North Korean Hackers Attack Indian Nuclear Power Plant [KKNPP] Using Dtrack Malware – What Happened Till Date

India’s largest nuclear power station, Kudankulam Nuclear Power Plant was hit with a cyber-attack earlier this year. Initially, the Kudankulam Nuclear Power Project has denied the cyber-attack that took place.

The news circle’s on twitter for the last couple of days after the security researcher Pukhraj Singh notified about the incident that took place.

Pukhraj Singh said that “Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit.” He also added that he notified the incident to National Cyber Security Coordinator( NCSC) on Sep 4.

The intrusion was detected by a third-party cybersecurity company and the company contacted Pukhraj Singh who notified the incident to NCSC and the IoCs shared by the third-party cybersecurity company to NCSC.

On September 23, Kaspersky reported about the DTrack spy malware, the malware attributed to Lazarus hacker group from North Korea.

Kudankulam Cyber Attack Denied Initially

The Kudankulam Nuclear Power Plant officials denied the attack initially saying some false information being circulated.

Training Superintendent and Information officer of Kudankulam Nuclear Power Plant (KKNP) said that the power station network was not connected to the Internet, so the cyberattack is not possible.

According to the notice from KKNP, on 29/10/2019, states that “This is to clarify Kudankulam Nuclear Power Plant(KNPP) and other Indian Power Plant Control Systems are stand-alone and not connected to outside cyber network and internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible,”

The report is almost correct, Pankaj tweeted about the compromise of the domain controller and not the Industrial control system.

Domain controller (DC) – It is the server that handles security authentication requests within a Windows domain network.

Industrial control system (ICS)- Integration of hardware and software to support critical infrastructure.

Dtrack – A Lookup

Dtrack malware designed to spy on the victim machines, it includes following payload executables to extract sensitive information from the infected machines.

• Keylogging
• Retrieve browser history
• Gather host IP addresses, information about available networks and active connections,
• List all running processes,
• List all files on all available disk volumes.

The malware also includes additional modules that allow an attacker to gain remote access to the system and can upload/download or execute files.

The Dtrack malware attributed to infamous North Korean state-sponsored Lazarus Group hacking known for conducting large scale attacks targeting government, military, financial, manufacturing, publishing, media, entertainment, and international shipping companies, as well as critical infrastructure.

Here is the Dtrack data collection break down.

Press Release Confirming the Incident

Congress MP Shashi Tharoor demanded an explanation from the government on Twitter: “This seems very serious. If a hostile power can conduct a cyber attack on our nuclear facilities, the implications for India’s national security are unimaginable. The Government owes us an explanation.”

Initially, it was denied, but some senior officials said that an internal audit confirmed that an incident occurred a d the hackers gained access to the plant’s administrative network.

NPCIL released a statement yesterday confirming the cyber attack and the infected computer belongs to the user who connected to the Internet of administrative purposes.

The report also confirms that the attack limited within the administrative network and the critical systems are air-gapped that are isolated from the administrative networks.

“Identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019.”

By compromising the IT infrastructure attackers may try to penetrate to the other computer connected within the network and to steal information such as access controls, safety measures, and other details.

Nowadays Cybersecurity is a vital part of the process and infrastructure industry operations. From the past few years, cyber-attack tactics have increased and massive data is being grabbed and misused by many black hat people across many industries.

You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates