What would happen if someone hacked into a nuclear facility and spoofed a nuclear missile attack, forcing a retaliatory strike and threatening the lives of millions? The roadmap was laid out back in 1983, thanks to none other than Matthew Broderick and Ally Sheedy. While the movie “Wargames” reflected the heightened nuclear annihilation fears that ran rampant in the 1980s (“The Day After,” anyone? “Red Dawn”?), the threat of a cyber-nuclear security incident is perhaps more relevant today than ever before. And there are real-life examples that provide a practical foundation for those fears — from Stuxnet in 2010 to an Indian nuclear power plant breach in 2019.
In December 2014, Korea Hydro and Nuclear Power (KHNP) in South Korea suffered a significant cybersecurity incident that was ultimately blamed on their neighbors to the north. While the attack did not result in cyber-physical damage, it was yet another example of the danger nation-state actors pose to critical infrastructure and a confirmation that people are often the weakest link in the cyber chain.
The Korea Hydro and Nuclear Power attack
Attacks on nuclear facilities have long been a concern for obvious reasons, but these fears are usually centered around the threat of physical attacks, which have spurred regulation like the Energy Policy Act of 2005. However, as nuclear facilities and other plants become more automated and an increasing number of assets go online, cybersecurity is a growing concern. Look no further than Stuxnet in 2010, where a malicious computer worm targeted the supervisory control and data acquisition (SCADA) systems of Iranian nuclear facilities. This cyber weapon caused physical damage, destroying the centrifuges Iran was using to enrich uranium. Most reports pin the Stuxnet attack on motivated nation-state actors — specifically U.S. and Israeli intelligence agencies.
On Dec. 23, 2014, the Korea Hydro and Nuclear Power announced that its computer systems had been hacked. As so many attacks do, the KHNP breach began with a spear-phishing email sent to thousands of current and former plant employees. The email contained a malicious attachment that, when opened, infected the employee’s computer with malware, providing the hackers a foothold into KHNP’s internal network.
The threat actors were able to steal sensitive data, including designs and manuals for nuclear reactors, as well as noncritical data such as employee emails and training manuals. They then posted on Twitter: “Unless you stop operating the nuclear power plants until Christmas and give us $10 billion, we will continue to release the secret data related to the facility.”
KHNP initially denied that any sensitive data had been compromised, but later acknowledged that some data had been stolen. The South Korean government launched an investigation, with the U.S. Federal Bureau of Investigation (FBI) reportedly assisting.
The attack was ultimately attributed to a hacker group known as Kimsuky or DarkHotel, believed to be associated with the North Korean government. This was based on similarities to previous attacks and the use of a command-and-control server known to be used by the group. Pyongyang denied any involvement, but this was likely another example of the strained relations between the two countries.
While the attack did not result in any physical damage to KHNP’s nuclear reactors or other infrastructure, it did raise concerns about the security of South Korea’s critical infrastructure and the vulnerability of nuclear power plants to cyberattacks.
Managing nuclear cyber threat
As Stuxnet and other previous attacks have proven, the cyber-nuclear threat is very real, and likely escalating with nation-state actors continuing to target critical infrastructure. Hackers can not only compromise key technical information, as they did in the KHNP strike, but they can also impact physical operations — a scary thought when it comes to the nuclear sector. But, as with many critical industries, nuclear plants are not always as prepared as they could be.
According to the Nuclear Threat Initiative: “Across the nuclear sector worldwide, the technical capacity to address the cyber threat is extremely limited, even in countries with advanced nuclear power and research programs. Measures to guard against the cyber-nuclear threat are virtually nonexistent in states with new or emerging nuclear programs. Expertise in the field of nuclear cybersecurity is in short supply, and the International Atomic Energy Agency (IAEA), which provides countries with assistance and training in this area, does not have the resources necessary to address the growing threat.”
The KHNP attack led to increased awareness of the importance of cybersecurity in the nuclear industry and prompted KHNP and other companies to improve their security measures. The U.S. has taken some recent steps to harden the cyber stance of its nuclear facilities. The Cybersecurity and Infrastructure Security Agency offers several resources on their website, and updated their Nuclear Sector Cybersecurity Framework Implementation Guidance in 2020.
The KHNP incident also highlighted the need for international cooperation in responding to nuclear cyber threats. Although the information can be sensitive, it’s essential for the nuclear community to build relationships and assist each other as they try to mitigate the rising threat. The cost of doing otherwise is just too great. Even the computer in “Wargames” eventually concluded that mutually assured destruction is not the answer.