Spear-phishing and malware at the root of the intrusion.

From November 2015 to June 2016, hackers targeted researchers at the University of Toyama’s Hydrogen Isotope Research Center, the University told Japanese media.
Officials said the attacker managed to steal files on multiple occasions, taking both research data and the personal details of nuclear scientists.
Malware infection occurred after spear-phishing attack
According to University officials, the attackers sent spear-phishing emails to several researchers working at its nuclear research laboratory.
Investigators traced the first malicious email to November 24, 2015. A researcher’s computer was compromised in late November with a malware strain that collected data from his workstation and sent it to an online server.
Officials say the malware first exfiltrated data from the University’s network in December 2015. They say the attackers created over 1,000 archived files, which they then sent via an encrypted channel to their online server. Because the files and the transfers were encrypted, investigators don’t know what the attackers stole during this initial attack.
Attackers stole data in December 2015, March 2016, and June 2016
The attackers then collected another series of files, which they also compressed in smaller archives and exfiltrated in March 2016.
For this transfer, investigators say they were able to determine that the attackers collected data related to research into how to remove contaminated water discharged from the Fukushima No. 1 nuclear power plant.
When the attackers stole a third batch of files, in June, an external entity noticed the suspicious data transfers and notified the research lab.
Attacker posed as a Tokyo university student
A subsequent investigation revealed that the attackers posed as a Tokyo university student who asked one of the Toyama researchers to answer some questions. The questions were delivered via a malware-laced document attached to the email.
Investigators believe the attacker managed to steal over 59,000 files in total. They also say the malware samples they analyzed were pre-programmed to search the victim’s computer for the term IAEA, which is the UN’s International Atomic Energy Agency.
Last week, Yukiya Amano, head of IAEA, revealed that an unknown entity also targeted a German nuclear power plant with a disruptive cyber-attack in 2014.
Toyama University is a world leader in tritium research
The University of Toyama’s Hydrogen Isotope Research Center is one of the world leaders in tritium research.
Tritium, also known as Hydrogen-3, is a radioactive isotope of hydrogen that is an important fuel for controlled nuclear fusion, but also a key component of hydrogen bombs.
Besides information on the lab’s tritium research, investigators said the attacker also stole the personal details of 1,493 researchers with whom Toyama researchers kept in contact.