A couple of weeks back, Kaspersky disclosed the existence of Dtrack malware that has affected research centers and enterprises across 15 states of India. Turns out, a nuclear power plant has been affected by it too.
The affected plant is the Kudankulam Nuclear Power Plant (KNPP) in Tamil Nadu. Officials at KNPP initially denied the existence of the infection and claimed that a cyber attack on the power plant was not possible. However, the Nuclear Power Corporation of India Ltd (NPCIL) later confirmed the security breach.
“Identification of malware in NPCIL system is correct…The matter was immediately investigated by DAE specialists. The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network used for administrative purposes.” NPCIL said in a statement.
The infection was first noticed by a Twitter user through a recent VirusTotal upload. The malware sample reportedly included hardcoded credentials for KNPP’s internal network.
Interesting potential DTRACK (CC @Mao_Ware )
Dumps the data mined output via manually mapped share over SMB to RFC1918 address with a statically encoded user/pass:
> net use \\10.38.1.35\C$ su.controller5kk /user:KKNPP\administrator
— く̱͕̘͚ず̡̭̠ (@a_tweeter_user) October 28, 2019
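The tweet above describes a recognisable pattern: a `net use` command mapping an administrative share on a private (RFC 1918) address with the username and password written into the command line. As an added defender-side example (not from the original article or the tweet), the Python below runs that check over constructed process command lines; the hosts, shares and passwords are placeholders, not the real values.

```python
import ipaddress
import re
from typing import Optional

# Strictly RFC 1918 ranges (ipaddress.is_private also covers loopback etc.).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Administrative shares that give bulk access to a host's file system.
ADMIN_SHARES = {"c$", "admin$"}

# net use \\<host>\<share> [<password>|*] ... /user:<domain\user>
NET_USE_RE = re.compile(
    r"net\s+use\s+\\\\(?P<host>[^\\\s]+)\\(?P<share>[^\\\s]+)"
    r"(?:\s+(?P<password>[^\s/]\S*))?"
    r".*?/user:(?P<user>\S+)",
    re.IGNORECASE,
)


def is_rfc1918(host: str) -> bool:
    """True only for a literal IPv4 address inside one of the RFC 1918 ranges."""
    try:
        addr = ipaddress.IPv4Address(host)
    except ipaddress.AddressValueError:
        return False
    return any(addr in net for net in RFC1918)


def check_command_line(cmdline: str) -> Optional[dict]:
    """Flag an admin-share mapping to a private address with an inline password ('*' means prompt)."""
    m = NET_USE_RE.search(cmdline)
    if not m:
        return None
    host, share, password, user = m.group("host", "share", "password", "user")
    if share.lower() not in ADMIN_SHARES or not is_rfc1918(host) or password in (None, "*"):
        return None
    return {"host": host, "share": share, "user": user, "cmdline": cmdline}


def scan_events(events) -> list:
    """Run the check over an iterable of process command lines."""
    return [f for f in map(check_command_line, events) if f]


# Constructed sample process-creation command lines (not real telemetry).
SAMPLE_EVENTS = [
    r"cmd.exe /c net use \\10.20.30.40\C$ Placeh0lderPass /user:LAB\administrator",  # flagged
    r"net use \\10.20.30.41\C$ /user:LAB\svc *",        # password prompted, not inline
    r"net use \\fileserver01\Shared /user:LAB\alice",   # ordinary share, hostname
    r"net use \\203.0.113.7\C$ Pass /user:LAB\bob",     # not an RFC 1918 address
]

if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print(f"inline SMB credential: {finding['user']} -> \\\\{finding['host']}\\{finding['share']}")
```

Fed with process-creation telemetry (Sysmon event 1 or Windows 4688 command lines), only the first sample line is reported; prompted passwords, ordinary shares and non-private hosts are left alone.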
NPCIL emphasizes that the malware affected only the plant's administrative network and that the critical internal network remains unaffected. According to NPCIL, the two networks are isolated from each other.
For those unaware of Dtrack, it is a Remote Access Trojan (RAT) capable of recording keystrokes, retrieving browser history, uploading or downloading files and much more. The Lazarus Group, to which Dtrack is attributed, also has a related malware named ATMDtrack that targets ATM credentials.
Considering the track record of the Lazarus Group, this is more likely to be an accidental infection, as ZDNet points out, since the group is more interested in financial institutions than in industrial targets. I hope the Indian government takes the necessary steps to prevent such malware attacks in the future.