Sensitive data leaked on the Darkweb poses a massive risk to the Nuclear Sector
Introduction
Cyble Research & Intelligence Labs (CRIL) has been observing and reporting about parallel cyber hostilities extending among various nations since the beginning of the Russia-Ukraine conflict in February 2022.
Apparently, Threat Actors (TAs), Hacktivist Groups, and Malicious attackers too have leveraged this war to widen their attack surface, targeting the Critical Infrastructure (CI) Sector and leaking sensitive documents, Personally Identifiable Information (PII) of employees and clients in various underground forums.
We have observed several cyberattacks on the CI sector has been due to organizations involved in the value chain of this ecosystem and emerging vulnerabilities.
Amalgamated in CI Sector, Nuclear Industries are strategic to energy sufficiency and nuclear deterrence in the growing concerns of Energy and National Security. CRIL is observing a rise in cybercrime activities targeting Nuclear Industry across the world.
Over the years, similar cyberattacks on Nuclear Facilities have been observed. For instance, the Dtrack attack on the Indian Nuclear facility in 2019, the Monju Nuclear Plant of Japan in 2014, and the Stuxnet attack on the Iran Nuclear Plant in 2010.
These attacks indicate that cyber threats to personnel engaged with nuclear facilities, organizations involved in the supply chain of nuclear materials, and attacks on assets of nuclear facilities such as workstations, Programmable Logic Controller (PLC), Supervisory Control and Data Acquisition (SCADA), are getting more sophisticated with each passing day.
Impacted Regions
CRIL research indicates through the following geographical representation that organizations associated with Nuclear Infrastructure were affected due to recent data breaches in 2022.
Event Timeline
The figure below shows the timeline of the leaks and access observed over the cybercrime forums and Darkweb from February 2022 till date:
Details of Leaked documents
| Country | Russia |
| Alleged Victim Organisation | Joint Institute for Nuclear Research |
| Alleged Data Content/ Access | SQL Dump, SMB Leaks, Private Gitlab, FTP Server Dump, Internal documents, Nuclotron Based Control and Diagnostics Systems (NICA) Booster Control and Diagnostic System, RDP Access to organizations associated with Nuclear Energy and Weapon Development |
Screenshots:
| Country | Taiwan |
| Alleged Victim Organisation | TaiPower |
| Alleged Data Content/ Access | Source Code |
Screenshots:
| Country | Brazil |
| Alleged Victim Organisation | Electric Utility Company in Nuclear Energy |
| Alleged Data Content/ Access | Sensitive Internal Documents, Supply chain-related documents, Client Data, Personal Identifiable Information (PII), Sensitive Blueprints and Diagrams, Financial Documents |
Screenshot:
| Country | Indonesia |
| Alleged Victim Organisation | Indonesia Nuclear Power Authority |
| Alleged Data Content/ Access | Operational and Strategic Plans, Employee Credentials, Personally Identifiable Information (PII), Private conversations |
Screenshot:
| Country | Iran |
| Alleged Victim Organisation | Iran Atomic Energy Organisation |
| Alleged Data Content/ Access | Email Systems, private conversations, confidential agreements, sensitive plans, confidential reports, Personally Identifiable Information (PII) |
Screenshots:
Note:
1. AEOI Statement on the Incident – Link )
2. Black Reward Hacktivist Group took claimed Responsibility for the attack
| Country | Thailand |
| Alleged Victim Organisation | Thailand Institute of Nuclear Technology |
| Alleged Data Content/ Access | Login ID, Passwords including admin credential, Personally Identifiable Information (PII), Admin Panels |
Screenshots:
| Country | India |
| Alleged Victim Organisation | Nuclear Power Corporation of India (NPCIL) |
| Alleged Data Content/ Access | Internal Servers, VPN Access, RDP Access |
Screenshot:
| Country | South Africa |
| Alleged Victim Organisation | Koeberg Nuclear Power Station |
| Alleged Data Content/ Access | Employee Credentials |
Screenshot:
Impact
Even though Nuclear Facilities are intended to be air-gapped, misconfigured networks, exposed assets, and vulnerable IT/OT devices with network and social engineering attacks can be considered critical elements when launching cyber-attacks.
Also, considering a large amount of confidential data and Personal Identifiable Information (PII) of critical sector organizations and employees working in Nuclear Facilities has been leaked on cybercrime forums. Hence, launching a successful cyberattack on these facilities might become more prevalent.
The recent fold of events on cybercrime forums indicates that the attackers can leverage this leaked information for further targeted attacks. The leaked information regarding types of devices, serial numbers, vendors, version details, firmware details, configuration details, network diagrams, tender documents, and employee details are a goldmine for attackers. These are key to developing specialized malware strains, reversing firmware to exploit zero-day vulnerabilities, and performing lateral movement within organizations dealing with nuclear infrastructure.
Conclusion
Safeguarding Nuclear Infrastructure from cyberattacks has been a concern for all nuclear nations for over a decade. However, the rise in data breaches in 2022 amplifies their worries due to the inherent risks associated with this data in the wrong hands.
Hence, it’s more imperative than ever before for the nuclear power industry to adopt a holistic approach in proactively identifying the underlying cyber threats emerging from deep and darkweb and mitigating them.
Recommendations
- Implement proper network segmentation to prevent attackers from performing lateral movement and minimize exposure of critical assets over the internet.
- Keep critical assets behind adequately configured and updated firewalls.
- Utilize Software Bill of Materials (SBOM) to gain more visibility into assets.
- Keeping software, firmware, and applications updated with the recent patches and mitigations released by the official vendor is necessary to prevent attackers from exploiting vulnerabilities.
- Implementing proper access controls within the IT/OT network.
- Organizations should always follow a strong password policy.
- Regular Audits, Vulnerability, and Pentesting exercises are key in finding security loopholes that attackers may exploit.
- Continuous monitoring and logging can help in detecting network anomalies early.
- Implement Multi-Factor Authentication wherever possible.
- Keep track of advisories and alerts issued by vendors and state authorities.
- Cyber security awareness training programs for employees within the organization.
