India's largest nuclear power plant, the Kudankulam Nuclear Power Plant, suffered an attack earlier this year. Initially, the Kudankulam Nuclear Power Project denied that any cyberattack had occurred.
The news began circulating on Twitter after researcher Pukhraj Singh reported the incident.
Pukhraj Singh said that “Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit.” He also added that he notified the incident to the National Cyber Security Coordinator (NCSC) on Sep 4.
So, it’s public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit. https://t.co/rFaTeOsZrw pic.twitter.com/OMVvMwizSi
— Pukhraj Singh (@RungRage) October 28, 2019
The intrusion was detected by a third-party security company, which soon contacted Pukhraj Singh, who reported the incident and the identified IoCs to the NCSC.
A notice issued by KKNP on 29/10/2019 states: “This is to clarify Kudankulam Nuclear Power Plant (KNPP) and other Indian Power Plant Control Systems are stand-alone and not connected to outside cyber network and internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible.”
The malware found on the administrative network, identified as Dtrack, gives its operator the following collection capabilities:
- Keylogging
- Retrieving browser history
- Gathering host IP addresses, information about available networks and active connections
- Listing all running processes
- Listing all files on all available disk volumes
The malware also includes additional modules that give an attacker remote access to the system and can upload, download or execute files.
The malware has been attributed to the North Korean hacking group “Lazarus Group”.
Attached pic is data collection from #KKNPP #Dtrack malware (a few other bits not pictured).
– Local IP, MAC, OS install information (including registered org) via registry
– Browser history
– Connectivity to local IP
– Compspec, ipconfig, netstat info via @a_tweeter_user https://t.co/7LqEhNOom2 pic.twitter.com/qKIVzvbQbV
— Kevin Perlow (@KevinPerlow) October 28, 2019
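As an added example (not code from the original article, and not a published Dtrack IoC), the following Python hunts for the collection pattern described in the capability list above and in Kevin Perlow's tweet: a single parent process shelling out to several host-discovery commands within a few seconds. The log lines, host names, PIDs, parent image path and the pipe-separated field layout are all constructed for this example; ipconfig and netstat come from the tweet, while adding tasklist and systeminfo for the "list running processes" and "OS install information" items is my assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample process-creation events (NOT data from the KKNPP incident).
# Hypothetical flat export layout:
#   UTC time | host | parent PID | parent image | child command line
SAMPLE_EVENTS = r"""
2019-09-03T10:14:02Z|ADM-WS-17|4120|C:\Windows\explorer.exe|"C:\Windows\System32\cmd.exe" /c ipconfig /all
2019-09-03T10:25:40Z|ADM-WS-17|4120|C:\Windows\explorer.exe|"C:\Windows\System32\cmd.exe" /c ping 10.1.1.1
2019-09-03T11:02:11Z|ADM-WS-22|7716|C:\Users\Public\libs\helper.exe|"C:\Windows\System32\cmd.exe" /c ipconfig /all > C:\Windows\Temp\res.tmp
2019-09-03T11:02:12Z|ADM-WS-22|7716|C:\Users\Public\libs\helper.exe|"C:\Windows\System32\cmd.exe" /c netstat -naop tcp >> C:\Windows\Temp\res.tmp
2019-09-03T11:02:12Z|ADM-WS-22|7716|C:\Users\Public\libs\helper.exe|"C:\Windows\System32\cmd.exe" /c tasklist /v >> C:\Windows\Temp\res.tmp
2019-09-03T11:02:13Z|ADM-WS-22|7716|C:\Users\Public\libs\helper.exe|"C:\Windows\System32\cmd.exe" /c systeminfo >> C:\Windows\Temp\res.tmp
2019-09-03T11:30:00Z|ADM-WS-09|900|C:\Windows\explorer.exe|"C:\Windows\System32\cmd.exe" /c netstat -an
"""

# Built-in Windows tools that produce the data the malware collects (host IPs,
# networks, active connections, running processes). ipconfig and netstat are
# named in the tweet; tasklist and systeminfo are an assumption for the
# "list running processes" / "OS install information" items.
DISCOVERY_TOOLS = {"ipconfig", "netstat", "tasklist", "systeminfo"}


def discovery_tool(command_line):
    """Return the discovery tool launched through `cmd.exe /c ...`, else None."""
    m = re.search(r"/c\s+(\S+)", command_line, re.IGNORECASE)
    if not m:
        return None
    # strip quotes and any path, normalise "tool.exe" to "tool"
    tool = m.group(1).strip('"').rsplit("\\", 1)[-1].lower()
    if tool.endswith(".exe"):
        tool = tool[:-4]
    return tool if tool in DISCOVERY_TOOLS else None


def parse_event(line):
    ts, host, ppid, parent, cmdline = line.split("|", 4)
    return {
        "time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host,
        "ppid": int(ppid),
        "parent": parent,
        "cmdline": cmdline,
    }


def find_recon_bursts(lines, window=timedelta(seconds=60), min_distinct=3):
    """Flag any parent process that launches >= min_distinct different
    discovery tools within `window`. A one-off admin ipconfig from
    explorer.exe stays below the threshold; a scripted burst does not."""
    by_parent = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        tool = discovery_tool(ev["cmdline"])
        if tool:
            by_parent[(ev["host"], ev["ppid"], ev["parent"])].append((ev["time"], tool))

    alerts = []
    for (host, ppid, parent), launches in by_parent.items():
        launches.sort()
        for i, (start, _) in enumerate(launches):
            # distinct tools seen in the window opening at this launch
            tools = {t for ts, t in launches[i:] if ts - start <= window}
            if len(tools) >= min_distinct:
                alerts.append({"host": host, "parent_pid": ppid, "parent": parent,
                               "first_seen": start, "tools": sorted(tools)})
                break  # one alert per parent is enough for triage
    return alerts


def run_sample():
    return find_recon_bursts(SAMPLE_EVENTS.strip().splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['host']} pid {a['parent_pid']} ({a['parent']}) ran "
              f"{', '.join(a['tools'])} starting {a['first_seen']:%H:%M:%S}")
```

On real Sysmon Event ID 1 or Security 4688 exports, the window and threshold need tuning per environment, but on an isolated administrative network a burst of host enumeration from a non-interactive parent process is rare enough to be a useful triage signal, and the parent image path in the alert is the first thing to pivot on.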
Congress MP Shashi Tharoor demanded an explanation from the government on Twitter: “This seems very serious. If a hostile power can conduct a cyber attack on our nuclear facilities, the implications for India’s national security are unimaginable. The Government owes us an explanation.”
This seems very serious. If a hostile power is able to conduct a cyber attack on our nuclear facilities, the implications for India’s national security are unimaginable. The Government owes us an explanation. https://t.co/5NokFcQFWs
— Shashi Tharoor (@ShashiTharoor) October 29, 2019
The report also confirms that the attack was limited to the administrative network and that the critical systems are air-gapped and isolated from it: “Identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019.” Domain controller-level access on the administrative side, as Singh describes it, is nonetheless a full compromise of that network's identity infrastructure, whatever the status of the control systems.
Pedro Tavares is a professional in the field of information security working as an Ethical Hacker/Pentester, Malware Researcher and Security Evangelist. He is also a founding member of CSIRT.UBI and Editor-in-Chief of the computer security blog seguranca-informatica.pt.
In recent years he has invested in the field of information security, exploring and analyzing a wide range of topics, such as pentesting (Kali Linux), malware, exploitation, hacking, IoT and security in Active Directory networks. He is also a freelance writer (Infosec Resources Institute and Cyber Defense Magazine) and the developer of 0xSI_f33d, a feed that compiles phishing and malware campaigns targeting Portuguese citizens.