Cyber Incident Victim: Nuclear Power Corporation of India Ltd.
Date: Sep 2019
Location: India
Summary
Malware associated with North Korea's Lazarus Group was discovered on the administrative network of an Indian nuclear power plant, though it did not breach the isolated critical control systems. The Dtrack malware, designed for reconnaissance and deploying additional payloads, included capabilities such as keylogging, harvesting network data, and file enumeration. The infection was initially reported by a former security analyst after identifying hardcoded plant credentials in a malware sample, prompting denial from plant officials before the parent organization confirmed the breach. Investigations revealed the incident likely resulted from broader Lazarus Group activity targeting India's financial sector, with the nuclear plant's compromise appearing accidental rather than a deliberate sabotage attempt.
Description
The Kudankulam Nuclear Power Plant (KNPP) in India experienced a cybersecurity incident involving malware linked to North Korea's Lazarus Group, first publicly disclosed via Twitter on September 30, 2019. Former Indian National Technical Research Organization analyst Pukhraj Singh identified a malware sample uploaded to VirusTotal containing hardcoded credentials specific to KNPP's internal network, indicating deliberate targeting of the plant's IT infrastructure. Security researchers attributed the malware to Dtrack, a reconnaissance trojan historically associated with North Korean state-sponsored hackers. This disclosure occurred shortly after an unrelated reactor shutdown at KNPP, leading to initial public confusion about potential sabotage. KNPP officials initially denied any breach, dismissing reports as "false information" and asserting cyberattacks were "not possible" due to network isolation measures.

On October 30, 2019, the Nuclear Power Corporation of India Limited (NPCIL), KNPP's parent organization, confirmed the malware infection while clarifying its limited impact. NPCIL stated the malware compromised only the administrative network and did not penetrate the isolated critical internal network controlling nuclear reactors. The organization acknowledged receiving an alert from India's Computer Emergency Response Team (CERT-In) on September 4, 2019, prompting an immediate investigation. Analysis by Kaspersky revealed Dtrack's capabilities included keylogging, harvesting browser histories, mapping networks, enumerating processes, and scanning files—functionality consistent with cyberespionage operations. The Lazarus Group had recently targeted Indian financial institutions with customized Dtrack variants like AMTDtrack, suggesting KNPP's infection might have been incidental rather than a deliberate industrial sabotage attempt. Historical Lazarus activities focused primarily on financial theft, diplomatic espionage, and tracking defectors, with no precedent for destructive attacks on energy infrastructure. NPCIL maintained no operational systems were affected, attributing the breach to administrative network vulnerabilities without disclosing specific remediation actions beyond initial containment.
