What is DTrack: North Korean virus being used to hack ATMs to nuclear power plant in India
indiatoday.in · by · October 30, 2019
Nuclear Power Corporation of India Limited (NPCIL) has admitted that one of its computers has been attacked by malware. Although the nuclear body has not named the Kudankulam nuclear power plant in its statement, it has mentioned that the victim computer was only used for administrative purposes and was not connected to the main control system.
The admission of malware comes a day after the power plant denied the social media reports of a cyber attack. Pukhraj Singh, a cyber threat intelligence analyst who has worked with the government and global security teams, claimed on social media that Kudankulam plant was under an attack. He claimed that the threat was identified by a third party, which contacted him and he informed the concerned government body on September 4.
Cybersecurity researchers flagged the malware as DTrack – a virus used by a North Korea-based hacker group Lazarus.
What is DTrack?
DTrack, as flagged by cyber-security firm Kaspersky, is used by hackers to attack financial and research centres in India. It’s earlier version ATMDtrack was designed to hack ATMs in India.
“The malware was designed to be planted on the victim’s ATMs, where it could read and store the data of cards that were inserted into the machines,” a post by Kaspersky said in September.
Later a version of it was used to attack the banking system in South Korea as well as for the infamous WannaCry ransom worm attacks across the globe.
Researchers have identified that the malware which infected the computer at Kudankulam nuclear power plant was DTrack. However, cyber attack expert Pukhraj Singh says that the identity of the malware was not certain.
If it’s N. Korea then this is a ridiculously escalatory proliferation/espionage op. But false flags are so goddamn easy. Kaspersky may be tracking overlapping infra, not this exact campaign. Hack of 2nd target could be power projection. Time lost in IR, we may never really know https://t.co/9xi4CZrvd1
— Pukhraj Singh (@RungRage) October 29, 2019
What is the purpose of Lazarus attacks?
According to reports, Lazarus is an arm of the North Korean regime. Lazarus first landed on the radar of many security researchers following the infamous Sony Pictures hack in late 2014. Once considered a ragtag ensemble of hackers, the group has risen to prominence over the years with a series of lucrative hacks involving the SWIFT payment network used by banks.
After the due investigations, the cyber experts have tied the 2013 cyberattack in South Korea and WannaCry ransom worm attacks in 2017 to Lazarus Group.
News agencies including Reuters have cited a United Nations report that estimated North Korean hacking has generated $2 billion for the country’s weapons of mass destruction programmes.
What does DTrack do?
There are at least 180 versions of DTrack virus identified by Kaspersky Lab. Samples analyzed by Kaspersky Lab include the following capabilities:
#Retrieving browser history
#Gathering host IP addresses, information about available networks and active connections
#Listing all running processes
#Listing all files on all available disk volumes
How can companies/organisations/research organisations avoid DTrack and its variants?
According to Kaspersky, the hackers need to gain at least partial control over the internal network in order to launch a cyber attack. This means that the target organisations may have a number of security issues, such as:
#Weak network security policies
#Weak password policies
#Lack of traffic monitoring
Steps companies can take to avoid malware attack:
#Tighten their network and password policies
#Use traffic monitoring software
#Use antivirus solutions
indiatoday.in · by · October 30, 2019