Interim Investigation Results of the KHNP Cyber Terrorism Case (한수원 사이버테러 사건 중간수사결과)

2015-03-18 KRSPO Interim investigation results of KHNP cyber terrorism case

http://large.stanford.edu/courses/2017/ph241/min1/docs/min_ref1.pdf

Attachments

min_ref1.pdf (882 KB)

Korean prosecutors reported that attackers sent 5,986 destructive-malware emails to 3,571 KHNP employees in December 2014, but only eight PCs were infected and five hard disks were initialized, with no impact on nuclear plant operations or safety. The intrusion preparation relied on phishing KHNP-related email accounts, collecting passwords, and stealing documents from employee, retiree, and contractor email accounts rather than directly exfiltrating core internal plant systems. Investigators said the malware and Hangul Word Processor exploit closely resembled Kimsuky-family tooling, and they linked activity to Chinese Shenyang IP ranges, a Korean VPN provider, and traces of North Korean and KPTC-assigned IP access to that VPN. The case mattered because the actor used leaked documents and public threats against nuclear infrastructure to create social anxiety after the destructive email attack largely failed.