How did malware land on nuclear plant computers?
- December 5, 2019
- Posted by: Kerry Tomlinson, Archer News
- Categories: Archer News, Cyberattack, Cyberattack, Hacking, Industrial Control System Security, Posts with image, Power Grid, Power Grid
You don’t want to see malware on computers of a nuclear plant.
It’s a sign that attackers can get in and cause trouble at a sensitive location.
And yet the sneaky malware Dtrack landed on the network of the Kudankulam nuclear plant in India.
Researchers are mapping out Dtrack’s path and some say it started with a phishing email.
The newest malware on the radar of analyst Gabriela Nicolao of Deloitte Argentina is Dtrack, discovered on computers at India’s largest nuclear plant.
“We all should be concerned about that because bad things can happen,” Nicolao told Archer News in an interview in Buenos Aires. “If things go wrong in a nuclear facility, it can have a really big impact in the real life.”
Luckily, as Nicolao explained at a conference in Argentina in November, the Dtrack malware did not get onto the machines actually controlling the nuclear plant, only onto the administrative computers.
But the incident leaves questions about how the malware got into this sensitive facility.
How Did Dtrack Get in?
Researchers from Issue Makers Lab in South Korea say the hackers are a group they call Kimsuky, hailing from North Korea.
Their first line of attack?
Phishing emails, pretending to be from employees of Indian nuclear energy organizations like the Atomic Energy Regulatory Board and the Bhabha Atomic Research Centre, Issue Makers Lab said.
The researchers posted an email on Twitter that appears to be one of the phishing lures
“We are sorry to bother you. From U.S, sent us one regulatory document. This is not publicated. We hope you check this document and give us your opinion,” the email reads, encouraging the recipient to click on the attachment.
Cybersecurity professional Yash Kadakia from India told Archer News that he analyzed the server the attackers hacked to send out their phishing lures.
He found that they sent phishing emails to more than a dozen people in five agencies including India’s space and nuclear programs.
Their targets include S A Bhardwaj, former chairman of India’s Atomic Energy Regulatory Board, and Anil Kakodkar, former chairman of the country’s Atomic Energy Commission.
The phishing continued for about two years, Issue Makers Lab said.
At some point, someone with ties to the nuclear plant clicked, according to Kadakia, and the email downloaded Dtrack onto his or her computer.
Then, when that person connected to the Kudankulam network for “administrative purposes,” said the Indian government, Dtrack went live on plant computers.
Cyber intelligence analyst Pukhraj Singh announced the incident in cryptic tweet on September 7, and the Indian government later confirmed it in a press release on October 30.
How Does Dtrack Work?
The malware gathers up information and sends it to another computer, in this case, another computer inside the nuclear plant’s network, Nicolao said.
Then, Dtrack sucks out the info and sends it back to the attackers.
“Dtrack is a piece of malware that has a lot of functionality,” she said.
This was likely a targeted attack, according to Nicolao, because the attackers used credentials from the plant in their code.
All in the Family
Researchers have found other versions of Dtrack as well.
In September, Kaspersky reported that hackers they call the Lazarus group are using a form of Dtrack as a spy tool in India and using its cousin, ATMDtrack, to steal card numbers from Indian ATMs.
Kaspersky connects the Lazarus group to attacks on South Korea, the U.S. and other countries.
The company’s researchers also found connections to the DarkSeoul campaign in 2013, where attackers hit 30,000 computers in South Korean TV stations and banks, preventing people from accessing money.
“It seems that they reused part of their old code to attack the financial sector and research centers in India,” wrote Kaspersky’s Konstantin Zykov.
Some of the tools used in the infamous WannaCry ransomware attack of 2017 have “strong links” to the Lazarus group, according to Symantec.
“The vast amount of Dtrack samples that we were able to find shows that the Lazarus group is one of the most active APT [advanced persistent threat] groups in terms of malware development,” Zykov said.
Although Dtrack can’t take over nuclear reactors, it can still cause harm.
The Asia Times reports the Dtrack attackers were after India’s fuel yields at the plant, part of a plan to assess the country’s nuclear capabilities, both civilian and military.
And once the attackers know how the plant works, they can come back for more, including trying to take control of the machines themselves.
“This is a reconnaissance tool,” Nicolao said. “Meaning that it may be the first step of a bigger attack.”
The Indian government said its critical internal network — the computers that run the nuclear equipment, are protected because they are not connected to the Internet.
They call this an “air-gapped” system, because there is no computer connection to the network, only “air.”
But security experts say even air-gapped systems can be compromised.
They point to the 2010 Stuxnet attack, where the Stuxnet malware was brought in to an Iranian nuclear facility on a thumb drive and destroyed hundreds of centrifuges.
India’s government is making changes, strengthening cybersecurity, according to news reports.
A wise move, if reports of other attacks on nuclear researchers are correct.
In April, the Kimsuky hackers tried to steal information on designs for India’s new nuclear reactor that burns thorium, Issue Makers Lab said.
In January, they tried to attack researchers at the Belgian Nuclear Research Centre, the lab said.
In November, auditors found errors in how the U.S. Department of Energy manages cybersecurity at its nuclear facilities.
“Without improvements to address the weaknesses identified in our report, the Department’s information systems and data may be at a higher-than-necessary risk of compromise, loss, and/or modification,” the Office of the Inspector General said in the report.
Nuclear plants everywhere can also use the information learned to keep Dtrack out — and industrial controls safe.
For example, Nicolao said the indicators of compromise — pieces of data that help identify the attack — are helpful.
“With that information, we can protect ourselves,” she said.
Main image: Kudankulam nuclear power plant in Kudankulam, India. Image: Google Maps