The Nuclear Power Corporation of India Limited (NPCIL) has confirmed that administrative systems at its Kudankulam Nuclear Power Plant, located in the southern Indian state of Tamil Nadu, were infected by malware but critical operations at the plant were not affected.
After initially refuting claims of a malware infection at the nuclear power plant, the public sector organisation admitted to having suffered a malware infection on Wednesday, stating that the infection was limited to the administrative network that was isolated from the critical internal network.
"Identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019.
"The matter was immediately investigated by DAE [Department of Atomic Energy] specialists. The investigation revealed that the infected PC belonged to a user who was connected in the interet connected network used for administrative purposes. This is isolated from the critical network. The networks are being continuously monitored. Investigation also confirms that the plant systems are not affected," it said.
The possibility of internal systems at the nuclear power plant being infected by highly-intrusive malware was first stated by Pukhraj Singh, a former security analyst at India’s National Technical Research Organization (NTRO), on Twitter last week.
The malware that infected administrative systems at the Kudankulam Nuclear Power Plant is believed to be a variant of DTrack which, according to Kaspersky Lab, dates back to 2013 and was developed by the Lazarus Group that reportedly works for North Korea.
DTrack malware that infected the nuclear power plant features a RAT as well
In a recent blog post, the security firm explained that DTrack is a powerful spyware and features various functionalities such as keylogging, retrieving browser history, listing running processes, listing all files on all available disk volumes, gathering host IP addresses, and gathering information about available networks and active connections.
It added that the malware's dropper also contains a remote access Trojan (RAT) which, when executed, performs various functions such as uploading files to infected computers, downloading files from infected computers, executing processes on the victim’s host, making target files persistent with auto-execution on the victim’s host start, dumping all disk volume data and uploading it to a host controlled by criminals, and dumping disk volume and uploading it to a host controlled by criminals.
"The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development. They continue to develop malware at a fast pace and expand their operations.
"We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centres. And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks," Kaspersky Lab added.
Commenting on the malware infection affecting India's largest nuclear power plant, Andrea Carcano, co-founder and CPO at Nozomi Networks, said that the consequences of not investing in industrial cyber security could be numerous and severe, particularly if a nuclear power station is targeted.
"Dtrack malware may usually be used for reconnaissance purposes but the information gathered from infected industrial and critical infrastructure plants could be used for other malicious purposes.
"It is imperative that critical infrastructure organisations put plans in place to prevent malicious attacks, and the cyber security community comes together to share expertise and knowledge on identifying and providing solutions to cybersecurity challenges. Applying artificial intelligence and machine learning detection and response enables organisations to monitor for malware and rapidly respond to remove malicious code," she added.