Nuclear Power Plant in India Hit by North Korean Malware: Report

KKNPP hit by North Korean malware - Image credits: Reetesh Chaurasia

India’s largest nuclear power plant was reportedly hit recently by a piece of malware linked by experts to North Korean hackers, but officials said control systems were not compromised.

Reports of a breach at the Kudankulam Nuclear Power Plant located in the Indian state of Tamil Nadu emerged on Monday after a Twitter user posted a VirusTotal link pointing to what appeared to be a sample of a recently discovered piece of malware named Dtrack.

The malware was configured to use a hardcoded username and password combination that referenced KKNPP, the acronym for the Kudankulam Nuclear Power Plant.

India-based cybersecurity expert Pukhraj Singh reposted the tweet, revealing that attackers had gained domain controller-level access to the Kudankulam nuke plant and that other “extremely mission-critical targets” had also been hit.

Singh pointed to a tweet that he posted in early September, in which he said he had witnessed a “casus belli,” a Latin expression used to describe an event that is used to justify war. He later clarified that the other targets he had become aware of were even “scarier than KKNPP,” which is why he “went all hyperbolic about casus belli.”

Singh said he had learned of the intrusion at the Kudankulam plant from a third party, and that he notified India’s National Cyber Security Coordinator on September 3, which allegedly acknowledged the issue.

Some Indian officials have categorically denied that any kind of breach took place at the nuclear power plant. However, a statement from the Nuclear Power Corporation of India confirmed that the plant was targeted by a cyberattack, while stressing that the control systems are not connected to the local network or the internet and claiming that an attack on the facility’s control systems “is not possible.” Singh also confirmed that there was no evidence of the control systems being impacted.

The nuclear plant has experienced many disruptions, including one in recent weeks, but officials cited by The Economic Times denied that the incident was caused by a cyberattack.

Researchers at Kaspersky recently uncovered the Dtrack remote access trojan (RAT) while investigating ATM attacks aimed at India, involving a piece of malware tracked as ATMDtrack. Analysis of the Dtrack code revealed similarities to an older campaign that had been linked to a North Korean threat actor known as Lazarus.
Dtrack, which according to Kaspersky had been used to target financial and research organizations in India as recently as early September, allows attackers to collect and steal information from compromised systems, including keystrokes, browser history, IP addresses, network details, running processes, and files.

Related: Illegal Cryptocurrency Mining at Ukraine Nuclear Plant Exposed Sensitive Data

Related: Concerns Raised Over Malware in German Nuclear Plant

Related: South Korea Accuses North of Cyber-attacks on Nuclear Plants

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.