North Korean malware has reportedly infected a computer at a nuclear power plant in India.
The company that runs the Kudankulam Nuclear Power Plant confirmed on Wednesday that a computer at the site had been hit with malware. “The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network used for administrative purposes,” the Nuclear Power Corporation of India Limited said in a statement.
Fortunately, the malicious code never spread to the industrial control systems that directly manage the nuclear power plant’s processes. “This is isolated from the critical network,” the company added. The “investigation also confirms that the plant systems are not affected.”
News of the infection first came to light on Monday when Indian cybersecurity analyst Pukhraj Singh said a third party had alerted him to an intrusion at the power plant’s IT network. He then notified government cyber authorities on Sept. 3, which sparked the investigation.
So, it’s public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit. https://t.co/rFaTeOsZrw pic.twitter.com/OMVvMwizSi
— Pukhraj Singh (@RungRage) October 28, 2019
According to Singh, a sample of the Windows-based malware was also uploaded to VirusTotal, a service that runs a submitted file through dozens of antivirus engines and reports which of them flag it. Several engines tied the sample to a spyware strain known as “Dtrack,” a remote access Trojan that lets an attacker control an infected machine and steal files from it.
“If successfully implemented, the spyware is able to list all available files and running processes, key logging, browser history, and host IP addresses, including information about available networks and active connections,” according to antivirus firm Kaspersky Lab. It can also be used to download other malicious code.
Dtrack has also been connected to a North Korean state-sponsored hacking group known as Lazarus, which was blamed for the 2014 Sony Pictures breach and the 2017 WannaCry ransomware outbreak. According to Kaspersky Lab, Dtrack’s code shares similarities with earlier malware that has also been tied to the same North Korean group.
Dtrack infections have hit financial institutions and research centers in India, Kaspersky Lab said in a report last month. At the time, the company said it had uncovered more than 180 Dtrack malware samples.
How the spying tool ended up on a nuclear power plant’s computer remains unclear. But it raises the disturbing prospect that North Korean hackers stole sensitive files about the plant’s operations from the administrative network, even though they never reached the industrial control systems.
In response to the breach, the Nuclear Power Corporation of India Limited says it’s continuing to monitor the power plant’s networks. As a safeguard, the industrial control systems that manage the power plant’s processes operate without any access to the outside internet.