Malware attack on Indian nuclear plant: Dtrack, created by North Korea's state-sponsored Lazarus group, detected

Officials have confirmed that a VirusTotal upload at the Kudankulam Nuclear Power Plant that happened recently was linked to a malware infection.


Computer networks at India's largest nuclear power plant were infected with a dangerous strain of malware that takes its origin from the infamous Lazarus group in North Korea. The Nuclear Power Corporation of India Ltd (NPCIL), which runs the country's nuclear power plants, confirmed that the Kudankulam Nuclear Power Plant (KNPP) in the southern state of Tamil Nadu was infected with malware created by North Korea's state-sponsored hackers.

Security and cybercrime experts said the malware was a version of Dtrack, a backdoor trojan developed by North Korea's Lazarus Group, which has been in the spotlight for carrying out daring hack missions in various international organisations.

Days before the official admission that the administrative network was infected with malware, one of the reactors at the power plant had unexpectedly shut down. Though rumours of a cyber attack floated on Monday, the authorities had denied any such issue. KNPP officials said news on malware infection was "false information," and that a cyber-attack on the power plant was not possible. However, two days after the scare, the officials have confirmed that a VirusTotal upload that happened recently was linked to a malware infection.

The Wall Street Journal said the NPCIL was first alerted of the malicious software in its system on September 4. This led to a detailed investigation by the Department of Atomic Energy. It was revealed in the probe that the infected personal computer was part of the company's network for administrative purposes. "This is isolated from the critical internal network," the agency said.

The attack on the Kudankulam power plant appeared to be a targeted attack, the WSJ said, citing an expert. The malware was designed specifically to penetrate the Kudankulam plant, Sergio Caltagirone, director of threat intelligence at Dragos, said, according to the report. NPCIL said the malware did not impact the critical internal network that controls the plant's nuclear reactors.

What is Dtrack malware?

The malware created by the elite hacking unit of North Korea is essentially used for reconnaissance and as a dropper for other malware payloads, according to ZDNet. It is a favourite of the hackers who engage in politically-motivated cyber-espionage operations. However, it was detected last month that there was a custom version of Dtrack, known as AMTDtrack.

[Photo: A rocket is fired during a drill by anti-aircraft units of the Korean People's Army (KPA) in this undated photo released by North Korea's Korean Central News Agency (KCNA) in Pyongyang, November 3, 2015. Reuters]

Russian anti-virus firm Kaspersky said in a report in September that India was targeted by a malware suite that North Korean hackers used to penetrate the systems of banks, financial firms and research organisations. The US Treasury recently sanctioned the Lazarus Group after it was found to be carrying out cyber-attacks on banks, ATM networks, gambling sites, online casinos and cryptocurrency exchanges. It is suspected that the state-sponsored hacking group's mandate is to raise funds for the totalitarian regime's ambitious and secretive weapons and missile programmes.