The Nuclear Power Corporation of India Ltd (NPCIL) confirmed that the network of one of India’s nuclear power plants was infected with malware created by North Korea’s state-sponsored hackers.
The rumour that the Kudankulam Nuclear Power Plant (KNPP) was infected with a dangerous malware strain first surfaced on Twitter on Monday. Pukhraj Singh, a former security analyst for India’s National Technical Research Organization (NTRO), stated that a recent VirusTotal upload was actually linked to a malware infection at the KNPP.
The malware sample included hardcoded credentials for KNPP’s internal network, which indicates that the malware was explicitly compiled to spread and operate inside the power plant’s IT network.
Malware linked to North Korea’s Lazarus Group
Many security researchers recognized the malware as a version of Dtrack, a backdoor trojan developed by North Korea’s hacking unit known as the Lazarus Group.
Singh’s tweet and the disclosure went viral because, a few days earlier, the same power plant had an unexpected shutdown of one of its reactors, and many users conflated the two unrelated incidents.
Initially, KNPP officials denied that they had suffered any malware infection, issuing a statement that described the tweets as “false information” and claimed that it was impossible to conduct a cyber-attack on the power plant.
However, NPCIL, the parent company of KNPP, admitted in a later statement that the malware had been identified.
NPCIL said the malware only infected its administrative network and did not reach its critical internal network, the one used to control the power plant’s nuclear reactors. It said the two networks were isolated.
NPCIL also confirmed the statements Singh made on Twitter: it received notification from CERT India on September 4, when the malware was first spotted, and had investigated the incident at the time of the report.
Kaspersky’s analysis of the Dtrack malware found that this trojan includes features for:
- Retrieving browser history,
- Gathering host IP addresses, information about available networks and active connections,
- Listing all running processes,
- Listing all files on all available disk volumes.
It is clear from these features that Dtrack is typically used for reconnaissance and as a dropper for other malware payloads.
Previous Dtrack samples were normally found in politically motivated cyber-espionage operations, and in attacks on banks using a customised version of Dtrack called ATMDtrack, which was also found last month.
The Lazarus Group, like other North Korean hacker groups, does not usually target the energy and industrial sector. When it has, it went after proprietary intellectual property rather than sabotage.
Most of North Korea’s offensive hacking efforts have focused on gaining insight into diplomatic relations, tracking former North Korean citizens who fled the country, or hacking banks and cryptocurrency exchanges to obtain funds for the Pyongyang regime’s weapons and missile programs.
It is believed that the KNPP incident was more or less an accidental infection rather than a well-planned operation. Kaspersky reported last month that the Lazarus Group had been spreading Dtrack and ATMDtrack across India, targeting its financial sector.
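Two details above are the kind of thing an incident responder would check first when a sample like this lands on a desk: whether the binary carries hardcoded credentials, internal hostnames or private addresses (the sign of a build tailored to one network, as reported for the KNPP sample), and whether its imported Windows API names line up with the reconnaissance features listed. The following Python script is an added example written for this article, not Kaspersky’s or NPCIL’s code and not derived from a real Dtrack sample; the byte blob, hostnames, IP address and credential it scans are constructed for the demonstration, and the regexes and API groupings are a simple heuristic triage, not a signature.

```python
import re

# Constructed stand-in for a suspicious binary. These bytes are NOT Dtrack; the
# server name, domain, account, password and IP address are invented.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 8
    + b"net use \\\\FILESRV01\\share /user:plantdom\\svc_backup Passw0rd!\x00"
    + b"\x00" * 4
    + b"10.38.1.25\x00"
    + b"GetAdaptersInfo\x00CreateToolhelp32Snapshot\x00Process32Next\x00"
    + b"FindFirstFileW\x00GetLogicalDriveStringsW\x00"
    + b"\\Google\\Chrome\\User Data\\Default\\History\x00"
)

# Markers grouped by the four reconnaissance capabilities the article lists.
# Matching a marker only says the sample *can* do this, not that it did.
RECON_APIS = {
    "browser_history": ("Chrome\\User Data", "places.sqlite", "WebCacheV01.dat"),
    "network_info": ("GetAdaptersInfo", "GetIpNetTable", "GetExtendedTcpTable", "GetIfTable"),
    "process_listing": ("CreateToolhelp32Snapshot", "Process32First", "Process32Next"),
    "file_listing": ("FindFirstFile", "FindNextFile", "GetLogicalDriveStrings"),
}

# Heuristics for embedded credentials, RFC 1918 addresses and UNC share paths.
CRED_RE = re.compile(r"(?i)(/user:\S+|password\s*=|passwd|pwd\s*=)")
PRIVATE_IP_RE = re.compile(
    r"\b(10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|172\.(1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3})\b"
)
UNC_RE = re.compile(r"\\\\[A-Za-z0-9_.-]+\\[A-Za-z0-9_$.-]+")


def extract_strings(data, min_len=6):
    """Return printable ASCII runs of at least min_len bytes, like the `strings` tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def triage(data):
    """Scan a sample's strings for targeting indicators and recon capabilities."""
    report = {"credentials": [], "private_ips": [], "unc_paths": [], "capabilities": set()}
    for s in extract_strings(data):
        if CRED_RE.search(s):
            report["credentials"].append(s)
        report["private_ips"].extend(m.group(0) for m in PRIVATE_IP_RE.finditer(s))
        report["unc_paths"].extend(UNC_RE.findall(s))
        for capability, markers in RECON_APIS.items():
            if any(marker in s for marker in markers):
                report["capabilities"].add(capability)
    report["capabilities"] = sorted(report["capabilities"])
    # Credentials alone could be a generic lateral-movement routine; credentials
    # plus a specific internal host or address suggest a build made for one network.
    report["targeted"] = bool(report["credentials"] and (report["private_ips"] or report["unc_paths"]))
    return report


if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, value in result.items():
        print(f"{key:12}: {value}")
```

On the constructed blob the script reports one credential string, one private address, one UNC path and all four capability groups, so `targeted` is true. On a real sample the same output is a starting point for questions, not a verdict: the private address and share name should be compared against the organisation’s own inventory, and the API markers against what the binary actually imports.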