31 October 2019

India’s largest nuclear power plant hit by North Korean Malware

The network of Kudankulam Nuclear Power Plant (the largest nuclear power plant in India) located in the Indian state of Tamil Nadu was infected by a piece of malware linked by cybersecurity experts to North Korean hackers. First reports of an intrusion at Kudankulam plant surfaced on Monday after a Twitter user posted a VirusTotal link pointing to what appeared to be a variant of a recently discovered piece of malware named Dtrack, a backdoor trojan developed by the Lazarus Group, a hacking unit believed to be sponsored by North Korea.

The malware sample included hardcoded credentials that referenced KKNPP, the acronym for the Kudankulam Nuclear Power Plant. India-based cybersecurity expert Pukhraj Singh retweeted the message, revealing that the attackers had gained domain controller-level access at the Kudankulam plant and that other extremely mission-critical targets had been hit.

Shortly after the incident became public knowledge, KKNPP officials released their own statement denying that they had suffered any malware infection and describing the tweets as “false information”. They stressed that the plant’s control systems “stand alone and not connected to outside cyber network and Internet”, and therefore that a cyberattack on the power plant was not possible.

However, just a day after KKNPP officials categorically denied that outsiders could have accessed the internal networks, since they were all isolated, NPCIL, KKNPP's parent company, admitted to the security breach. According to NPCIL’s statement, the organization was notified of the infection on September 4, 2019. An investigation into the matter revealed that the malware had infected one of the computers on the internet-connected network used for administrative purposes, which was isolated from the critical internal network.

According to a description of the Dtrack malware from antivirus maker Kaspersky, this trojan has an extensive set of capabilities, including keystroke capture, retrieving browser history, collecting host IP addresses and information about available networks and active connections, and listing all running processes and all files on every available disk volume. The first samples of the Dtrack malware family were observed in attacks targeting South Korea in 2013, and as recently as early September this year Dtrack was used in a campaign aimed at financial and research organizations in India. Analysis of the Dtrack code revealed similarities to an older campaign that had been linked to the North Korean threat actor known as Lazarus.
