How Malware Detected at India’s Nuclear Power Plant Could Have Been Prevented

The Nuclear Power Corporation of India Limited (NPCIL) recently confirmed that there was a cyberattack on the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India, in September. The plant's administrative network was breached in the attack, but the malware did not reach the critical internal network used to control the plant's nuclear reactors. NPCIL would have been able to detect and prevent the attack with Check Point's threat prevention solutions: Check Point's SandBlast Threat Emulation technology behaviorally detects all versions of Dtrack.

Why is this important?

No critical damage was reported during this attack. However, it may have been the first stage of a more complex, planned attack: threat actors frequently conduct reconnaissance and probing operations to prepare a more substantial follow-on attack. Cyberattacks on nuclear power plants could have catastrophic effects, especially if the network that runs the machines and software controlling the reactor is compromised. A breach can be used to facilitate sabotage, theft of nuclear materials, or, in the worst case, a reactor meltdown. In a densely populated country like India, any radiation release from a nuclear facility would be a major disaster.

Malware linked to North Korea’s Lazarus Group

Several security researchers identified the malware as a version of Dtrack, a backdoor trojan developed by the North Korea-linked Lazarus Group. Dtrack's code lineage has been traced back to 2013, and numerous versions have been identified since, each slightly different. Over the years, the malware's creators have turned it into an infostealer that doubles as a cyberespionage tool, now capable of harvesting browsing history and network topology and of listing the files stored on the infected disks. Given these features, Dtrack is usually used for reconnaissance and as a dropper for other malware payloads.

Detecting and preventing this malware

Lazarus Group continues to be one of the most active hacking groups, developing new versions of the malware at a fast pace and expanding its operations. For instance, Lazarus Group is believed to have been behind the Sony Pictures hack in 2014, in which private and personal documents belonging to employees, as well as several unreleased films, were stolen and publicly posted. Lazarus Group was also credited with the daring hack of the YouBit cryptocurrency exchange in 2017, which siphoned off 17 percent of the exchange's assets and forced its closure. Dtrack has been used widely in both financially motivated and espionage attacks.
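The reconnaissance behaviour described above (collecting network topology, listing processes and files) leaves a recognisable footprint in endpoint process-creation telemetry, and a defender can hunt for it independently of any one product. The following Python script is an added example written for this page; it is not Check Point's code and not a published Dtrack signature. It flags any parent process that spawns several distinct Windows discovery commands within a short window, which is how a recon tool that runs `ipconfig`, `netstat`, `tasklist`, `systeminfo` and `dir` back to back would appear. The log line format, the discovery-command list and the sample events are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Windows discovery commands that host-reconnaissance tooling tends to run in
# bulk. This list is an assumption for the example, not an indicator of
# compromise published for Dtrack.
RECON_COMMANDS = {
    "ipconfig": "network configuration",
    "netstat": "active connections",
    "tasklist": "running processes",
    "systeminfo": "host details",
    "net": "users and shares",
    "dir": "file listing",
}

# Constructed log schema: one process-creation event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) ppid=(?P<ppid>\d+) "
    r'image=(?P<image>\S+) cmd="(?P<cmd>[^"]*)"$'
)

# Constructed sample events: one workstation where a single parent (ppid 4120)
# runs a burst of discovery commands, plus benign activity that must not alert.
SAMPLE_LOG = [
    r'2019-09-04T09:15:02 host=ADMIN-WS07 pid=5012 ppid=4120 image=C:\Windows\System32\ipconfig.exe cmd="ipconfig /all"',
    r'2019-09-04T09:15:03 host=ADMIN-WS07 pid=5016 ppid=4120 image=C:\Windows\System32\NETSTAT.EXE cmd="netstat -ano"',
    r'2019-09-04T09:15:03 host=ADMIN-WS07 pid=5020 ppid=4120 image=C:\Windows\System32\tasklist.exe cmd="tasklist /v"',
    r'2019-09-04T09:15:05 host=ADMIN-WS07 pid=5024 ppid=4120 image=C:\Windows\System32\systeminfo.exe cmd="systeminfo"',
    r'2019-09-04T09:15:09 host=ADMIN-WS07 pid=5031 ppid=4120 image=C:\Windows\System32\cmd.exe cmd="cmd /c dir C:\ /s"',
    # An administrator running two commands hours apart on another host.
    r'2019-09-04T08:02:11 host=ADMIN-WS12 pid=3300 ppid=2200 image=C:\Windows\System32\ipconfig.exe cmd="ipconfig"',
    r'2019-09-04T10:41:50 host=ADMIN-WS12 pid=3412 ppid=2200 image=C:\Windows\System32\NETSTAT.EXE cmd="netstat -an"',
    # Unrelated process on the first host, different parent.
    r'2019-09-04T09:16:00 host=ADMIN-WS07 pid=5040 ppid=3980 image=C:\Windows\notepad.exe cmd="notepad.exe report.txt"',
    "garbled line that does not match the schema",
]


def _basename(token):
    """Strip directory and .exe suffix, case-insensitively."""
    name = token.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def command_name(cmd):
    """Normalise a command line to its bare executable name; unwrap `cmd /c X`."""
    tokens = cmd.split()
    if len(tokens) >= 3 and _basename(tokens[0]) == "cmd" and tokens[1].lower() == "/c":
        tokens = tokens[2:]
    return _basename(tokens[0]) if tokens else ""


def parse_line(line):
    """Return a dict for a well-formed event, or None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def find_recon_bursts(lines, window=timedelta(minutes=5), min_distinct=4):
    """Group discovery-command launches by (host, parent pid) and flag any parent
    that runs at least `min_distinct` different ones within `window`."""
    by_parent = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        name = command_name(rec["cmd"])
        if name in RECON_COMMANDS:
            by_parent[(rec["host"], rec["ppid"])].append((rec["ts"], name, rec["cmd"]))

    alerts = []
    for (host, ppid), events in by_parent.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):  # sliding window over time
            in_window = [e for e in events[i:] if e[0] - start <= window]
            distinct = {e[1] for e in in_window}
            if len(distinct) >= min_distinct:
                alerts.append({
                    "host": host,
                    "ppid": ppid,
                    "first_seen": start.isoformat(),
                    "commands": sorted(distinct),
                })
                break  # one alert per parent process is enough
    return alerts


if __name__ == "__main__":
    for alert in find_recon_bursts(SAMPLE_LOG):
        print(f"[recon burst] host={alert['host']} parent_pid={alert['ppid']} "
              f"at {alert['first_seen']}: {', '.join(alert['commands'])}")
```

The threshold and window are tuning knobs: a single `ipconfig` from a help-desk session is noise, while five different discovery commands from one parent inside a few seconds is rarely a human. On a real estate the same logic can be run over Sysmon Event ID 1 or EDR process-creation records, keyed on the parent process GUID rather than the reusable parent PID.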

SandBlast Threat Emulation performs deep CPU-level inspection, stopping even the most dangerous attacks before malware has an opportunity to deploy and evade detection. SandBlast Threat Emulation uses OS-level inspection to examine a broad range of file types, including executables and data files.

The indicators of compromise (IOCs) for Dtrack are also stored within Check Point's ThreatCloud. The world's most powerful threat intelligence database, ThreatCloud inspects 4 million files and blocks 7,000 zero-day attacks each day. Check Point's threat prevention solutions operationalize the cyber intelligence stored in ThreatCloud. ThreatCloud receives data feeds from hundreds of millions of sensors across Check Point gateways, protected endpoints and cloud instances, as well as from the largest team of elite researchers and security engineers in the industry. Artificial intelligence engines residing in ThreatCloud analyze and correlate this data and share it throughout Check Point's global customer base, preventing threats before they can breach networks, clouds, PCs, smartphones and IoT devices.