Skip to main content

Indian Nuclear Power Plant Hacked ? Everything that we know up till now.


A story has been making the rounds on the Internet since yesterday about a cyber attack on an Indian nuclear power plant.

Due to some experts commentary on social media even after lack of information about the event and overreactions by many, the incident received factually incorrect coverage widely suggesting a piece of malware has compromised "mission-critical systems" at the Kudankulam Nuclear Power Plant.

Relax! That's not what happened. The attack merely infected a system that was not connected to any critical controls in the nuclear facility.

Here we have shared a timeline of the events with brief information on everything we know so far about the cyberattack at Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu.

From where this news came?


The story started when Indian security researcher Pukhraj Singh tweeted that he informed Indian authorities a few months ago about an information-stealing malware, dubbed Dtrack, which successfully hit "extremely mission-critical targets" at Kudankulam Nuclear Power Plant.
According to Pukhraj, the malware managed to gain domain controller-level access at the nuclear facility.


What is the Dtrack malware (linked to the North Korean hackers)?


According to a previous report published by researchers at Kaspersky, Dtrack is a remote access Trojan (RAT) intended to spy on its victims and install various malicious modules on the targeted computers, including:

  • keylogger,
  • browser history stealer,
  • functions that collect host IP address, information about available networks and active connections, list of all running processes, and also the list of all files on all available disk volumes.

Dtrack allows remote attackers to download files to the victim's computer, execute malicious commands, upload data from the victim's computer to a remote server controlled by attackers, and more.

According to the researchers, Dtrack malware was developed by the Lazarus Group, a hacking group believed to be working on behalf of North Korea's state spy agency.

How did the Indian Government respond?


Immediately after Pukhraj's tweet, many Twitter users and Indian opposition politicians, including Congress MP Shashi Tharoor, demanded an explanation from the Indian Government about the alleged cyberattack — which it never disclosed to the public.


In response to the initial media reports, the Nuclear Power Corporation of India (NPCIL), a government-owned entity, on Tuesday released an official statement, denying any cyber attack on the control system of the nuclear power plant.
Web Application Firewall

"This is to clarify Kudankulam Nuclear Power Plant (KNPP) and other Indian Nuclear Power Plants Control are stand-alone and not connected to outside cyber network and Internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible," the NPCIL statement reads.

To be honest, the statement is factually correct, except the "not possible" part, as Pukhraj was also talking about the compromise of the administrative IT network, not the critical systems that control the power plant.

Indian Government later acknowledged the cyberattack, but...


However, while primarily addressing false media reports and rumors of Stuxnet like malware attack, the NPCIL, intentionally or unintentionally, left an important question unanswered:

If not control systems, then which systems were actually compromised?
When the absolute denial backfired, NPCIL on Wednesday released a second statement, confirming that there was indeed a cyberattack, but it was limited only to an Internet-connected computer used for administrative purposes, which is isolated from any mission-critical system at the nuclear facility.

"Identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019," the NPCIL statement reads.

"The investigation revealed that the infected PC belonged to a user who was connected to the Internet-connected network. This is isolated from the critical internal network. The networks are being continuously monitored."

Though North Korean hackers developed the malware, the Indian Government has not yet attributed the attack to any group or country.

What could attackers have achieved?


For security reasons, control processing technologies at nuclear power plants are typically isolated from the Internet or any other computers that are connected to the Internet or external network.

Such isolated systems are also termed as air-gapped computers and are common in production or manufacturing environments to maintain a gap between the administrative and operational networks.

Compromising an Internet-connected administrative system doesn't allow hackers to manipulate the air-gapped control system. Still, it certainly could allow attackers to infect other computers connected to the same network and steal information stored in them.

If we think like a hacker who wants to sabotage a nuclear facility, the first step would be collecting as much information about the targeted organization as possible, including type of devices and equipment being used in the facility, to determine the next possible ways to jump through air gaps.

The Dtrack malware could be the first phase of a bigger cyber-attack that, fortunately, get spotted and raised the alarm before causing any chaos.

However, it has not yet been revealed, by researchers or the Government, that what kind of data the malware was able to steal, analysis of which could be helpful to shed more light on the gravity of the incident.
Source: The Hacker News

Comments

Popular posts from this blog

10 Best Forum Software For Webmasters

10 Best Forum Software For Webmasters Do you want to create your online discussion forum or online community where people can discuss about their favorite topics? In this article, you can see 10 best forum software (scripts for setting up discussion forums) that can be used free of cost. Although some scripts are paid but rest of these forum scripts are free to use.You only need to buy hosting space and domain name for your website and after then you can install any of these forum scripts to start your own discussion forums on the internet. Online discussion forums generate huge page views because thousands of people want to join online discussion forums to ask questions or share knowledge. Some of online marketers join forums to discuss about their products with community members. You don't need to acquire any kind of technical skill to run a professional discussion forums because these days, almost all web hosting providers offer one click script installer which h...

|Bypass Symlink on 2013 Server With Different .htaccess and Methods by Sen Haxor |

Hi, Guys,  Please a wonderfull tutorial provided bt Sem;\  Today I gonna Explain how to bypass Symlink on 2013 Server With Different .htaccess and Methods. So let's Get Started :) Note: This method is not applicable for Godaddy, Bluehost, Hostgator and Hostmonstor Servers. For This First You Need the Following Files : 1 -> Sen Haxor CGI Shell 2 -> sen.zip 3 -> passwd-bypass.php 4 -> Turbo Brute force Cpanel 5 - > Port.py First Before Starting to symlink we need to create php.ini and ini.php to Disable Safe mode and Disabled Functions on the server . Use the Following Code : Make a php.ini with the following code safe_mode=Off And ini.php with <? echo ini_get("safe_mode"); echo ini_get("open_basedir"); include($_GET["file"]); ini_restore("safe_mode"); ini_restore("open_basedir"); echo ini_get("safe_mode"); echo...

How to Hack WhatsApp using just a GIF

A picture is worth a thousand words, but a GIF is worth a thousand pictures. Today, the short looping clips, GIFs are everywhere—on your social media, on your message boards, on your chats, helping users perfectly express their emotions, making people laugh, and reliving a highlight. But what if an innocent-looking GIF greeting with Good morning, Happy Birthday, or Merry Christmas message hacks your smartphone? Well, not a theoretical idea anymore. WhatsApp has recently patched a critical security vulnerability in its app for Android, which remained unpatched for at least 3 months after being discovered, and if exploited, could have allowed remote hackers to compromise Android devices and potentially steal files and chat messages. WhatsApp Remote Code Execution Vulnerability The vulnerability, tracked as  CVE-2019-11932 , is a double-free memory corruption bug that doesn't actually reside in the WhatsApp code itself, but in an open-source GIF image parsing library that What...