Friday, June 14, 2024

North Korean Hackers Attack Indian Nuclear Power Plant [KKNPP] Using Dtrack Malware – What Happened Till Date

India’s largest nuclear power station, Kudankulam Nuclear Power Plant was hit with a cyber-attack earlier this year. Initially, the Kudankulam Nuclear Power Project has denied the cyber-attack that took place.

The news circle’s on twitter for the last couple of days after the security researcher Pukhraj Singh notified about the incident that took place.

Pukhraj Singh said that “Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit.” He also added that he notified the incident to National Cyber Security Coordinator( NCSC) on Sep 4.

The intrusion was detected by a third-party cybersecurity company and the company contacted Pukhraj Singh who notified the incident to NCSC and the IoCs shared by the third-party cybersecurity company to NCSC.

On September 23, Kaspersky reported about the DTrack spy malware, the malware attributed to Lazarus hacker group from North Korea.

Kudankulam Cyber Attack Denied Initially

The Kudankulam Nuclear Power Plant officials denied the attack initially saying some false information being circulated.

Training Superintendent and Information officer of Kudankulam Nuclear Power Plant (KKNP) said that the power station network was not connected to the Internet, so the cyberattack is not possible.

According to the notice from KKNP, on 29/10/2019, states that “This is to clarify Kudankulam Nuclear Power Plant(KNPP) and other Indian Power Plant Control Systems are stand-alone and not connected to outside cyber network and internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible,”

Kudankulam Cyber Attack

The report is almost correct, Pankaj tweeted about the compromise of the domain controller and not the Industrial control system.

Domain controller (DC) – It is the server that handles security authentication requests within a Windows domain network.

Industrial control system (ICS)- Integration of hardware and software to support critical infrastructure.

Dtrack – A Lookup

Dtrack malware designed to spy on the victim machines, it includes following payload executables to extract sensitive information from the infected machines.

  • Keylogging
  • Retrieve browser history
  • Gather host IP addresses, information about available networks and active connections,
  • List all running processes,
  • List all files on all available disk volumes.

The malware also includes additional modules that allow an attacker to gain remote access to the system and can upload/download or execute files.

The Dtrack malware attributed to infamous North Korean state-sponsored Lazarus Group hacking known for conducting large scale attacks targeting government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies, as well as critical infrastructure.

Here is the Dtrack data collection break down.

Press Release Confirming the Incident

Congress MP Shashi Tharoor demanded an explanation from the government on Twitter: “This seems very serious. If a hostile power can conduct a cyber attack on our nuclear facilities, the implications for India’s national security are unimaginable. The Government owes us an explanation.”

Initially, it was denied, but some senior officials said that an internal audit confirmed that an incident occurred a d the hackers gained access to the plant’s administrative network.

NPCIL released a statement yesterday confirming the cyber attack and the infected computer belongs to the user who connected to the Internet of administrative purposes.

Kudankulam Cyber Attack

The report also confirms that the attack limited within the administrative network and the critical systems are air-gapped that are isolated from the administrative networks.

“Identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019.”

By compromising the IT infrastructure attackers may try to penetrate to the other computer connected within the network and to steal information such as access controls, safety measures, and other details.

Nowadays Cybersecurity is a vital part of the process and infrastructure industry operations. From the past few years, cyber-attack tactics have increased and massive data is being grabbed and misused by many black hat people across many industries.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates


Latest articles

Sleepy Pickle Exploit Let Attackers Exploit ML Models And Attack End-Users

Hackers are targeting, attacking, and exploiting ML models. They want to hack into these...

SolarWinds Serv-U Vulnerability Let Attackers Access sensitive files

SolarWinds released a security advisory for addressing a Directory Traversal vulnerability which allows a...

Smishing Triad Hackers Attacking Online Banking, E-Commerce AND Payment Systems Customers

Hackers often attack online banking platforms, e-commerce portals, and payment systems for illicit purposes.Resecurity...

Threat Actor Claiming Leak Of 5 Million Ecuador’s Citizen Database

A threat actor has claimed responsibility for leaking the personal data of 5 million...

Ascension Hack Caused By an Employee Who Downloaded a Malicious File

Ascension, a leading healthcare provider, has made significant strides in its investigation and recovery...

AWS Announced Malware Detection Tool For S3 Buckets

Amazon Web Services (AWS) has announced the general availability of Amazon GuardDuty Malware Protection...

Hackers Exploiting MS Office Editor Vulnerability to Deploy Keylogger

Researchers have identified a sophisticated cyberattack orchestrated by the notorious Kimsuky threat group.The...
Guru baran
Guru baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles