
Cyber Incident Victim: Kudankulam Nuclear Power Plant

Date:

Sep 2019

Location:

India

Summary

Malware linked to North Korea's Lazarus Group was discovered on the administrative network of an Indian nuclear power plant, initially denied by officials but later confirmed by its parent organization. The Dtrack malware, designed for reconnaissance and data collection, contained hardcoded credentials specific to the facility's internal systems but did not compromise operational controls due to network isolation. The infection, detected through external analysis of a VirusTotal upload, was part of broader Lazarus campaigns targeting Indian financial institutions, suggesting accidental exposure rather than deliberate sabotage. Authorities were notified promptly, and investigations indicated the malware's capabilities included keylogging, process enumeration, and network mapping for potential espionage or payload delivery.

Motives:

2 motives

Tactics, Techniques & Procedures:

1 technique

Threat Actor:

1 actor

Description

The Kudankulam Nuclear Power Plant (KNPP) in India experienced a cybersecurity incident involving malware attributed to North Korea's Lazarus Group, first detected on September 4, 2019. India's Computer Emergency Response Team (CERT) notified the Nuclear Power Corporation of India Limited (NPCIL), KNPP's parent organization, of the intrusion on that date. Initial public awareness emerged two days after October 28, 2019, when Pukhraj Singh, a former analyst with India's National Technical Research Organization, identified a malware sample uploaded to VirusTotal containing hardcoded credentials specific to KNPP's internal network. This sample was configured to propagate within the plant's IT infrastructure. Singh's social media disclosure on October 28 triggered widespread attention, compounded by coincidental timing with an unrelated reactor shutdown at KNPP days earlier, which some erroneously linked to the cyber incident. KNPP initially denied any compromise on October 29, dismissing reports as "false information" and asserting cyberattacks were "not possible" against its systems.


NPCIL confirmed the breach on October 30, acknowledging malware presence in its administrative network while emphasizing isolation from the operational technology network controlling the reactors. Analysis by Kaspersky identified the malware as Dtrack, a Lazarus Group backdoor trojan historically deployed in financial cyberespionage and reconnaissance operations. The variant could log keystrokes, harvest browser histories, map network configurations, enumerate running processes, and survey files across disk volumes. Its design suggested intent for initial intrusion and payload delivery rather than direct sabotage. NPCIL's investigation determined the malware did not penetrate critical systems, and there was no disruption to nuclear operations. The incident marked a deviation from Lazarus Group's typical targeting patterns, which prior to 2019 focused predominantly on financial institutions, cryptocurrency exchanges, and geopolitical espionage rather than energy infrastructure. Security researchers assessed that the KNPP infection might represent incidental collateral damage from broader Lazarus Group campaigns distributing Dtrack and its ATMDtrack variant across Indian networks during this period, rather than a deliberate attack on nuclear systems.
