Skip to main content

Hackers Target Indian Nuclear Power Plant – Everything We Know So Far.. !!





A story has been making the rounds on the Internet since yesterday about a cyber attack on an Indian nuclear power plant.

Due to some experts commentary on social media even after lack of information about the event and overreactions by many, the incident received factually incorrect coverage widely suggesting a piece of malware has compromised "mission-critical systems" at the Kudankulam Nuclear Power Plant.

Relax! That's not what happened. The attack merely infected a system that was not connected to any critical controls in the nuclear facility.

Here we have shared a timeline of the events with brief information on everything we know so far about the cyberattack at Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu.

From where this news came?


The story started when Indian security researcher Pukhraj Singh tweeted that he informed Indian authorities a few months ago about an information-stealing malware, dubbed Dtrack, which successfully hit "extremely mission-critical targets" at Kudankulam Nuclear Power Plant.

According to Pukhraj, the malware managed to gain domain controller-level access at the nuclear facility.


What is the Dtrack malware (linked to the North Korean hackers)?


According to a previous report published by researchers at Kaspersky, Dtrack is a remote access Trojan (RAT) intended to spy on its victims and install various malicious modules on the targeted computers, including:

  • keylogger,
  • browser history stealer,
  • functions that collect host IP address, information about available networks and active connections, list of all running processes, and also the list of all files on all available disk volumes.

Dtrack allows remote attackers to download files to the victim's computer, execute malicious commands, upload data from the victim's computer to a remote server controlled by attackers, and more.

According to the researchers, Dtrack malware was developed by the Lazarus Group, a hacking group believed to be working on behalf of North Korea's state spy agency.

How did the Indian Government respond?


Immediately after Pukhraj's tweet, many Twitter users and Indian opposition politicians, including Congress MP Shashi Tharoor, demanded an explanation from the Indian Government about the alleged cyberattack — which it never disclosed to the public.


In response to the initial media reports, the Nuclear Power Corporation of India (NPCIL), a government-owned entity, on Tuesday released an official statement, denying any cyber attack on the control system of the nuclear power plant.

"This is to clarify Kudankulam Nuclear Power Plant (KNPP) and other Indian Nuclear Power Plants Control are stand-alone and not connected to outside cyber network and Internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible," the NPCIL statement reads.

To be honest, the statement is factually correct, except the "not possible" part, as Pukhraj was also talking about the compromise of the administrative IT network, not the critical systems that control the power plant.

Indian Government later acknowledged the cyberattack, but...


However, while primarily addressing false media reports and rumors of Stuxnet like malware attack, the NPCIL, intentionally or unintentionally, left an important question unanswered:

If not control systems, then which systems were actually compromised?
When the absolute denial backfired, NPCIL on Wednesday released a second statement, confirming that there was indeed a cyberattack, but it was limited only to an Internet-connected computer used for administrative purposes, which is isolated from any mission-critical system at the nuclear facility.

"Identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019," the NPCIL statement reads.

"The investigation revealed that the infected PC belonged to a user who was connected to the Internet-connected network. This is isolated from the critical internal network. The networks are being continuously monitored."

Though North Korean hackers developed the malware, the Indian Government has not yet attributed the attack to any group or country.

What could attackers have achieved?


For security reasons, control processing technologies at nuclear power plants are typically isolated from the Internet or any other computers that are connected to the Internet or external network.

Such isolated systems are also termed as air-gapped computers and are common in production or manufacturing environments to maintain a gap between the administrative and operational networks.

Compromising an Internet-connected administrative system doesn't allow hackers to manipulate the air-gapped control system. Still, it certainly could allow attackers to infect other computers connected to the same network and steal information stored in them.

If we think like a hacker who wants to sabotage a nuclear facility, the first step would be collecting as much information about the targeted organization as possible, including type of devices and equipment being used in the facility, to determine the next possible ways to jump through air gaps.

The Dtrack malware could be the first phase of a bigger cyber-attack that, fortunately, get spotted and raised the alarm before causing any chaos.

However, it has not yet been revealed, by researchers or the Government, that what kind of data the malware was able to steal, analysis of which could be helpful to shed more light on the gravity of the incident.

Comments

Popular posts from this blog

Applications and Threats Content Release Notes

  Threat Intelligence Report Top Attacks and Breaches The biochemical systems at an Oxford university research lab currently studying the Covid-19 pandemic has been  breached . Clinical research was not affected by the incident. Breached systems include machines used to prepare biochemical samples, and hackers are currently attempting to  sell  their access to those machines. Twitter has permanently  suspended  multiple accounts found to be part of four disinformation campaign networks, most likely operated by state-sponsored actors associated with Iran, Russia and Armenia. The Iranian infrastructure was previously used to disrupt the 2020 US presidential campaign discourse. Gmail accounts of global pro-Tibet organizations have been  targeted  by the Chinese APT TA413, an espionage group known for its operations against civil dissidents. The campaign leverages a customized malicious Mozilla Firefox browser extension to gain control over the victims’ Gmail accounts. Npower, a British ga

Cisco Releases Security Updates for Cisco ASA 5506-X, 5508-X, 5516-X and Firepower// Cisco Bug IDs: CSCvp36425

A vulnerability in the cryptographic driver for Cisco Adaptive Security Appliance Software (ASA) and Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to cause the device to reboot unexpectedly. The vulnerability is due to incomplete input validation of a Secure Sockets Layer (SSL) or Transport Layer Security (TLS) ingress packet header. An attacker could exploit this vulnerability by sending a crafted TLS/SSL packet to an interface on the targeted device. An exploit could allow the attacker to cause the device to reload, which will result in a denial of service (DoS) condition. Note:  Only traffic directed to the affected system can be used to exploit this vulnerability. This vulnerability affects systems configured in routed and transparent firewall mode and in single or multiple context mode. This vulnerability can be triggered by IPv4 and IPv6 traffic. A valid SSL or TLS session is required to exploit this vulnerability. Cisco has rel

Site-to-site IPsec VPN with two FortiGates

In this example, you will allow transparent communication between two networks that are located behind different FortiGates at different offices using route-based IPsec VPN. The VPN will be created on both FortiGates by using the VPN Wizard's   Site to Site - FortiGate   template. In this example, one office will be referred to as HQ and the other will be referred to as Branch. 1. Configuring the HQ IPsec VPN On the HQ FortiGate, go to  VPN > IPsec Wizard . Select the  Site to Site  template, and select  FortiGate . In the  Authentication  step, set  IP Address  to the IP of the Branch FortiGate (in the example,  172.20.120.135 ). After you enter the gateway, an available interface will be assigned as the  Outgoing Interface . If you wish to use a different interface, select it from the drop-down menu. Set a secure  Pre-shared Key . In the  Policy & Routing  step, set the  Local Interface . The  Local Subnets  will be added automatically. Set  Remote