NPCIL Hack : Everything You Need To Know

Updated: Feb 19



The network of one of India’s nuclear power plants was infected with malware created by North Korea’s state-sponsored hackers and the Nuclear Power Corporation of India Limited (NPCIL) confirmed.

The Kudankulam Nuclear Power Plant (KNPP) is reported to be infected for the first time.


Pukhraj Singh, a former security analyst at India’s National Technical Research Organization (NTRO), pointed out that the recent VirusTotal upload was actually associated with a malware infection in KNPP. Specifically the malware sample included hardcoded credentials for KNPP’s internal network, suggesting that the malware was specifically compiled to spread and operate within the power plant’s IT network.

Several security researchers have identified the malware as a backdoor trojan developed by Lazarus Group, North Korea’s elite hacking unit.


The revelation of the compromise immediately went viral because a few days before the compromise the same power plant had to unexpectedly shut down one of its reactors.

Initially, KNPP officials denied they had suffered any malware infections, issuing a statement describing the tweet as “misinformation”, and said a cyber attack on the power plant was “not possible” . Later they released an official press release accepting the malware infection.


What is Lazarus Group ?


The Lazarus Group is a advanced persistent threat group attributed to the North Korean government. The group has been active since at least 2009 and was allegedly responsible for the November 2014 devastating Viper attack as part of a campaign by Novetta against Sony Pictures Entertainment called Operation Blockbuster. The malware used by the Lazarus Group is related to other reported campaigns, including Operation Flame, Operation 1 Emission, Operation Troy, Darkseole, and Ten Days of Rain. In late 2017, the Lazarus Group used Kildisk, a disk-wiping device, in an attack against an online casino based in Central America.


The definitions of the North Korean group are known as significant overlaps, and the Lazarus group name is known to encompass a wide range of activity. Some organizations use the Lazarus Group to refer to an activity attributed to North Korea. Some organizations track North Korean groups or groups such as Bleinorf, APT37 and APT38 separately, while other organizations may track some activity associated with those group names under the name Lazarus Group.


What is DTrack ?


It is a trojan developed by Lazarus group. According to Russian antivirus manufacturer Kaspersky’s analysis of Dtrack malware, this trojan includes the following features such as keylogging, Retrieving browser history, Collecting information about host IP addresses, enumerating available networks and active connections,

List all running processes, Listing all files on all available disk versions.

As is evident from its features, Direx is commonly used for reconnaissance purposes and as a dropper for other malware payloads.

Previous Dtrack samples have typically been seen in politically motivated cyber espionage operations, and in attacks on banks – with a custom version of the Dtrack, also named AMTDtrack being discovered last month.



"On the final note one thing is to be said and that is India is filled with extraordinary cyber security talents and but the authorities should learn how to cultivate these young minds."

People Do Crazy Stuff and We are one of them.

Thinkers and doers, from the field of Cybersecurity, Ethical Hacking, Python, Dark Net and Forensics, getting inspired from people from same and different field of knowledge.

  • 800px-Telegram_2019_Logo.svg
  • Twitter
  • Instagram
  • Facebook

© 2020 by Bluefire Redteam LLP