Was Hack on Indian Nuclear Plant Used to Test Cyber Intrusion Abilities?

Sam Spencer @Spence9022
October 31, 2019 18:09 UTC

The Nuclear Power Corporation of India has confirmed the discovery of malware on its network. According to a statement, the infection was found on a central computer that was not connected to the more sensitive internal systems.

Cybersecurity experts have linked the malicious code to North Korea’s Lazarus Group. The hacker unit uses a range of attack vectors to steal funds for the administration. Pukhraj Singh, a former researcher at India’s National Technical Research Organization (NTRO), indicated via social media that the malware could be traced back to a recent VirusTotal finding.

Dubbed Dtrack, the version uploaded to the platform was specifically coded to target the institution’s IT infrastructure. An analysis of the malware reveals that it was set up to collect data on the facility’s network. The version relies on Windows SMB protocol file-sharing permissions to bypass security systems.

Dtrack is primarily configured as spyware and can collect keystrokes, list available files, and record browser history. It can additionally download other malware payloads.

There are numerous strains of Dtrack malware in the wild. Investigators recently stumbled upon a bunch of them on Indian ATMs. They were programmed to read user card information.

Questions pertaining to the latest attack on industrial systems linger because the Lazarus Group does not typically target such systems. Its most notable hacking campaigns have been tied to major crypto heists, some of which have led to hundreds of millions in losses.

Lazarus Hacker Unit Has Been Tied to Some Major Heists

The Lazarus hacker unit is said to be sponsored by the North Korean regime. It is tasked with finding loopholes on computer networks to steal funds, mine cryptocurrencies, and spy on foreign administrations.

The syndicate is believed to have been behind the audacious 2016 Bangladesh bank heist, which led to a loss of over $81 million. Its hackers were able to find loopholes in the SWIFT international money transfer system. This allowed them to use bank employee credentials to send money to the Philippines-based Rizal Commercial Banking Corporation.

The funds were laundered via the country’s casino industry, which is exempted from complying with anti-money laundering laws.

Are Hackers Targeting India Nuclear Facilities for Testing?

Some analysts believe that the latest finding could be purely coincidental because it’s hard to discern the purpose of the attempt. That said, some intrusions targeting nuclear power plants have been found to serve as reconnaissance in preparation for the main attack and, in some cases, as tests. Initial infection techniques include spear-phishing, watering-hole domain exploits, and computer-based systems exploitation.

Hackers usually employ spyware to initially gain critical information about the inner workings of a station and determine which sections to infect. Reusing malware code developed by other hacker groups helps erase digital fingerprints, obscuring the source of the attack.

In some instances, power facilities have been targeted to test hacking abilities and simulate similar attacks on related environments. Breaching nuclear facilities is the ultimate cyber threat because there is the potential to take down entire power grids in the event of an all-out cyber-war. As such, hackers, especially state-sponsored actors, are likely to continue probing such sectors.

This article was edited by Gerelyn Terzo.
