Paper details

Analysis of Threats to Nuclear Facilities Using PoisonTap Report

  • Language: ENG
  • URL: https://db.koreascholar.com/Article/Detail/430724
Abstracts of Proceedings of the Korean Radioactive Waste Society (한국방사성폐기물학회 학술논문요약집)
Korean Radioactive Waste Society (한국방사성폐기물학회)
Abstract

On April 28, 2022, a North Korean hacker (operator) recruited an active-duty officer, paying in virtual currency, to steal military secrets and attempted to hack the battlefield network; during the investigation it was revealed that he had tried to use PoisonTap. This paper analyzes whether such events pose a threat to nuclear facilities. PoisonTap is a tool written in Node.js, loaded onto a Raspberry Pi Zero and weaponized. When it is connected to a target PC through a USB or Thunderbolt port, the target PC can be taken over in about a minute. The materials PoisonTap requires are a Raspberry Pi Zero, a USB expansion port that can be connected to the target PC, storage for the code to run from (about 12 MB of code), and the Node.js code that is weaponized, so it can be built without much difficulty. PoisonTap’s functionality allows cookies and sessions to be stolen through hijacking and allows remote access by exposing internal routers to the outside. One reason PoisonTap works is that network devices are connected directly to the computer without any conditions. A larger problem with this vulnerability is that it stems from the design of the Internet itself, so it is difficult to block or defend against technically. Unlike a pure software problem, which can be fixed by modifying software code, it is difficult to protect against. According to the analysis of the PoisonTap principle, once connected to the target PC it relies on a characteristic of the network: the subnets of a lower-priority network device are given higher priority than the gateway of a higher-priority network device. The HTML+JavaScript generated while the device is connected becomes a backdoor that can be reached at any time. In other words, by creating a WebSocket through which the web browser itself can be reached at any time, an attacker can connect to the target PC whenever they wish.
In such a threat, PoisonTap is used to break in and install a web backdoor on the target PC so that it remains accessible and attackable even after the PoisonTap device is disconnected. This problem is believed to be an insider threat not only to military units but also to nuclear facilities, which operate closed networks. PoisonTap can be brought into major nuclear areas in cooperation with insiders who perform general maintenance of USB equipment. Ordinary workers often leave their laptops unattended, or step away for a while relying only on a screen-saver password. In addition, because there is no communication with the outside, practices such as not sealing USB ports and entering deep sleep mode (network connection) can expose nuclear facilities to cyber threats from malicious insiders using PoisonTap.
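The routing characteristic the abstract describes (a more specific subnet on a secondary interface outranks the default gateway on the primary one) is also what a defender can check for on a host. The following Python script is an added example, not part of the paper; it parses a constructed sample of Linux `ip route` output for a laptop on Wi-Fi with a rogue USB network gadget attached, shows which interface the kernel's longest-prefix match would pick, and flags unusually wide routes on a non-gateway interface. Interface names and addresses in the sample are assumptions.

```python
from __future__ import annotations
import ipaddress
from typing import NamedTuple

class Route(NamedTuple):
    dst: ipaddress.IPv4Network
    dev: str

def parse_ip_route(text: str) -> list[Route]:
    """Parse Linux 'ip route' style lines into (destination, interface) records."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        dst = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        if "/" not in dst:
            dst += "/32"  # a bare address is a host route
        dev = parts[parts.index("dev") + 1] if "dev" in parts else "?"
        routes.append(Route(ipaddress.ip_network(dst, strict=False), dev))
    return routes

def default_device(routes: list[Route]) -> str | None:
    """Interface that carries the 0.0.0.0/0 route, i.e. the legitimate gateway."""
    return next((r.dev for r in routes if r.dst.prefixlen == 0), None)

def egress_device(routes: list[Route], ip: str) -> str | None:
    """Longest-prefix match, as the kernel does it: the most specific route wins,
    so a /1 learned from a USB gadget outranks the real /0 default route."""
    addr = ipaddress.ip_address(ip)
    matches = [r for r in routes if addr in r.dst]
    return max(matches, key=lambda r: r.dst.prefixlen).dev if matches else None

def rogue_wide_routes(routes: list[Route], max_prefixlen: int = 8) -> list[Route]:
    """Defender check: non-default routes covering a huge slice of IPv4 space on an
    interface other than the default gateway's. A legitimate secondary NIC normally
    carries only its own small subnet, so such routes deserve an alert."""
    primary = default_device(routes)
    return [r for r in routes if 0 < r.dst.prefixlen <= max_prefixlen and r.dev != primary]

# Constructed sample: laptop on Wi-Fi (wlan0) with a rogue USB Ethernet gadget (usb0)
# that handed out /1 routes over DHCP; addresses and interface names are assumed.
SAMPLE_IP_ROUTE = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
0.0.0.0/1 via 1.0.0.1 dev usb0 proto dhcp metric 100
128.0.0.0/1 via 1.0.0.1 dev usb0 proto dhcp metric 100
1.0.0.0/24 dev usb0 proto kernel scope link src 1.0.0.5
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.42 metric 600
"""
```

Running `rogue_wide_routes(parse_ip_route(SAMPLE_IP_ROUTE))` returns the two /1 routes on usb0, while `egress_device` shows that traffic to any public address leaves through usb0 even though wlan0 holds the default gateway.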

Author
  • Dongseok Lee (Korea Institute of Nuclear Nonproliferation and Control (KINAC))