The Nuclear Power Corporation of India Limited (NPCIL) has reported that malware attributed to North Korean threat actors was found on the administrative network of the Kudankulam Nuclear Power Plant. Although NPCIL has assured partners that the power plant is safe and that the malware has been neutralized, the attack raises questions about the security of India’s critical infrastructure systems.
On 28 October 2019, a threat analyst by the name of Pukhraj Singh disclosed a cyberattack on the Kudankulam Nuclear Power Plant on Twitter. After initially denying it, the Indian government confirmed the attack a day later. The Kudankulam Nuclear Power Plant (KNPP) is a joint venture between India and Russia and is in Tamil Nadu, India. Singh reportedly informed India’s National Cyber Security Coordinator of the breach a month earlier on 3 September 2019, and now details of the attack are being made public. The attack has been attributed to the Lazarus Group, a state-sponsored North Korean threat actor group that has been active since 2009 and has been responsible for a number of malware campaigns over the years. This attribution was based on the use of Dtrack malware, which Lazarus has used in past campaigns, including a string of Indian ATM attacks back in September.
Although the attackers did not gain access to the plant controls, they did access the plant’s administrative network and may have been able to exfiltrate sensitive information. Investigation by the IDAE revealed that the malware attack originated from a user who was connected to the administrative network, suggesting that the malware may have been delivered via a phishing attack on an employee. The Dtrack malware has been used in the past for politically motivated cyber-espionage campaigns. It is a Trojan malware variant that is capable of keylogging, retrieving browser history, gathering host information (IP addresses, available networks, etc.), listing running processes, and accessing files. A Dtrack malware sample recently uploaded to VirusTotal was found to contain hardcoded credentials for KNPP's internal network, meaning the malware was specifically configured to infiltrate the power plant's network and that KNPP was the intended target.
Although the motive for this attack is unclear, based on past Lazarus group activities, researchers believe the operation could have been espionage, reconnaissance, or staging for future operations. NCPIL has assured authorities that the power plant is safe and that necessary steps have been taken to prevent future incidents, however the attack has raised serious concerns about the risk of cyber attacks targeting nuclear power plants. If state sponsored cyber-attacks continue to escalate, the consequences could be dangerous and severe, with the potential to induce a core meltdown or cut power to millions of customers. This matter has caused even more apprehension in a country like India, which has many areas of high population density and rural villages that would be difficult to evacuate.
Given the destruction a cyber-related nuclear disaster could cause, cyber attacks targeting nuclear power facilities will likely be a focus of cyber security discussions in the coming years. We have already seen several successful cyber attacks, including this attack on the KNPP, targeting critical infrastructure this year. Although the consequences of these attacks have been relatively minor, experts worry that they are setting a dangerous precedence and that number and sophistication of cyber attacks targeting this sector could intensify. Smaller or older facilities that may not have as many cyber security controls in place are at an even greater risk.
Red Sky Alliance offers analytic tools like RedXray that can be used to assess these cyber security risks and identify potential issues. Red Sky Alliance is located in New Boston, NH. We are a Cyber Threat Analysis and Intelligence Service organization.
For questions, comments or assistance, please contact the lab directly at 1-844-492-7225, or email@example.com
 CPO Magazine