India’s largest nuclear power plant was reportedly hit recently by a piece of malware linked by experts to North Korean hackers, but officials said control systems were not compromised.
Reports of a breach at the Kudankulam Nuclear Power Plant located in the Indian state of Tamil Nadu emerged on Monday after a Twitter user posted a VirusTotal link pointing to what appeared to be a sample of a recently discovered piece of malware named Dtrack.
The malware was configured to use a hardcoded username and password combination that referenced KKNPP, the acronym for the Kudankulam Nuclear Power Plant.
India-based cybersecurity expert Pukhraj Singh reposted the tweet, revealing that attackers had gained domain controller-level access to the Kudankulam nuke plant and that other “extremely mission-critical targets” had also been hit.
Singh pointed to a tweet that he posted in early September, in which he said he had witnessed a “casus belli,” a Latin expression used to describe an event that is used to justify war. He later clarified that the other targets he had become aware of were even “scarier than KKNPP,” which is why he “went all hyperbolic about casus belli.”
Singh said he had learned of the intrusion at the Kudankulam plant from a third-party and he notified India’s National Cyber Security Coordinator on September 3, which allegedly acknowledged the issue.
However, some Indian officials have categorically denied that any kind of breach took place at the nuclear power plant. On the other hand, a statement from the Nuclear Power Corporation of India confirms that the plant was targeted by a cyberattack, but highlighted that control systems are not connected to the local network or the internet and claimed that an attack on the facility’s control systems “is not possible.” Singh also confirmed that there was no evidence of control systems being impacted.
The nuclear plant experienced many disruptions, including one in recent weeks, but officials cited by The Economic Times denied that the incident was caused by a cyberattack.
Researchers at Kaspersky recently uncovered the Dtrack remote access trojan (RAT) while investigating ATM attacks aimed at India, involving a piece of malware tracked as ATMDtrack. Analysis of the Dtrack code revealed similarities to an older campaign that had been linked to a North Korean threat actor known as Lazarus.
Dtrack, which according to Kaspersky had been used to target financial and research organizations in India as recently as early September, allows attackers to collect and steal information from compromised systems, including keystrokes, browser history, IP addresses, network details, running processes, and files.