Decoding motives behind the Kudankulam Nuclear Power Plant intrusion from North Korea-based Lazarus group

  • What is DTrack malware?
  • What was the purpose of the Lazarus attack on Kudankulam Nuclear Power Plant?
  • What does DTrack do?
  • Why is this intrusion hostile to Indian interests?

GS paper 3 (Internal Security and Challenges, impact of communication networks, Cyber security.)

What is the context about?

  • The North Korea-based Lazarus group’s attack against Kudankulam Nuclear Power Plant (KKNPP) and the Indian Space Research Organisation in early September this year triggered considerable concerns over the challenge posed by external cyber threats.
  • The North Korean State, with a Stalinist regime at its helm, is starved of financial and technological resources.
  • Nuclear Power Corporation of India Limited (NPCIL) has admitted that one of its computers has been attacked by malware.

What is DTrack malware?

  • DTrack, as flagged by cyber-security firm Kaspersky, is used by hackers to attack financial and research centres in India. Its earlier version, ATMDtrack, was designed to hack ATMs in India.
  • “The malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines,” a post by Kaspersky said in September.
  • Researchers have identified that the malware which infected the computer at Kudankulam Nuclear Power Plant was DTrack.

What was the purpose of the Lazarus attack on Kudankulam Nuclear Power Plant?

  • There are two possibilities that could have driven the Lazarus group to deploy DTrack (a spyware that allows access to data) to infiltrate the administrative network of the KKNPP facility.
  • The first is purely technological: the DTrack intrusion was to steal as much available technical data as possible relating to the reactors’ design, coolant system, fuel handling and storage system, and to ascertain the operating capacity of the reactors at the KKNPP.
  • The second was perhaps to test both the cyber defences at the KKNPP facility and Indian cyber operators’ response mechanisms when faced with a cyber intelligence penetration.

What does DTrack do?

There are at least 180 versions of the DTrack virus identified by Kaspersky Lab. Samples analysed by Kaspersky Lab include the following capabilities:
  • Retrieving browser history
  • Gathering host IP addresses, information about available networks and active connections
  • Listing all running processes
  • Listing all files on all available disk volumes

Why is this intrusion hostile to Indian interests?

  • It is plausible North Korea passed information on to interested third parties, which are inimical to Indian interests. Pakistan and China individually, or both, may be beneficiaries of the cyber intelligence exfiltration by the Lazarus group.
  • If not immediately, both Beijing and Islamabad, in due course, could exploit the information provided by the North Korean cyber espionage mission against KKNPP.
  • In the event of a crisis, the vulnerabilities of the VVERs could be exploited and their safe operation threatened.