3 November 2019

Indian nuke plant’s network reportedly hit by malware tied to N. Korea

by Sean Gallagher

A former analyst for India’s National Technical Research Organization (NTRO) has tied a malware report published by VirusTotal to a cyber attack on India’s Kudankulam Nuclear Power Plant. The malware, identified by researchers as North Korea’s Dtrack, was reported by Pukhraj Singh to have gained “domain controller-level access” at Kudankulam. The attack has been reported to the government.

So, it’s public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets

The attack likely did not affect reactor controls, but it may have targeted research and technical data. It apparently focused on the collection of technical information: the malware mounted a Windows SMB network share, using credentials hard-coded into the malware itself, and used it to aggregate the files to be stolen. Dtrack was tied to North Korea’s Lazarus threat group by researchers based on code shared with DarkSeoul, the 2013 wiper attack that destroyed hard drives at South Korean media companies and banks.


Singh alluded to the attack in a September 7 tweet, in which he wrote, “I just witnessed a casus belli in the Indian cyberspace and it sucks at every level.” He said that he did not discover the intrusion himself but learned of it from “a third party.” Singh passed on the information to India’s National Cyber Security Coordinator on September 4, and the third party shared the indicators of compromise “over the preceding days.” Kaspersky later identified the malware involved as Dtrack, Singh said.
Over reaction

Officials at Kudankulam have said that the plant is safe from cyber attack because the control systems network is isolated from the plant’s administrative networks, but they have not addressed what data may have been stolen. In a press release, the training superintendent and information officer for the Kudankulam Nuclear Power Project (KKNPP) said that the plant “and other Indian Nuclear Power Plants Control Systems are standalone and not connected to outside cyber network and Internet… Any Cyber attack on the Nuclear Power Plant Control System is not possible.” The official said that both of the plant’s reactors are currently up and running “without any operational or safety concerns.”

The KKNPP is India’s largest nuclear facility and has been a source of controversy since construction began in 2002. Its activation was delayed for nearly a decade by protests from local fishermen and other activists. A collaboration with Russia’s Atomstroyexport (a subsidiary of Rosatom, Russia’s government-owned nuclear energy technology company), KKNPP is planned to operate six reactors eventually—but only two are active, and the plant has had numerous safety issues. The plant currently lacks an offsite spent nuclear fuel storage facility, which prompted a court battle to have the plant shut down until one was built.

There have been over 70 shutdowns since the reactors went active in 2013. And on October 19, the plant’s second reactor was shut down due to a fault in the reactor’s steam generation, according to KKNPP officials. The shutdown was not related to the malware attack, officials asserted.

Ars Technica · by Sean Gallagher · October 29, 2019
