India’s Kudankulam Nuclear Power Plant initially denied an attack. On October 30, Nuclear Power Corporation of India Limited confirmed a cyber attack on its computer network. According to a statement, while malware was identified in NPCIL’s network, plant systems were not affected.
“The matter was immediately investigated by DAE specialists,” the NPCIL said in a statement. “The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored.”
Government officials were first alerted to the attacks by cyber-security analyst Pukhraj Singh on September 4. According to a series of tweets, Singh detected a cyber attack on NPCIL’s Kudankulam power plant in the southern state of Tamil Nadu.
The attack was then confirmed by the Indian Computer Emergency Response Team, an office within the Ministry of Electronics and Information Technology tasked with dealing with cyber security threats and strengthening security-related defence of the Indian Internet domain.
The NPCIL’s announcement came one day after officials at the Kudankulam Nuclear Power Plant denied a cyber attack on its systems. Rumors of an attack began circulating on October 28 after Spanish security company Hispasec Sistemas’ website VirusTotal published data indicating that malware known as Dtrack had infected a computer at the Kudankulam plant. However, officials denied the attack in a statement.
“This is to clarify Kudankulam Nuclear Power Project (KKNPP) and other Indian Nuclear Power Plants Control Systems are stand-alone and not connected to outside cyber network and Internet,” the plant said in a statement. “Any cyberattack on the Nuclear Power Plant Control System is not possible. Presently, KKNPP Unit-1 and 2 are operating at 1000 MWe and 600 MWe respectively without any operational or safety concerns.”
Dtrack, the malware suspected in the attack, started to gain prominence in September thanks to a report released by Kaspersky Lab, a multinational cybersecurity and anti-virus provider. Experts believe the malware was created by Lazarus Group, a faction of North Korean hackers.
“The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development,” wrote Kaspersky analyst Konstantin Zykov. “They continue to develop malware at a fast pace and expand their operations. We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers. And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”
In addition to keylogging, Dtrack allows hackers to retrieve browser histories, gather the host’s IP addresses and information about available networks and active connections, list all running processes, and list all files on all available disk volumes. The collected data is then stored in a password-protected archive or sent directly to a server. Dtrack also allows hackers to perform various operations on a host, such as uploading, downloading and executing files.
The systems most susceptible to this attack are those with weak network security policies, weak password policies, and no traffic monitoring. To better protect their systems, possible targets are advised to tighten their network and password policies and to use traffic monitoring software and antivirus solutions.
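The two defensive points in the article are that the administrative network should be isolated from the critical internal network, and that traffic monitoring is what catches the “sent directly to a server” stage of an infostealer like Dtrack. The following is an added illustration, written for this page and not code from the article, NPCIL, CERT-In or Kaspersky, of how a monitoring script could check both against flow records. The address ranges, port numbers, byte threshold and log lines are all constructed for the example; a real deployment would use its own address plan and tune the threshold to observed baselines.

```python
"""Minimal traffic-monitoring checks for an internet-connected administrative network.

Added example, not from the article. Two checks a defender would want:
  1. any flow from an administrative host into the isolated critical network
     segment (a segmentation violation, i.e. the isolation claim is false), and
  2. large outbound transfers from one host to an external destination, the
     pattern an infostealer produces when it ships its collected archive.
All networks, thresholds and flow records below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Hypothetical address plan (assumption, not from the article).
ADMIN_NET = ipaddress.ip_network("10.10.0.0/16")      # internet-connected office/admin hosts
CRITICAL_NET = ipaddress.ip_network("10.200.0.0/16")  # isolated plant/control network
INTERNAL_NETS = (ADMIN_NET, CRITICAL_NET)

# Per-host outbound byte budget per monitoring window (assumed tuning value).
EXFIL_THRESHOLD_BYTES = 50 * 1024 * 1024  # 50 MiB

# Constructed flow records: "<timestamp> <src> <dst> <dst_port> <bytes_out>".
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in
# for arbitrary external servers.
SAMPLE_FLOWS = """\
2019-09-04T10:01:00Z 10.10.5.23 10.10.1.2 445 12000
2019-09-04T10:02:10Z 10.10.5.23 203.0.113.7 443 31457280
2019-09-04T10:04:45Z 10.10.5.23 203.0.113.7 443 29360128
2019-09-04T10:05:00Z 10.10.7.9 10.200.3.4 502 800
2019-09-04T10:06:30Z 10.10.8.14 198.51.100.20 443 4096
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_internal(addr):
    """True if the address belongs to one of our own segments.

    An explicit allow-list is used instead of ip_address.is_private because
    the documentation ranges used as sample external hosts are classed as
    non-global by the ipaddress module.
    """
    return any(addr in net for net in INTERNAL_NETS)


def segmentation_violations(flows):
    """Flows that cross from the administrative segment into the critical one."""
    return [f for f in flows if f["src"] in ADMIN_NET and f["dst"] in CRITICAL_NET]


def external_egress_by_host(flows):
    """Total bytes each administrative host sent to non-internal destinations."""
    totals = defaultdict(int)
    for f in flows:
        if f["src"] in ADMIN_NET and not is_internal(f["dst"]):
            totals[str(f["src"])] += f["bytes"]
    return dict(totals)


def suspected_exfil_hosts(flows, threshold=EXFIL_THRESHOLD_BYTES):
    """Administrative hosts whose external egress in the window exceeds the threshold."""
    return sorted(h for h, b in external_egress_by_host(flows).items() if b >= threshold)


def report(text):
    """Run both checks over raw flow text and return a summary dict."""
    flows = parse_flows(text)
    return {
        "segmentation_violations": [
            (str(f["src"]), str(f["dst"]), f["port"]) for f in segmentation_violations(flows)
        ],
        "suspected_exfil_hosts": suspected_exfil_hosts(flows),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

On the constructed data the script flags host 10.10.7.9 for reaching into the critical segment and host 10.10.5.23 for sending roughly 58 MiB to one external server across two flows; the byte threshold is deliberately a per-host aggregate so that an exfiltration split into several connections is still counted together.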