DTrack: the malware that can hack anything, from ATMs to nuclear plants

Network security specialists report that the Nuclear Power Corporation of India (NPCIL), a government-controlled nuclear company, has been the victim of a serious malware infection. Although Indian officials did not explicitly mention the affected facility, they did specify that the infected equipment belongs to one of the administrative areas of the nuclear plant, so it is not related to any critical control system.  

A few days ago, Pukhraj Singh, a cybersecurity expert who has previously worked with the Indian government, stated on his social media that the Kudankulam nuclear plant was under attack; although the authorities initially disregarded these claims, they ended up acknowledging the incident this morning.

Regarding the malware variant used in this attack, network security specialists have identified it as DTrack, a virus linked to the activities of the dangerous Lazarus hacker group, sponsored by the North Korean government. It is apparently an older version of the ATMDTrack malware, used to hack ATMs in India.

Researchers at security firm Kaspersky Lab have identified at least 180 different versions of DTrack malware; these versions do not vary too much from each other, as they all show a similar set of features that include:

  • Keylogging
  • Browsing history collection
  • IP addresses, available networks and active connections collection
  • List of any running process
  • List of any file on all available disk volumes
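The feature list above is also a hunting checklist: a single non-browser process that reads browser history files and then enumerates network configuration, connections, running processes and whole disk volumes is behaving like the collector described here. The following script is an added example, not code from the original article or from Kaspersky. It runs a simple correlation over constructed endpoint telemetry (Sysmon-style process and file-access records in a JSON-lines schema whose field names `host`, `event`, `actor`, `cmd` and `path` are assumptions) and flags any process on a host that covers three or more of the collection categories. Keylogging is not covered because this kind of telemetry does not show input hooks.

```python
"""Hunt for DTrack-style host collection behaviour in endpoint telemetry.

Added example, not from the original article or from Kaspersky. The
records below are constructed to resemble simplified Sysmon-like events;
the schema (host, event, actor, cmd, path) is an assumption.
"""
import json
from collections import defaultdict

# Constructed sample telemetry, one JSON record per line. `actor` is the
# process performing the action: the reader for file_read events, the
# parent that spawned the command for process events.
SAMPLE_EVENTS = r"""
{"host":"ws01","event":"process","actor":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"host":"ws01","event":"file_read","actor":"C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe","path":"C:\\Users\\a\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"}
{"host":"ws01","event":"process","actor":"C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe","cmd":"cmd.exe /c ipconfig /all"}
{"host":"ws01","event":"process","actor":"C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe","cmd":"cmd.exe /c netstat -ano"}
{"host":"ws01","event":"process","actor":"C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe","cmd":"cmd.exe /c tasklist"}
{"host":"ws01","event":"process","actor":"C:\\Users\\a\\AppData\\Local\\Temp\\svc.exe","cmd":"cmd.exe /c dir /s /b C:\\"}
{"host":"ws02","event":"file_read","actor":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","path":"C:\\Users\\b\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\History"}
{"host":"ws02","event":"process","actor":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c ipconfig /all"}
"""

# Processes that legitimately read their own history databases.
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}
# Chrome/Edge keep a file literally named "History"; Firefox uses places.sqlite.
HISTORY_MARKERS = ("\\history", "places.sqlite")
# Command-line fragments mapped to the collection categories from the article.
CMD_CATEGORIES = {
    "network_enum": ("ipconfig", "netstat", "arp -a", "net view"),
    "process_enum": ("tasklist", "get-process"),
    "file_enum": ("dir /s", "get-childitem -recurse"),
}


def basename(win_path):
    """Last component of a Windows path, lower-cased (works on any OS)."""
    return win_path.rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """Parse JSON-lines telemetry into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(event):
    """Map one event to a collection category, or None if it is benign."""
    actor = basename(event.get("actor", ""))
    if event.get("event") == "file_read":
        path = event.get("path", "").lower()
        # Browser history read by something that is not a browser.
        if any(m in path for m in HISTORY_MARKERS) and actor not in BROWSERS:
            return "browser_history"
        return None
    if event.get("event") == "process":
        cmd = event.get("cmd", "").lower()
        for category, needles in CMD_CATEGORIES.items():
            if any(n in cmd for n in needles):
                return category
    return None


def hunt(events, threshold=3):
    """Return (host, actor) pairs that cover at least `threshold` categories.

    Correlating by actor rather than by host keeps an admin running
    ipconfig on one box from being scored together with an unrelated
    process reading browser data.
    """
    seen = defaultdict(set)
    for ev in events:
        category = classify(ev)
        if category:
            seen[(ev["host"], ev["actor"])].add(category)
    return [
        {"host": host, "actor": actor, "categories": cats}
        for (host, actor), cats in sorted(seen.items())
        if len(cats) >= threshold
    ]


if __name__ == "__main__":
    for finding in hunt(parse_events(SAMPLE_EVENTS)):
        print(finding["host"], finding["actor"], sorted(finding["categories"]))
```

With the constructed data, only `svc.exe` on `ws01` is reported (browser history read plus network, process and file enumeration); the administrator running `ipconfig` from `cmd.exe` on `ws02` and Chrome reading its own history file are scored below the threshold. Lowering `threshold` trades precision for recall, which is the usual tuning knob for this kind of behavioural rule.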

To deploy the attack, hackers require some level of control over the internal networks of the target organization, so there have to be prior security weaknesses, such as poor password management, lack of traffic monitoring, and other flaws.

According to expert reports, this malware was designed to be installed on multiple ATMs in order to capture data from victims’ cards. Another version of the malware was recently detected on South Korean banking systems, as well as in some WannaCry ransomware infections.

Network security experts first detected Lazarus group activity about 5 years ago during cyberattacks against Sony that resulted in massive leaks of sensitive information. Over time, Lazarus hackers have shown great evolving ability, even compromising the security of more sophisticated IT systems, such as the interbank payment network known as SWIFT.

Multiple researchers have linked the wave of attacks in South Korea and the WannaCry ransomware outbreak to this hacker group, which is alleged to have collected more than $2 billion USD for a North Korean weapons of mass destruction program.

In the face of recent signs of hacker activity, network security experts from the International Institute of Cyber Security (IICS) recommend that system administrators implement protective measures, such as establishing stricter password and network policies, using traffic monitoring software and using the most sophisticated antivirus solutions available.
