A former analyst for India’s National Technical Research Organization (NTRO) has tied a malware report published on VirusTotal to a cyber attack on India’s Kudankulam Nuclear Power Plant. The malware, identified by researchers as North Korea’s Dtrack, gained “domain controller-level access” at Kudankulam, according to the analyst, Pukhraj Singh. The attack has been reported to the government.
The attack likely did not affect reactor controls, but it may have targeted research and technical data. It apparently focused on collecting technical information: the malware used a Windows SMB network drive share, with the credentials hard-coded into the malware itself, to aggregate the files it intended to steal. Researchers tied Dtrack to North Korea’s Lazarus threat group on the basis of code it shares with DarkSeoul, the 2013 malware attack that wiped hard drives at South Korean media companies and banks.