The network of one of India’s nuclear power plants was infected with malware attributed to North Korea’s state-sponsored hackers, the Nuclear Power Corporation of India Ltd (NPCIL) confirmed today.
News that the Kudankulam Nuclear Power Plant (KNPP) might have been infected with a dangerous strain of malware first surfaced on Twitter on Monday.
Pukhraj Singh, a former security analyst for India’s National Technical Research Organization (NTRO), pointed out that a recent VirusTotal upload was actually linked to a malware infection at the KNPP.
The particular malware sample included hardcoded credentials for KNPP’s internal network, suggesting the malware was specifically compiled to spread and operate inside the power plant’s IT network.
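A hardcoded credential or share path is usually the first thing that stands out when a sample is triaged, and it is the detail that turns “commodity backdoor” into “built for this network.” The script below is an added example of that triage step and is not code from the original article, from the Dtrack sample, or from NPCIL or Kaspersky. It assumes a constructed byte blob standing in for a binary, with made-up hostnames, addresses and account names; it pulls out printable ASCII and UTF-16LE strings (the two encodings Windows binaries usually embed) and flags the ones that look like credentials, UNC paths, IP addresses, URLs or shell commands.

```python
"""String triage for a suspicious binary (hypothetical example).

Extracts printable ASCII and UTF-16LE strings from raw bytes and flags
strings that look like embedded network credentials, share paths,
addresses or commands. Not Dtrack code and not NPCIL/Kaspersky tooling.
"""
import re

# Constructed stand-in for a binary: a fake DOS header, some benign
# noise, one "net use" line with a credential (assumed, not real), a
# UTF-16LE command line, a UTF-16LE UNC path and a beacon URL.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                                   # fake DOS header
    + b"!This program cannot be run in DOS mode.\r\n$\x00"          # benign noise
    + b"kernel32.dll\x00\x11\x02\x03"                                # import name
    + b"net use \\\\10.0.0.5\\C$ /user:LABDOMAIN\\svc_backup Winter2019!\x00"
    + b"\xff\xfe\x01"
    + "cmd.exe /c tasklist > %TEMP%\\t.txt".encode("utf-16le") + b"\x00\x00"
    + b"\x7f\x80\x81"
    + "\\\\LAB-DC01\\SYSVOL".encode("utf-16le") + b"\x00\x00"
    + b"http://203.0.113.7/upload.php\x00"
)

# Regexes applied to each decoded string; a string may hit several labels.
INDICATORS = [
    ("credential", re.compile(r"/user:\S+\s+\S+|(?i:pass(?:word|wd)?\s*[:=])")),
    ("unc_path", re.compile(r"\\\\[\w.-]+\\\S+")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("url", re.compile(r"https?://\S+")),
    ("command", re.compile(r"\b(?:cmd\.exe|net use|tasklist|powershell)\b")),
]


def extract_strings(blob: bytes, min_len: int = 6):
    """Return [(offset, encoding, text)] for printable runs of >= min_len chars,
    scanning for plain ASCII and for UTF-16LE (each char followed by a NUL)."""
    found = []
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob):
        found.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, blob):
        found.append((m.start(), "utf-16le", m.group().decode("utf-16le")))
    return sorted(found)


def triage(blob: bytes, min_len: int = 6) -> dict:
    """Map each indicator label to the sorted list of strings that matched it."""
    hits = {label: set() for label, _ in INDICATORS}
    for _, _, text in extract_strings(blob, min_len):
        for label, pattern in INDICATORS:
            if pattern.search(text):
                hits[label].add(text)
    return {label: sorted(texts) for label, texts in hits.items()}


def looks_targeted(report: dict) -> bool:
    """A credential next to an internal share path or address is the
    combination that suggests a build customised for one victim network."""
    return bool(report["credential"]) and bool(report["unc_path"] or report["ipv4"])


if __name__ == "__main__":
    for offset, encoding, text in extract_strings(SAMPLE):
        print(f"{offset:#06x} {encoding:8} {text}")
    report = triage(SAMPLE)
    for label, texts in report.items():
        for text in texts:
            print(f"[{label}] {text}")
    print("targeted build?", looks_targeted(report))
```

Running it prints every extracted string with its offset, then the flagged strings grouped by label. The UTF-16LE pass matters: a plain `strings`-style ASCII scan misses the command line and the UNC path in this sample, because each character is separated by a NUL byte.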
MALWARE LINKED TO NORTH KOREA’S LAZARUS GROUP
Several security researchers identified the malware as a version of Dtrack, a backdoor trojan developed by the Lazarus Group, North Korea’s elite hacking unit.
Singh’s tweet and revelation immediately went viral because, just days before, the same power plant had an unexpected shutdown of one of its reactors, and many users conflated the two unrelated incidents into one.
Initially, KNPP officials denied that the plant had suffered any malware infection, issuing a statement that described the tweets as “false information” and said a cyber-attack on the power plant was “not possible.”
NOT ACTUALLY A BIG DEAL
According to an analysis of the Dtrack malware from Russian antivirus maker Kaspersky, this trojan includes features for:
keylogging,
retrieving browser history,
gathering host IP addresses, information about available networks and active connections,
listing all running processes,
listing all files on all available disk volumes.
As its feature set shows, Dtrack is typically used for reconnaissance and as a dropper for other malware payloads. Finding a reconnaissance-stage tool therefore says what the attackers could learn about the IT network, not what, if anything, was delivered afterwards.