North Korean malware detected in India's Kudankulam nuclear facility

Critical internal network of the plant remained safe from the malware, the company claims

One of India's biggest nuclear power facilities was compromised by malware in an attack believed to have been the work of a North Korean hacking group.

The Nuclear Power Corporation of India (NPCIL) admitted yesterday that one of the computers at its Kudankulam nuclear power plant (KKNPP) had been attacked by malware.

The malware, NPCIL claimed, did not affect the critical internal network of the plant. The company confirmed the attack only after it had initially issued strong denials.

"Identification of malware in NPCIL system is correct," A.K. Nema, Associate Director and Appellate Authority, NPCIL, belatedly admitted in a statement.

"The matter was conveyed by CERT-In [Indian Computer Emergency Response Team] when it was noticed by them on 4 September 2019," he added.

According to Nema, the matter was investigated by cyber security specialists from the Department of Atomic Energy (DAE), who found that the compromised computer was connected to the internet and was used only for administrative work.

He added that the infection was isolated from the critical internal network of the plant.

A day earlier, KKNPP senior official R Ramdoss had rejected social media reports claiming that domain controller-level access at KKNPP had been compromised.

Ramdoss said that all nuclear power plant control systems in the country were "standalone" and were not connected to the internet or to any network outside the plant.

The infiltration of the KKNPP computer systems was disclosed on Monday by Pukhraj Singh, a cyber security professional who has worked with India's National Technical Research Organisation (NTRO) and other global security teams.

In a Twitter post, Singh claimed that the Kudankulam plant was under cyber attack. He said that the attack was first identified by a third party, who informed him about it.

He then reported the breach to the National Cyber Security Coordinator, Lt Gen Rajesh Pant, on 3 September.

On Monday, a malware sample uploaded to VirusTotal also pointed to a breach of KKNPP's systems.

Cyber security experts identified the malware as DTrack, a backdoor Trojan attributed to the North Korean hacking group Lazarus.

According to the cyber-security firm Kaspersky, the group is currently using DTrack to attack financial institutions in India. An earlier version, ATMDtrack, was built to target ATMs in India.

So far, Kaspersky has identified at least 180 samples of the DTrack malware. The main capabilities of this Trojan are:

This is not the first incident of alleged state-backed hackers attempting to infiltrate nuclear power plants.

In 2016, Germany's Gundremmingen nuclear power plant, run by the German utility RWE, discovered malware infections in a computer system associated with its fuel-handling equipment.

An investigation identified the malware as the W32.Ramnit and Conficker worms, commodity malware that was likely introduced to the plant during a retrofit of the data visualisation software associated with equipment for moving nuclear fuel rods.

In 2017, attackers targeted a petrochemical plant in Saudi Arabia with malware, later dubbed Triton (also known as Trisis), that was aimed at the plant's safety instrumented systems in an apparent attempt to trigger an explosion. A bug in the attackers' code instead tripped a safe shutdown of the plant's production systems, preventing significant damage.