Indian Nuke Plant’s Network Reportedly Hit by Malware tied to N.Korea (Oct 29, 2019)
A cyber attack on India's Kudankulam Nuclear Power Plant has been reported to be linked to the North Korean malware "Dtrack". The disclosure came from Pukhraj Singh, a former analyst at India's National Technical Research Organization (NTRO), who reported it to India's National Cyber Security Coordinator on September 4. Dtrack has been connected to North Korea's Lazarus Group via another malware used by the group called "DarkSeoul", which was used to wipe hard drives in South Korean media companies and banks in 2013. The attack on the power plant used a Windows SMB network drive share with hard-coded credentials to steal files. The attack did not target reactor controls but instead focused on research and technical data.
Recommendation: Power plants illustrate why control systems must be isolated from any network used by the rest of the organisation. These systems should also be air-gapped to prevent threat actors from reaching them over the network. Thankfully, in the case of Kudankulam, the necessary precautions had been taken. Because systems are increasingly isolated, actors are resorting to different methods of infection: they have been known to drop USB drives near facilities in the hope that employees will insert them into company computers and infect systems. It is therefore crucial that your company has policies in place that forbid employees from using unknown USB drives, and that only a limited number of personnel have access to such sensitive systems.
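The two behaviours described above, file collection over an SMB share and a single hard-coded credential reused from many hosts, can be checked for in share-access logs. The following is an added example written for this digest, not code from the original report or from any vendor: it assumes a hypothetical, constructed log format (timestamp, source host, account, UNC share, files read) and a short allowlist of hosts permitted to reach the OT file share, and flags segmentation violations and credential reuse.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a hypothetical share-access format
# (not real Kudankulam data): time host account share files_read
SAMPLE_LOG = """\
2019-09-03T10:01:02 eng-ws-07 svc_backup \\\\ot-fileserver\\research 12
2019-09-03T10:01:09 eng-ws-12 svc_backup \\\\ot-fileserver\\research 9
2019-09-03T10:01:15 eng-ws-21 svc_backup \\\\ot-fileserver\\research 30
2019-09-03T10:05:00 backup-srv svc_backup \\\\ot-fileserver\\research 1
2019-09-03T11:00:00 corp-laptop-3 jdoe \\\\ot-fileserver\\research 2
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)$")

def parse(log_text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            t, host, account, share, n = m.groups()
            events.append({"time": t, "host": host, "account": account,
                           "share": share.lower(), "files": int(n)})
    return events

def find_findings(log_text, ot_shares, allowed_hosts, reuse_threshold=3):
    """Return sorted (rule, detail) findings.

    segmentation-violation: a host outside the allowlist touched an OT share,
    which an isolated control network should never show.
    shared-credential-reuse: one account reached the same share from at least
    reuse_threshold distinct hosts, the pattern a hard-coded credential leaves.
    """
    findings = set()
    hosts_per_account_share = defaultdict(set)
    for ev in parse(log_text):
        if ev["share"] in ot_shares and ev["host"] not in allowed_hosts:
            findings.add(("segmentation-violation", f'{ev["host"]} -> {ev["share"]}'))
        hosts_per_account_share[(ev["account"], ev["share"])].add(ev["host"])
    for (account, share), hosts in hosts_per_account_share.items():
        if len(hosts) >= reuse_threshold:
            findings.add(("shared-credential-reuse",
                          f"{account} on {share} from {len(hosts)} hosts"))
    return sorted(findings)
```

The allowlist and threshold are the tuning points: on a genuinely isolated control network the allowlist should be tiny, and any hit on either rule warrants a look at what the share holds.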