Cyble Nuclear Facilities SCADA ICS

CyberThreats Mushrooming over Global Nuclear Facilities

Sensitive data leaked on the Darkweb poses a massive risk to the Nuclear Sector

Introduction

Cyble Research & Intelligence Labs (CRIL) has been observing and reporting on parallel cyber hostilities spreading among various nations since the beginning of the Russia-Ukraine conflict in February 2022.

Threat Actors (TAs), hacktivist groups, and other malicious attackers have also leveraged this war to widen their attack surface, targeting the Critical Infrastructure (CI) sector and leaking sensitive documents and the Personally Identifiable Information (PII) of employees and clients on various underground forums.

We have observed that several cyberattacks on the CI sector have been enabled by organizations involved in the value chain of this ecosystem and by emerging vulnerabilities.

Within the CI sector, nuclear industries are strategic to energy sufficiency and nuclear deterrence amid growing concerns over energy and national security. CRIL is observing a rise in cybercrime activities targeting the nuclear industry across the world.

Over the years, similar cyberattacks on nuclear facilities have been observed: for instance, the Dtrack attack on an Indian nuclear facility in 2019, the attack on Japan's Monju Nuclear Plant in 2014, and the Stuxnet attack on an Iranian nuclear plant in 2010.

These attacks indicate that cyber threats to personnel engaged with nuclear facilities, to organizations involved in the supply chain of nuclear materials, and to the assets of nuclear facilities such as workstations, Programmable Logic Controllers (PLCs), and Supervisory Control and Data Acquisition (SCADA) systems are getting more sophisticated with each passing day.

Impacted Regions

CRIL research indicates, through the following geographical representation, that organizations associated with nuclear infrastructure were affected by recent data breaches in 2022.

Figure 1 - Geographical Representation of Impacted Countries

Event Timeline

The figure below shows the timeline of the leaks and access observed on cybercrime forums and the dark web from February 2022 to date:

Figure 2 - Timeline of Events

Details of Leaked documents

Country: Russia
Alleged Victim Organisation: Joint Institute for Nuclear Research
Alleged Data Content/Access: SQL dump, SMB leaks, private GitLab, FTP server dump, internal documents, Nuclotron Based Control and Diagnostics Systems (NICA) Booster Control and Diagnostic System, RDP access to organizations associated with nuclear energy and weapon development

Screenshots:

February 2022 – 1
February 2022 – 2
June 2022

Country: Taiwan
Alleged Victim Organisation: TaiPower
Alleged Data Content/Access: Source code
Reference: Pelosi Taipei visit incites Cyberattacks on Taiwan

Screenshots:

August 2022 – 1
August 2022 – 2

Country: Brazil
Alleged Victim Organisation: Electric Utility Company in Nuclear Energy
Alleged Data Content/Access: Sensitive internal documents, supply chain-related documents, client data, Personally Identifiable Information (PII), sensitive blueprints and diagrams, financial documents

Screenshot:

September 2022

Country: Indonesia
Alleged Victim Organisation: Indonesia Nuclear Power Authority
Alleged Data Content/Access: Operational and strategic plans, employee credentials, Personally Identifiable Information (PII), private conversations

Screenshot:

September 2022

Country: Iran
Alleged Victim Organisation: Iran Atomic Energy Organisation
Alleged Data Content/Access: Email systems, private conversations, confidential agreements, sensitive plans, confidential reports, Personally Identifiable Information (PII)

Screenshots:

October 2022 – 1
October 2022 – 2
October 2022 – 3
October 2022 – 4

Note:

1. AEOI Statement on the Incident – Link
2. The Black Reward hacktivist group claimed responsibility for the attack.

Country: Thailand
Alleged Victim Organisation: Thailand Institute of Nuclear Technology
Alleged Data Content/Access: Login IDs, passwords including admin credentials, Personally Identifiable Information (PII), admin panels

Screenshots:

March 2022
October 2022

Country: India
Alleged Victim Organisation: Nuclear Power Corporation of India (NPCIL)
Alleged Data Content/Access: Internal servers, VPN access, RDP access

Screenshot:

October 2022

Country: South Africa
Alleged Victim Organisation: Koeberg Nuclear Power Station
Alleged Data Content/Access: Employee credentials

Screenshot:

November 2022

Impact

Even though nuclear facilities are intended to be air-gapped, misconfigured networks, exposed assets, and vulnerable IT/OT devices, combined with network and social engineering attacks, are critical elements in launching cyberattacks against them.

In addition, a large amount of confidential data and Personally Identifiable Information (PII) belonging to critical sector organizations and to employees working in nuclear facilities has been leaked on cybercrime forums. Hence, successful cyberattacks on these facilities might become more prevalent.

The recent chain of events on cybercrime forums indicates that attackers can leverage this leaked information for further targeted attacks. Leaked information on device types, serial numbers, vendors, version details, firmware details, configuration details, network diagrams, tender documents, and employee details is a goldmine for attackers. It is key to developing specialized malware strains, reversing firmware to exploit zero-day vulnerabilities, and performing lateral movement within organizations dealing with nuclear infrastructure.

Conclusion

Safeguarding Nuclear Infrastructure from cyberattacks has been a concern for all nuclear nations for over a decade. However, the rise in data breaches in 2022 amplifies their worries due to the inherent risks associated with this data in the wrong hands.

Hence, it is more imperative than ever for the nuclear power industry to adopt a holistic approach to proactively identifying the underlying cyber threats emerging from the deep and dark web and mitigating them.

Recommendations

  • Implement proper network segmentation to prevent attackers from performing lateral movement and to minimize the exposure of critical assets to the internet.
  • Keep critical assets behind adequately configured and updated firewalls.
  • Utilize a Software Bill of Materials (SBOM) to gain more visibility into assets.
  • Keep software, firmware, and applications updated with the latest patches and mitigations released by the official vendor to prevent attackers from exploiting known vulnerabilities.
  • Implement proper access controls within the IT/OT network.
  • Always follow a strong password policy.
  • Conduct regular audits, vulnerability assessments, and penetration testing exercises to find security loopholes that attackers may exploit.
  • Perform continuous monitoring and logging to detect network anomalies early.
  • Implement Multi-Factor Authentication wherever possible.
  • Keep track of advisories and alerts issued by vendors and state authorities.
  • Run cyber security awareness training programs for employees within the organization.
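The segmentation, access-control and monitoring recommendations above can be turned into a concrete, checkable policy. The following is an added example (not code from Cyble or from any facility discussed here) that assigns IP addresses to IT, jump and OT zones, encodes an allow-list in which RDP into the OT zone is permitted only from jump hosts, and audits a set of constructed flow records for violations such as direct corporate-to-OT RDP or an OT protocol port reachable from the internet. The zone ranges, ports, allow-list and sample flows are all assumptions chosen for illustration.

```python
# Added example: zone-based policy audit for IT/OT network flow records.
# Zone ranges, the allow-list and the sample flows below are constructed
# assumptions for illustration, not data from any real facility.
import ipaddress
from typing import Optional

# Internal zones; any address outside these ranges is treated as "internet".
ZONES = {
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "jump":      ipaddress.ip_network("10.20.0.0/24"),
    "ot":        ipaddress.ip_network("192.168.100.0/24"),
}

# Allow-list keyed by (source zone, destination zone) -> permitted TCP ports.
# None means any port is allowed within that pair; a missing pair is denied.
# RDP (3389) reaches OT only via the jump zone, which is the segmentation
# point the recommendations call for.
ALLOW = {
    ("corporate", "corporate"): None,
    ("corporate", "jump"):      {3389},
    ("jump", "ot"):             {3389, 502},
    ("ot", "ot"):               None,
}

# Common OT protocol ports, used only to label findings more precisely.
OT_PROTOCOL_PORTS = {
    502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm",
}


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything not in ZONES is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def check_flow(src: str, dst: str, dport: int) -> Optional[str]:
    """Return a finding describing the policy violation, or None if allowed."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    allowed = ALLOW.get((src_zone, dst_zone), set())
    if allowed is None or dport in allowed:
        return None
    proto = OT_PROTOCOL_PORTS.get(dport)
    label = f" ({proto})" if proto else ""
    if dst_zone == "ot" and src_zone == "internet":
        return f"OT asset {dst} exposed to internet on {dport}{label}"
    if dst_zone == "ot":
        return f"{src_zone} -> ot {dst}:{dport}{label} bypasses jump zone"
    return f"{src_zone} -> {dst_zone} {dst}:{dport} not in allow-list"


def audit(records: list) -> list:
    """Audit 'src,dst,dport' lines (e.g. a flow export) and collect findings."""
    findings = []
    for line in records:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, dport = line.split(",")
        finding = check_flow(src, dst, int(dport))
        if finding:
            findings.append(finding)
    return findings


# Constructed flow records: two legitimate RDP hops via the jump host, one
# direct corporate-to-OT RDP session, one OT Modbus port reached from the
# internet, intra-OT Modbus traffic, and RDP to the jump host from outside.
SAMPLE_FLOWS = [
    "# src,dst,dport",
    "10.10.5.23,10.20.0.5,3389",
    "10.20.0.5,192.168.100.10,3389",
    "10.10.5.23,192.168.100.10,3389",
    "203.0.113.7,192.168.100.20,502",
    "192.168.100.10,192.168.100.20,502",
    "203.0.113.9,10.20.0.5,3389",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print("VIOLATION:", f)
```

Run against the constructed records, the audit reports three violations: the direct corporate-to-OT RDP session, the Modbus port exposed to the internet, and RDP to the jump host from an external address. In practice the allow-list would be derived from the documented firewall policy and the records from a flow collector or firewall log, so that the same check runs continuously rather than once.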