North Korea (attributed by malware overlap): Officials at the Kudankulam Nuclear Power Plant (KNPP) in India publicly acknowledged a breach of KNPP’s IT systems, which they claim did not affect the operational network or the critical control systems that govern the power plant’s operation. In a press release, a plant official said that the control system operational networks “…are standalone and not connected to outside cyber network and Internet… Any Cyberattack on the Nuclear Power Plant Control System is not possible.” Security researcher Pukhraj Singh posted information to Twitter alleging that the attackers had access to the Domain Controller (DC) and that “extremely mission-critical assets were hit.” The incident came to light when another security researcher discovered a malware sample that had been uploaded to VirusTotal, a free service for checking files against several anti-virus (AV) products at once. Security researchers can pay for access to search VirusTotal and download malware samples from it. The malware sample analyzed by Singh and others contained a computer name, username and password for an administrator account on a server inside the Kudankulam Nuclear Power Plant. Singh became aware of the malware on September 5th and reported the incident to Indian officials on September 7, 2019. Researchers identified the malware as “DTrack” or “ATMDTrack,” which researchers at the Moscow-based Kaspersky Lab have attributed to North Korean state-sponsored computer network operations. Previous reports by Kaspersky indicate that ATMDTrack was used to target Automated Teller Machines (ATMs) in India to steal information from bank customers’ cards. On October 29th, zdnet.com reported that 1.3 million stolen bank card records, mostly from banks in India, were posted for sale on Joker’s Stash, one of the largest criminal shops for purchasing credit and debit card details. It is unknown whether these incidents are related.
Attributing an attack purely on the basis of the malware used is tenuous, because any threat group can appropriate malware created by another, especially once the malware is widely available through VirusTotal or other online repositories. Solid attribution requires more than one overlap, such as use of the same Command and Control (C2) server at about the same time, or access to attacker communication channels where multiple attacks are planned or discussed. While it is wise to physically separate IT networks and Internet connections from critical control systems on operational networks, such separation does not guarantee that an attack against the operational network is “not possible.” Even on stand-alone systems, it is important to practice defense-in-depth: scan workstations and servers for security issues, and monitor and analyze network traffic to control systems that cannot be scanned any other way. Security professionals should be aware of the risks of uploading file samples to VirusTotal, including the risk that a malware sample may contain identifying information or passwords from the network it was built to target. Uploading any file to VirusTotal exposes it to examination by anyone who pays for access. In the case of this nuclear power plant, that examination resulted in officials being notified of the breach, and also in the breach being publicly exposed several weeks later.
Read more about the KNPP incident on ArsTechnica: https://arstechnica.com/information-technology/2019/10/indian-nuke-plants-network-reportedly-hit-by-malware-tied-to-n-korea/