The network of the Kudankulam Nuclear Power Plant (the largest nuclear power plant in India), located in the Indian state of Tamil Nadu, was infected by a piece of malware that cybersecurity experts have linked to North Korean hackers. First reports of an intrusion at the Kudankulam plant surfaced on Monday after a Twitter user posted a VirusTotal link pointing to what appeared to be a variant of a recently discovered piece of malware named Dtrack, a backdoor trojan developed by the Lazarus Group, a hacking unit believed to be sponsored by North Korea.
The malware sample included hardcoded credentials that referenced KKNPP, the acronym for the Kudankulam Nuclear Power Plant. India-based cybersecurity expert Pukhraj Singh retweeted the message, revealing that the attackers had gained domain controller-level access at the Kudankulam plant and that other extremely mission-critical targets had also been hit.
Shortly after the incident became public knowledge, KKNPP officials released their own statement denying that the plant had suffered any malware infection and describing the tweets as “false information”. They stressed that the plant’s control systems “stand alone and not connected to outside cyber network and Internet”, and that a cyberattack on the power plant was therefore not possible.
However, just a day after KKNPP officials categorically denied that outsiders could have accessed the internal networks, since they were all isolated, NPCIL, KKNPP's parent company, admitted to the security breach. According to NPCIL’s statement, the organization was notified of the infection on September 4, 2019. An investigation into the matter revealed that the malware had infected one of the computers on the Internet-connected network used for administrative purposes, which is isolated from the critical internal network.
According to a description of the Dtrack malware from antivirus maker Kaspersky, this trojan has an extensive set of capabilities, including keystroke capture, retrieving browser history, collecting host IP addresses and information about available networks and active connections, and listing all running processes and all files on every available disk volume. The first samples of the Dtrack malware family were observed in attacks targeting South Korea in 2013, and as recently as early September this year Dtrack was used in a campaign aimed at financial and research organizations in India. Analysis of the Dtrack code revealed similarities to an older campaign that had been linked to a North Korean threat actor known as Lazarus.