The Nuclear Power Corporation of India Limited (NPCIL) has acknowledged today that malware attributed by others to North Korean state actors had been found on the administrative network of the Kudankulam Nuclear Power Plant (KKNPP). The admission comes a day after the company issued a denial that any attack would affect the plant's control systems.
In a press release today, NPCIL Associate Director A. K. Nema stated, "Identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In [India's national computer emergency response team] when it was noticed by them on September 4, 2019."
That matches the date threat analyst Pukhraj Singh said he reported information on the breach to India's National Cyber Security Coordinator.
"The matter was immediately investigated by [India Department of Atomic Energy] specialists," Nema stated in the release. "The investigation revealed that the infected PC belonged to a user who was connected to the Internet connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored."
Lazarus in the house
It's not clear if data was stolen from the KKNPP network. But the nuclear power plant was not the only facility Singh reported being compromised. When asked by Ars why he called the malware attack a "casus belli"—an act of war—Singh, a former analyst for India's National Technical Research Organization (NTRO), said, "It was because of the second target, which I can't disclose as of now."
The malware in question, named Dtrack by Russian malware protection company Kaspersky, has been used in widespread attacks against financial and research centers, based on Kaspersky data collected from over 180 samples of the malware. Dtrack shares elements of code from other malware attributed to the Lazarus threat group, which, according to US Justice Department indictments, is a North Korean state-sponsored hacking operation. Another version of the malware, ATMDtrack, has been used to steal data from ATM networks in India.
DTrack appears to be an espionage and reconnaissance tool, gathering data about infected systems and capable of logging keystrokes, scanning connected networks, and monitoring active processes on infected computers. The malware may have been delivered by an "in-memory implant," Singh said, though he added that he is waiting for confirmation from other sources. He added that he had not seen any data indicating whether data had been stolen from the KKNPP network. "I didn't have the full indicators," Singh said.
While the attack may not have given direct access to nuclear power control networks, it could have been part of an effort to establishRead More – Source