Post by Admin on Oct 31, 2019 21:08:44 GMT
The network of one of India's nuclear power plants was infected with malware created by North Korea's state-sponsored hackers, the Nuclear Power Corporation of India Ltd (NPCIL) confirmed today.

News that the Kudankulam Nuclear Power Plant (KNPP) might have been infected with a dangerous strain of malware first surfaced on Twitter on Monday. Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO), pointed out that a recent VirusTotal upload was actually linked to a malware infection at the KNPP.

The particular malware sample included hardcoded credentials for KNPP's internal network, suggesting the malware was specifically compiled to spread and operate inside the power plant's IT network.

MALWARE LINKED TO NORTH KOREA'S LAZARUS GROUP

Several security researchers identified the malware as a version of Dtrack, a backdoor trojan developed by the Lazarus Group, North Korea's elite hacking unit.

Singh's tweet and revelation immediately went viral because just days before, the same power plant had an unexpected shutdown of one of its reactors -- with many users conflating the two unrelated incidents as one.

Initially, KNPP officials denied that they had suffered any malware infection, issuing a statement that described the tweets as "false information" and said that a cyber-attack on the power plant was "not possible."

"Identification of malware in NPCIL system is correct," the statement started. NPCIL said the malware only infected its administrative network, but did not reach its critical internal network, the one used to control the power plant's nuclear reactors. NPCIL said the two networks were isolated.

Previous Dtrack samples have usually been spotted in politically-motivated cyber-espionage operations, and in attacks on banks -- with a custom version of Dtrack, named ATMDtrack, also being discovered last month.
Historically, the Lazarus Group, like any other North Korean hacker group, has rarely gone after targets in the energy and industrial sector. When it did, it went after proprietary intellectual property rather than sabotage. Most of North Korea's offensive hacking efforts have been focused on attaining insight into diplomatic relations, tracking former North Korean citizens who fled the country, or hacking banks and cryptocurrency exchanges to gather funds for the Pyongyang regime to raise funds for its weapons and missile programs.
Post by Admin on Oct 31, 2019 23:09:09 GMT
In a press release today, NPCIL Associate Director A. K. Nema stated, "Identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In [India's national computer emergency response team] when it was noticed by them on September 4, 2019." That matches the date threat analyst Pukhraj Singh said he reported information on the breach to India's National Cyber Security Coordinator.

"The matter was immediately investigated by [India Department of Atomic Energy] specialists," Nema stated in the release. "The investigation revealed that the infected PC belonged to a user who was connected to the Internet connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored."

Lazarus in the house

It's not clear if data was stolen from the KKNPP network. But the nuclear power plant was not the only facility Singh reported being compromised. When asked by Ars why he called the malware attack a "casus belli"—an act of war—Singh, a former analyst for India's National Technical Research Organization (NTRO), said, "It was because of the second target, which I can't disclose as of now."

The malware in question, named Dtrack by Russian malware protection company Kaspersky, has been used in widespread attacks against financial and research centers, based on Kaspersky data collected from over 180 samples of the malware. Dtrack shares elements of code from other malware attributed to the Lazarus threat group, which, according to US Justice Department indictments, is a North Korean state-sponsored hacking operation. Another version of the malware, ATMDtrack, has been used to steal data from ATM networks in India.

Dtrack appears to be an espionage and reconnaissance tool, gathering data about infected systems and capable of logging keystrokes, scanning connected networks, and monitoring active processes on infected computers.
The malware may have been delivered by an "in-memory implant," Singh said, though he added that he is waiting for confirmation from other sources. He added that he had not seen any data indicating whether data had been stolen from the KKNPP network. "I didn't have the full indicators," Singh said.

While the attack may not have given direct access to nuclear power control networks, it could have been part of an effort to establish a persistent presence on the nuclear plant's networks. As a paper published in May by the International Committee of the Red Cross on the human cost of cyber operations pointed out, "the majority of the computer devices in the world are only one or two steps away from a trusted system that a determined attacker could compromise."

Lukasz Olejnik, a security researcher who co-authored the paper, noted that "preemptive compromise of trusted systems would make attacks significantly easier," and that establishing a persistent presence on a network could aid in things such as supply-chain attacks—attempts to use software update processes or other potential opportunities to move to isolated networks to deliver an attack in the future. That's similar to the route demonstrated by Stuxnet, the malware attributed to US and Israeli intelligence that managed to jump an "air gap" into Iranian nuclear enrichment equipment controls.

While the administrative network of KKNPP was likely not a good route for such an attack given standards for nuclear control systems security, it certainly could provide information about maintenance operations that would be useful for espionage—or for a future attempted cyber-attack.