In December 2014, the Democratic People’s Republic of Korea (DPRK or North Korea) cyber group Kimsuky conducted an attack on the Republic of Korea’s (ROK or South Korea) Korea Hydro and Nuclear Power (KHNP), leaking personal information of 10,000 employees, reactor blueprints, manuals, electricity charts, radiation methods and more. At the time of the attack, KHNP was the sole operator of the ROK’s nuclear power plants, which supplied about 35 percent of the ROK’s electricity through its 23 nuclear reactors. While the attack did not directly affect power plant control systems, the case was the first time North Korea had targeted a civilian-controlled nuclear element of South Korea’s critical infrastructure, and it prompted major revisions to ROK cybersecurity policy.
Despite the impact of the 2014 KHNP hack on South Korea, it has figured minimally in English-language cybersecurity literature. This case study analyzes this incident, shedding light on Kimsuky’s apparent intent and motivations, the incident’s significance, subsequent ROK policy changes, and areas for further improvement in ROK cyber policy. These findings highlight the need for the ROK government to implement better information-sharing mechanisms, allow for private sector input into cybersecurity policies, and adopt a proactive cybersecurity approach.
Methodology
This case study was conducted in three phases: 1) scoping interviews with cybersecurity experts to probe the viability of the research and scope of the topic; 2) open-source research and formal interviews with Dr. So Jeong Kim (Senior Research Fellow at the Institute for National Security Strategy (INSS)), Martyn Williams (Senior Fellow with the Stimson Center’s 38 North Program), and Sungjae Lee (Principal Analyst at Mandiant/Google Cloud, based in Seoul), which yielded new evidence and insights into the case; and 3) analysis of secondary sources to contextualize DPRK threat actors’ motivations, outline the key factors that influenced subsequent ROK policy changes, and identify areas for further improvement in ROK cybersecurity policy.[1] As with most research regarding cyber operations and the DPRK, the scarcity of publicly available information posed a challenge, making expert insights particularly important. This was especially true for the period from 2014 to 2022 when the Moon Jae-in administration in South Korea was reluctant to publicly attribute cyber operations to North Korea for political purposes.
The Case: The 2014 KHNP Hack
In 2013, North Korea used the DARKSEOUL malware to paralyze ROK broadcasting stations, banks and government sites after its long-term espionage campaign, Operation Troy. The malfunction of high-profile systems, as well as the subsequently revealed theft of information, led to public alarm and awareness of DPRK cyber threats. KHNP, among other companies, recognized the cyber vulnerabilities that the incident revealed and took precautionary steps to defend against potential cyberattacks on its nuclear reactors, such as separating its internal computer network from the Internet, dividing nuclear plant control systems from internal computer networks, sealing the USB ports on nuclear power plant control systems, and restricting both systems’ access to the Internet.
In December 2014, however, despite those precautionary steps, KHNP was hacked. Kimsuky used a Twitter account named “president of anti-nuclear reactor group” to post sensitive documents and blueprints from KHNP and threatened to leak more information unless specific reactors in Gori and Wolseong were shut down by Christmas. KHNP claimed that the intrusion did not compromise the safety of its reactors and that the leaks did not contain core technology information.
While Kimsuky only stole non-critical data, any cyberattack on public utilities, transport, and power systems is treated as a national security concern. As such, ROK President Park Geun-hye ordered inspections of the safety systems at all national infrastructure facilities.
According to subsequent reporting, Kimsuky hackers most likely hijacked the email accounts of retired KHNP employees and sent emails with malware to current employees. The emails used 20 IP addresses provided by three VPN companies based in Shenyang, the capital of Liaoning Province in China and a long-time hub for DPRK hackers. The same IP addresses were later used to post the stolen documents on social media. The Seoul Central District Prosecutors’ Office led a joint government investigation and released an official statement: “The malicious codes used for the nuclear operator hacking were the same in composition and working methods as the so-called ‘kimsuky’ that North Korean hackers use,” attributing the attack to the DPRK.
The emails included an attachment labeled “control program” formatted as a Hangul Word Processor (HWP) file, a format that the ROK government and companies widely use. Kimsuky exploited a previously unknown vulnerability—also called a zero-day—in HWP (CVE-2015-6585), which made it possible for malicious HWP documents to install copies of a backdoor called HANGMAN onto infected systems. Such backdoors allow adversaries to control systems from a remote server, upload and download files, manage the file system, gather information, update configurations, and encrypt their communications with Secure Socket Layer (SSL).
When victims opened the .HWP attachment, a master boot record (MBR) wiper detected as TROJ_WHAIM.A was deployed to KHNP systems. Wipers are a type of malware that delete data beyond recovery, and an MBR wiper specifically overwrites the MBR, the first sector of a disk, which holds the boot code and partition table needed to start the system. TROJ_WHAIM.A overwrote specific types of files, destroyed hard disks, and automatically ran every time the system restarted.
The MBR-wiping behavior of TROJ_WHAIM.A resembled the routine triggered by the MBR wiper in the 2014 Sony hack, which is widely attributed to the DPRK.[2] The similarities between the behavior of the two malware samples led a joint government investigation team to monitor KHNP systems through the end of 2014, previewing consequential shifts in ROK cybersecurity policies and the importance of this incident.
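The destructive effect of an MBR wiper described above can be checked for by parsing the first 512-byte sector of a disk and comparing it against a known-good baseline. The following is an added example, not code from the article or from any investigation it cites; the sample MBR is constructed inline and the function names are the author's own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"      # last two bytes of a valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte partition entries follow the boot code


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot-code hash, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings that indicate the MBR has been wiped or tampered with."""
    parsed = parse_mbr(sector)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten")
    if not parsed["partitions"]:
        findings.append("partition table empty: partition entries destroyed")
    if parsed["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline: bootstrap code modified")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: dummy boot code, one bootable NTFS partition, valid signature."""
    boot_code = bytes([0xEB, 0x63, 0x90]) + b"\x00" * (PARTITION_TABLE_OFFSET - 3)
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    healthy = build_sample_mbr()
    baseline = parse_mbr(healthy)["boot_code_sha256"]
    print("healthy:", assess_mbr(healthy, baseline))          # []
    print("wiped:", assess_mbr(bytes(MBR_SIZE), baseline))    # three findings
```

On a live system the sector would be read from the raw disk device and the baseline hash recorded at provisioning time, so that a zeroed or overwritten MBR is flagged before the next reboot fails.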
DPRK Cyber Activity Motives
Assessing DPRK motives for its cyber operations against ROK targets requires an examination of its numerous attacks. Below is a table of notable DPRK cyberattacks in South Korea between 2013 and 2016 to help understand DPRK motives.
Notable DPRK Cyberattacks in South Korea, 2013–2016.
Date | Targets | Description |
March 2013 | Three major broadcasters; three banks: Shinhan, Nonghyup, Jeju; two insurance firms | After a four-year espionage campaign, Operation Troy, Kimsuky conducted a disruptive attack; bank customers’ records were not compromised. |
April – September 2013 | ROK think tanks; ROK government | DPRK hackers infected machines using spear phishing emails that were meant to steal passwords, security details, HWP documents and other information. |
March – August 2014 | Seoul Metro’s servers | North Korea infiltrated and leaked data of a subway operator that, at the time, served more than five million passengers per day. |
December 2014 | KHNP | Kimsuky hackers likely hijacked the email accounts of retired KHNP employees and sent emails with malware to current employees to steal sensitive but non-critical information. |
October 2015 | National Assembly, Ministry of Unification, Presidential Office | ROK National Intelligence Service (NIS) attributed the hack to the DPRK Reconnaissance General Bureau, the country’s intelligence agency. NIS discovered DPRK IP addresses behind hacking attempts, two of which succeeded in infiltrating National Assembly members’ personal computers. |
July 2016 | ROK government officials, journalists, and professors who specialize in DPRK affairs | A DPRK organization hacked into email accounts using spear phishing that tricked victims into providing passwords. At least 56 email accounts were compromised. |
September 2016 | Daewoo Shipbuilding and Marine Engineering | DPRK actors stole classified documents concerning the design and performance of ROK naval vessels, Aegis weapons systems, submarine missile technology, and more. The incident occurred around the time North Korea began constructing a new generation of submarines. |
From one angle, DPRK cyber activity from 2013 through 2016 indicates a keen interest in the collection of sensitive diplomatic, technical and security information. However, as 38 North’s Martyn Williams suggests, the 2013 Operation Troy and the 2014 subway operator hack were high-profile attacks that the government could not hide from the public.[3] These operations were likely intended for just that purpose—to cause public alarm—as they had little practical impact beyond that.
The KHNP hack appears to have had dual motivations of both espionage and causing public alarm. Kimsuky stole electricity charts, radiation estimates, reactor designs, nuclear plant blueprints, and a confidential thermal-hydraulic system analysis known as the Safety and Performance Analysis Code (SPACE). The detailed technical information on the design and operation of nuclear reactors could help North Korea move closer to achieving its long-standing goal of building a domestic nuclear power program. By posting the stolen documents online, Kimsuky was able to demonstrate the success of the operation and raise concerns about the facilities’ vulnerabilities. If KHNP had not taken precautionary cybersecurity measures in 2013, more impact could have been possible.
ROK Policy Changes
While the KHNP hack is not nearly as well-known in the United States as the 2014 Sony attack, the aftermath drew great attention in South Korea and triggered a significant transformation in ROK cyber policy. According to INSS’ Dr. So Jeong Kim,[4] the KHNP hack was one of two DPRK attacks that prompted ROK authorities to revisit their cyber policy, the other being the 2016 Bank of Bangladesh SWIFT attack.[5] She shared three reasons the KHNP hack was especially impactful: 1) it heightened concerns that cyber actors could cause a major nuclear incident in South Korea; 2) the targeting of a civilian-controlled facility highlighted how nation-state attacks are not confined to the military realm; and 3) targeting critical infrastructure revealed the vulnerability of ROK power systems.
Google Cloud’s Sungjae Lee agreed that the 2014 KHNP hack raised the ROK government’s cybersecurity awareness, citing the leak of the plant blueprints and the malware’s MBR wiper capability, which could have enabled a denial-of-service attack on critical infrastructure.[6]
Recognizing the gravity of these attacks, the government swiftly implemented several policy, academic and structural changes, including the establishment of the Cybersecurity Training and Education Center (CSETC). The CSETC hosts academic conferences on cybersecurity and provides training to improve technology-related information-sharing.
Additional policies were implemented in 2015 as well. For the first time, the Office of the President appointed a cybersecurity advisor under the new National Cybersecurity Status Building Measures. South Korea established the Financial Security Institute (FSI), which operates an information-sharing and analysis center, employs a specialized security system to detect cyber threats to the financial sector, and identifies potential vulnerabilities in the financial environment. The ROK National Assembly enacted the Act on the Promotion of Cybersecurity Industry, which directed the Minister of Science and Information and Communication Technology to create a plan every five years to foster an environment in which individuals can safely use information and communication technology and to strengthen the economic competitiveness of the industry.
Dr. Kim believes that the KHNP hack brought cybersecurity to the attention of the ROK’s highest levels of political leadership. For instance, the July 2014 National Security Strategy identified cyberattacks as serious threats but did not outline policy goals or suggest changes. By 2019, South Korea had issued a National Cybersecurity Strategy, which identified specific cyberspace tasks and goals.
KHNP also signed an agreement with the US Utilities Service Alliance in December 2021 to cooperate in developing innovative solutions that enhance nuclear power plant safety and performance. The deal provides for safety exchanges, maintenance technology and equipment sharing, and formal collaboration on improving safety practices and performance.
Policy Implications Going Forward
South Korea’s policy changes after the KHNP hack have significantly improved the country’s cybersecurity posture. Yet, there are three areas where further improvement in ROK cybersecurity policy and culture is necessary: 1) information-sharing requirements and agreements, 2) private sector engagement in cybersecurity policymaking, and 3) a proactive approach to cybersecurity.
First, information-sharing is crucial for researchers, analysts, and the government to confront ongoing intrusions, develop defense mechanisms, prevent future similar attacks, as well as to help identify the DPRK’s underlying motivations. Despite information-sharing initiatives like CSETC conferences and trainings, structural impediments remain. For instance, there is a lack of cyber incident reporting requirements, so when an incident occurs in South Korea, private companies are generally unwilling to share details for fear of exposing valuable internal information to competitors.
Requiring timely sharing of cyber incidents could help create a culture of greater openness in South Korea, which could lead to more public discussion and analysis of cyberattacks. Simultaneously, the ROK and US governments should encourage more agreements like the one signed by KHNP and the US Utilities Service Alliance to better engage the private sector in information-sharing.
Currently, South Korea does not have a system that allows private companies to provide input on cybersecurity policymaking, largely because the government oversees the majority of the ROK’s critical infrastructure, such as energy, water and transportation. However, in 2021, there was a four percent decrease in DPRK cyberattacks on the ROK public sector and a 13 percent increase in attacks against the private sector compared to 2020. This trend will likely persist as North Korea continues to expand its cybercrime operations to help fund its weapons program, because the targets of cybercrime are typically individuals or the private sector. In 2023, Kimsuky demonstrated an increased focus on cryptocurrency-related cyber activity. Thus, considering the private sector’s experience and information when updating cybersecurity policies is becoming increasingly important.
Finally, South Korea remains reactive on cybersecurity. It needs to be more proactive in developing policies, because cyberspace is a constantly changing threat environment that gives inherent advantages to attackers and requires defenders not only to respond to attacks but also to anticipate how the threat may evolve. After Operation Troy, KHNP instituted defensive measures. After the KHNP hack, CSETC was established. Learning from past incidents and updating policies in response are important, but they are insufficient on their own to prevent future intrusions. South Korea should adopt its own version of the US Defend Forward strategy, which entails persistent engagement with adversaries, information-sharing with allies and partners about cyber threats, assistance to allies in need or under attack, attribution of attacks to malicious actors, and the imposition of costs to punish adversaries.
Conclusion
The 2014 KHNP hack marked a pivotal turning point for ROK cyber policy. While North Korea’s Kimsuky succeeded in stealing sensitive information and publicly demonstrating the vulnerability of the ROK nuclear energy industry to cyberattacks, the incident also served as a wake-up call to ROK authorities about the need to bolster the country’s cybersecurity and cyber defense capabilities. The policies, strategies and institutions established after the KHNP hack are a testament to its importance. Nevertheless, as the cyber threat is constantly evolving, there is more to do. South Korea must take further steps to facilitate information-sharing, allow private sector engagement in cybersecurity policymaking, and become more proactive in its approach to cyber defense.