Earlier this week, rumours spread on social media that malware had been detected at the Kudankulam nuclear power plant in India, and that a North Korean virus had "attacked" a nuclear power plant. Representatives of the Nuclear Power Corporation of India Ltd (NPCIL), the state operator of the plant, have now officially confirmed that an infection did occur.
It all started when Indian information security researcher Pukhraj Singh wrote on Twitter that, several months ago, he had informed the Indian authorities about Dtrack malware that had successfully penetrated "extremely mission-critical" systems at the Kudankulam plant. According to him, the malware obtained domain controller-level access inside the nuclear facility.
"So, it's public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit," writes Pukhraj Singh.
The researcher's tweet attracted a lot of attention because, a few days earlier, one of the reactors at the same plant had unexpectedly shut down, and many assumed the attack was to blame.
Initially, the plant's administration denied that Kudankulam had been infected in any way, issuing a statement that called Singh's tweets "false information" and described a cyber attack on the plant as "impossible."
But NPCIL has now acknowledged that the plant representatives' statements did not quite correspond to the truth, and that a cyber attack did occur. According to NPCIL's official version, the malware penetrated the plant's administrative network and infected one computer, but did not reach the critical internal network that is used to control the reactors, which is physically isolated from the administrative network.
NPCIL also confirmed the information published by Singh, saying that it received a notification from the Indian CERT (CERT-In) in early September, when the malware was first detected.
Recall that researchers attribute the Dtrack malware to the notorious North Korean hacking group Lazarus. Dtrack is commonly used for reconnaissance and espionage and as a dropper for other malware; its relative ATMDtrack was aimed at Indian financial institutions.
An incomplete list of the capabilities of the Dtrack payload executables that were detected includes:
- retrieving browser history;
- collecting host IP addresses and information about available networks and active connections;
- listing all running processes;
- listing all files on all available drives.
In addition, the droppers contained a Remote Administration Tool (RAT). The RAT executable allows attackers to perform various operations on the infected host, such as uploading, downloading and executing files.
Interestingly, the malware sample that Singh drew attention to contained hard-coded credentials for the Kudankulam plant's internal network. This suggests that the sample was built specifically to spread and operate inside the plant's network.
However, it remains unclear (officials have not commented on this at all) whether the attack was targeted or whether the plant was infected incidentally, which is also plausible given the recent Dtrack activity in India.