On Monday, October 28, 2019, news began emerging on Twitter that the Kudankulam Nuclear Power Plant (KNPP) might have been infected with a dangerous strain of malware. Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO) and a researcher closely following the matter, concluded that a recent VirusTotal upload was linked to a malware infection at the KNPP. Initially, the KNPP denied that it had suffered a security incident. Matters were not helped by the station experiencing a shutdown of one of its reactors, which led the public to conclude, incorrectly, that the malware incident was related to the shutdown.
Initially, the power plant responded by saying the reports amounted to “false information”; however, in a separate statement released on October 30, the power plant admitted it had indeed suffered a cybersecurity incident. While the power plant stuck its head in the sand, numerous researchers were analyzing the sample uploaded to VirusTotal. Several researchers concluded that the malware used was DTrack, a custom trojan developed and deployed by the Lazarus Group. For those needing a reminder, Lazarus is probably North Korea’s top state-sponsored hacking group, responsible for the theft of millions of dollars.
In the statement released by the power utility, the Nuclear Power Corporation of India Limited (NPCIL), it was confirmed that the researchers were indeed correct and that the malware was DTrack. NPCIL said the malware only infected its administrative network and did not reach its critical internal network, the one used to control the power plant's nuclear reactors; according to NPCIL, the two networks are isolated. In addition, NPCIL confirmed statements made by Singh on Twitter: that it received notification from CERT-In (India's national CERT) on September 4, when the malware was first spotted, and that it investigated the matter at the time of the report.
In Kaspersky’s analysis of DTrack, researchers determined that the trojan was primarily used for reconnaissance and that, once a high-value target was infected, it could later be used to drop other custom malware strains depending on the attackers' objectives. As to the reconnaissance role of DTrack, researchers noted it had the following features:
- retrieving browser history,
- gathering host IP addresses, information about available networks and active connections,
- listing all running processes,
- listing all files on all available disk volumes.
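The four capabilities above describe a behaviour, not a signature, so one way to hunt for them is a behavioural rule over file-access telemetry. The following is an added example written for this page, not Kaspersky's analysis or anything published by NPCIL: it flags a process that both reads a browser history store and sweeps directory trees on more than one disk volume. The event schema, sample events, process names and thresholds are constructed for the example; the Chrome `User Data\<profile>\History` and Firefox `places.sqlite` paths are the real browser history stores.

```python
"""Behavioural heuristic for host reconnaissance of the kind described above.

Added example (not code from the page or from Kaspersky). The event tuples,
schema and process names are constructed; only the browser history file
locations are real.
"""
import re
from collections import defaultdict

# Browser history stores: Chrome keeps "History" under User Data\<profile>\,
# Firefox keeps places.sqlite in each profile directory.  Matched by suffix
# so the profile name does not matter.
BROWSER_HISTORY = re.compile(
    r"(\\User Data\\[^\\]+\\History$)|(\\places\.sqlite$)", re.IGNORECASE
)
VOLUME_ROOT = re.compile(r"^([A-Za-z]:\\)")

# Constructed events: (timestamp_seconds, pid, image, operation, path).
# Loosely modelled on a file-access audit log; the schema is an assumption.
EVENTS = [
    (0, 4212, "C:\\Windows\\Temp\\svc.exe", "read",
     "C:\\Users\\ops\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"),
    (1, 4212, "C:\\Windows\\Temp\\svc.exe", "read",
     "C:\\Users\\ops\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\a1b2.default\\places.sqlite"),
    (2, 4212, "C:\\Windows\\Temp\\svc.exe", "list", "C:\\"),
    (2, 4212, "C:\\Windows\\Temp\\svc.exe", "list", "C:\\Users"),
    (3, 4212, "C:\\Windows\\Temp\\svc.exe", "list", "C:\\Users\\ops\\Documents"),
    (4, 4212, "C:\\Windows\\Temp\\svc.exe", "list", "D:\\"),
    (4, 4212, "C:\\Windows\\Temp\\svc.exe", "list", "D:\\Shares"),
    # Benign: the browser reading its own history, with no volume sweep.
    (7, 1188, "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "read",
     "C:\\Users\\ops\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"),
    # Benign: a backup agent sweeping both volumes, but reading no history store.
    (9, 2044, "C:\\Program Files\\Backup\\agent.exe", "list", "C:\\"),
    (9, 2044, "C:\\Program Files\\Backup\\agent.exe", "list", "C:\\Users"),
    (10, 2044, "C:\\Program Files\\Backup\\agent.exe", "list", "D:\\"),
]


def volume_of(path):
    """Return the upper-cased drive root ('C:\\') of a Windows path, or None."""
    m = VOLUME_ROOT.match(path)
    return m.group(1).upper() if m else None


def find_recon_processes(events, window=60, min_volumes=2, min_listings=3):
    """Return {pid: summary} for processes that, within `window` seconds of
    their first logged event, read a browser history store AND listed
    directories on at least `min_volumes` distinct volumes at least
    `min_listings` times.  Requiring both conditions keeps browsers and
    backup tools out of the result."""
    per_pid = defaultdict(list)
    for ts, pid, image, op, path in sorted(events):
        per_pid[pid].append((ts, image, op, path))

    hits = {}
    for pid, evs in per_pid.items():
        start = evs[0][0]
        history_reads, volumes, listings = [], set(), 0
        for ts, image, op, path in evs:
            if ts - start > window:
                break
            if op == "read" and BROWSER_HISTORY.search(path):
                history_reads.append(path)
            elif op == "list":
                listings += 1
                vol = volume_of(path)
                if vol:
                    volumes.add(vol)
        if history_reads and len(volumes) >= min_volumes and listings >= min_listings:
            hits[pid] = {
                "image": evs[0][1],
                "history": history_reads,
                "volumes": sorted(volumes),
                "listings": listings,
            }
    return hits


if __name__ == "__main__":
    for pid, summary in find_recon_processes(EVENTS).items():
        print(pid, summary["image"], summary["volumes"], summary["listings"])
```

On the constructed events only pid 4212 is flagged: the browser reads its own history but lists nothing, and the backup agent sweeps both volumes but never touches a history store. The thresholds are deliberately loose; in production they would be tuned against a baseline of the estate's own file-access volume.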
Kaspersky's researchers concluded, with regard to DTrack and Lazarus, that
“The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT groups in terms of malware development. They continue to develop malware at a fast pace and expand their operations. We first saw early samples of this malware family in 2013, when it hit Seoul. Now, six years later, we see them in India, attacking financial institutions and research centers. And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks.”
Not the Regular Modus Operandi
In the past, Lazarus mainly operated by either targeting financial institutions to steal vast amounts of funds or conducting pure cyber espionage. The group was not known for targeting industrial complexes and power stations; the rare instances in which it had done so were mainly attempts to steal intellectual property. Is this a new face to North Korean cyber operations? The simple answer, and the one spy novel writers won’t like, is probably not. The vast majority of Lazarus’ actions center around financial gain for the embargoed country's weapons development programs. A secondary objective seen is tracking and keeping tabs on North Korean defectors.
Finding a known APT group's malware on a network is a serious security breach, doubly so on a nuclear power station. However, despite how easy it is to overreact in these situations, hoping that this is not the sequel to Chernobyl, this infection was probably incidental. In all likelihood the nuclear power plant was not the intended target of the campaign currently being conducted by the Lazarus Group. India, however, is in the middle of a storm regarding a Lazarus campaign, one that has primarily been targeting Indian financial institutions.
Indian banks are currently under siege by Lazarus using DTrack as well as ATMDTrack, a piece of malware based on DTrack that specifically targets ATMs. This campaign is squarely within Lazarus’ wheelhouse, and Kaspersky attributed it to Lazarus, stating,
“When we first discovered ATMDtrack, we thought we were just looking at another ATM malware family because we see new ATM malware families appearing on a regular basis. However, this case proved once again that it is important to write proper YARA rules and have a solid working attribution engine because this way you can uncover connections with malware families that have appeared in the past. One of the most memorable examples of this was the WannaCry attribution case. Now we can add another family to the Lazarus group’s arsenal: ATMDtrack and Dtrack.”
While not the world-ending cyber incident better suited to the pages of a spy novel, the incident does raise important questions. Perhaps one of the more important of these relates to the power utility’s initial denial. If the utility and India’s CERT knew about the incident in September, why wait until it was discovered by outside researchers? And why try to discredit the work of a security researcher by labelling it “false information” when it was known to be the truth? This will not be an incident remembered for North Korean cyber aggression, but rather for how not to respond to a cyber incident.