In a recent report, researchers revealed that cybercriminals were targeting and breaching the nuclear sector systems of multiple nations. According to a post by Cyble Research & Intelligence Labs (CRIL), a string of cyberattacks has been noticed impacting Taiwan, Iran, Brazil, Indonesia, Russia, and South Africa. These cyberattacks have been observed since February this year following the outbreak of the ongoing war between Russia and Ukraine.
It is speculated that cybercriminals and hacktivists are using the Russo-Ukrainian war to leverage their attacks in targeting the critical infrastructure of several nuclear-enabled nations. Some of the targeted entities were as follows:
- The source code from the ‘TaiPower’ organization from Taiwan.
- Email data, private chats, confidential agreements, plans, reports, and personally identifiable information (PII) from the ‘Iran atomic energy organization’ from Iran.
- From the Brazilian organization ‘Electric utility company in nuclear energy’ documents such as client data, PII, blueprints, diagrams, financial documents, and supply chain data were stolen.
- From the ‘Koeberg nuclear power station’ in South Africa, employee credentials were leaked.
- India was targeted by breaching the systems of the ‘Nuclear power corporation of India (NPCIL).’
- Thailand suffered a cyberattack on its systems from the ‘Thailand institute of nuclear technology’ wherein PII, admin panels, and login details including admin credentials were breached.
- The ‘Indonesian nuclear power authority’ suffered a breach of operational and strategic plans, employee credentials, PII, and private chats.
- Russian organization the ‘Joint institute for nuclear research’ was targeted with SQL dump, SMB, private GitLab, FTP server dump, internal documents, nucloton-based control, and diagnostic system data and RDP access to the organization linked with nuclear and weapon development getting breached.
In their report, CRIL researchers uploaded the stolen nuclear power-related documents between February and November this year. Russia was targeted in February, Taiwan in August, Brazil in September, Iran, India, Thailand, Indonesia in October, and South Africa in November. They pointed out that despite nuclear facilities being under extreme surveillance with absolute cybersecurity measures out in place, hackers are entering the critical infrastructure space to widen its impact.
Cybercriminals and hacktivist groups may be violating misconfigured networks, exposed assets, and vulnerable IT/ OT devices using social engineering attacks keeping the target activity in view. So far, enormous nuclear power data has been leaked on the cybercrime forum which makes it imperative to delete the data and fill the loopholes allowing cybercriminals to enter its facility. Some suggestions CRIL researchers made were:
- Opt for Software bill of materials (SBOM) for better visibility into assets.
- Incorporating adequate network segmentation to reduce lateral movement.
- Store critical assets within updated firewalls that are adequately configured.
- Make sure all the software, firmware, and applications are updated with the most recent patches.
- Keep an eye out on vendor and state advisories.
- Monitor access control within the IT/ OT networks.
- Maintain the required caution in password hygiene.
- Opting for multi-factor authentication if not done already.
- Regularly auditing and pentesting to detect loopholes in the security systems.
- Check network anomalies by frequently logging in.
- Train and opt for cybersecurity awareness drills for staff.
