On 2 January 2014 a systems administrator at the Monju fast breeder reactor facility in Japan noticed suspicious connections emanating from a machine in the control room, coinciding with a seemingly routine software update to a free media player. Among other items, staff training documents and more than 40,000 emails were stored on the machine and are thought to have been harvested by the attacker. The Japanese Atomic Energy Agency is investigating further.
The attack appears to have been the result of the attackers compromising the ‘GOM Player’ update server and having it act as a ‘watering hole’, meaning that machines which access the site are delivered malware. GOM Player originates in South Korea and in some parts of Asia it is a popular alternative to Windows Media Player. It is unclear whether every machine trying to download an update received this malware or whether only machines which fitted a certain profile were infected. Technical analysis of the implant on the compromised machine has shown it to be a variant of a Trojan which has been in the wild for some years now and continues to be effective. The ‘Gh0st RAT’ has been used extensively in attacks linked to the Chinese state, though it is important to remember that the code is publicly available and can be modified and used by anyone. The targeting of a Japanese nuclear facility, however, is consistent with Chinese state intelligence requirements. If this is the work of a Chinese group, then we feel the targeting may go much further than the civil nuclear sector and thus be of interest to the wider energy sector and industry as a whole.
In order to inform the energy sector and beyond about this attack, we have compiled a technical summary of the attack and have provided a number of Indicators of Compromise (IOCs) which can be used to aid detection. It is likely that the attackers will redeploy their implant against other targets, albeit with a delivery mechanism more tailored to the location of the intended victims.
The full analysis can be found in our Threat Advisory.