker could have accessed the network without having to go through the complicated process of hacking KHNP network. There is also a likelihood that the attacker sent out e-mails containing malicious codes to the already disclosed e-mail addresses of KHNP employees without directly hacking the network and then planned additional crimes.
Electronic Times set out to find clues for the possibility of hacker’s internal network invasion immediately after the KHNP’s data leakage incident and secured a large amount of data containing KHNP employees’ IDs and passwords from an information sharing website Pastebin on the 23rd.
Of IDs and passwords of 4,885 people disclosed in this website, those of two people were for KHNP accounts (@khnp.co.kr). As a result of checking with KHNP, it was found that one of the two people was an employee of Muju Pumped Storage Power Station and the other was an employee working at the Uljin Thermoelectric Power Plant. These data were updated on July 1 and have been read by 583 people as of 17:00 on December 23.
Pastebin is a famous overseas website where everyone can freely upload and download various data and information. The cyber terrorists’ group that recently hacked Sony Pictures’ confidential information and pre-release movie files also disclosed the hacked data through Pastebin. As much as so, there is a possibility the 583 people that have read e-mail IDs and passwords of the 4,885 people included not only Korean Internet users, but also overseas criminals or hackers plotting a secondary crime.
The data list e-mail IDs and passwords of employees from Korea’s major enterprises and public institutes as well as people using famous web portals, such as Naver, Daum and Google. Although uploaded five months ago, this information is still exposed in Pastebin.
If the hacker had obtained this account in advance, it is possible that it took out KHNP data by accessing the company’s internal system through normal login process. In addition, it is presumed that the hacker have prepared additional cyber terrorism by sending e-mails containing malicious codes that are not easily detected to KHNP employees using the e-mail addresses, and thus infecting the employees’ PC.
“A possibility that the hacker has accessed KHNP system without leaving any traces by using the disclosed personal information cannot be ruled out,” said A, a security expert. “The attacker must have taken out internal documents from the operational network and created the malicious code, which was detected earlier this month, in order to access the nuclear power plant control network.”
At this, a KHNP insider said, “Although the IDs are of our employees, the passwords are different as KHNP password is comprised of nine digits.”
The attacker, which had been threatening the government by disclosing KHNP data four times, uploaded an additional drawing comprised of four files in Pastebin around 15:30 on the 23rd and announced the fifth data disclosure through Twitter. The additionally disclosed data are also a part of the schematic diagrams of Gori and Wolseong Nuclear Power Plants.
The attacker, which identified itself as a member of an anti-nuclear power plant group, mocked KHNP’s recent cyber response training situation and warned, “Evacuate residents living near nuclear power plants.”
Kim In-soon | insoon@etnews.com
