
Nuclear Power Plant in India Hit by North Korean Malware: Report

KKNPP hit by North Korean malware - Image credits: Reetesh Chaurasia


India’s largest nuclear power plant was reportedly hit recently by a piece of malware linked by experts to North Korean hackers, but officials said control systems were not compromised.

Reports of a breach at the Kudankulam Nuclear Power Plant located in the Indian state of Tamil Nadu emerged on Monday after a Twitter user posted a VirusTotal link pointing to what appeared to be a sample of a recently discovered piece of malware named Dtrack.

The malware was configured to use a hardcoded username and password combination that referenced KKNPP, the acronym for the Kudankulam Nuclear Power Plant.

India-based cybersecurity expert Pukhraj Singh reposted the tweet, revealing that attackers had gained domain controller-level access to the Kudankulam nuke plant and that other “extremely mission-critical targets” had also been hit.

Singh pointed to a tweet that he posted in early September, in which he said he had witnessed a “casus belli,” a Latin expression used to describe an event that is used to justify war. He later clarified that the other targets he had become aware of were even “scarier than KKNPP,” which is why he “went all hyperbolic about casus belli.”

Singh said he had learned of the intrusion at the Kudankulam plant from a third party and that he notified India’s National Cyber Security Coordinator on September 3, who allegedly acknowledged the issue.

However, some Indian officials have categorically denied that any kind of breach took place at the nuclear power plant. On the other hand, a statement from the Nuclear Power Corporation of India confirmed that the plant was targeted by a cyberattack, but highlighted that control systems are not connected to the local network or the internet and claimed that an attack on the facility’s control systems “is not possible.” Singh also confirmed that there was no evidence of control systems being impacted.

The nuclear plant experienced many disruptions, including one in recent weeks, but officials cited by The Economic Times denied that the incident was caused by a cyberattack.


Researchers at Kaspersky recently uncovered the Dtrack remote access trojan (RAT) while investigating ATM attacks aimed at India, involving a piece of malware tracked as ATMDtrack. Analysis of the Dtrack code revealed similarities to an older campaign that had been linked to a North Korean threat actor known as Lazarus.

Indian nuke plant hit by North Korean Dtrack malware

Dtrack, which according to Kaspersky had been used to target financial and research organizations in India as recently as early September, allows attackers to collect and steal information from compromised systems, including keystrokes, browser history, IP addresses, network details, running processes, and files.

Related: Illegal Cryptocurrency Mining at Ukraine Nuclear Plant Exposed Sensitive Data

Related: Concerns Raised Over Malware in German Nuclear Plant

Related: South Korea Accuses North of Cyber-attacks on Nuclear Plants

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
