Against the backdrop of claims of a cyber attack at the Kudankulam Nuclear Power Plant (KKNPP), the Nuclear Power Corporation of India Ltd (NPCIL) on Wednesday confirmed that malware was detected in its system on September 4. NPCIL added that systems at the plant have not been affected.
"The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019," NPCIL stated in a release a day after claims of a cyber attack surfaced online. A probe by specialists at the Department of Atomic Energy (DAE) revealed that the infected computer "belonged to a user who was connected in the internet-connected network used for administrative purposes". The affected system has now been isolated from the critical internal network. "The networks are being continuously monitored," NPCIL stated further.
KKNPP is one of the most prestigious projects in India run in collaboration with a Russian government company.
The NPCIL statement, however, is in stark contrast to the confidence shown by KKNPP officials as the issue came to light on Tuesday. “Our control systems are standalone and not connected to outside cyber network and internet. Any cyber attack on the Nuclear Power Plant Control system is not possible,” clarified R. Ramadoss, KKNPP’s Training Superintendent and Information Officer, in a press release.
The official statement also noted that news of a cyber attack on KKNPP was part of a misinformation campaign. "Some false information is being propagated on the social media platform, electronic and print media with reference to cyber attack on Kudankulam Nuclear Power Plant. This is to clarify KKNPP and other Indian Nuclear Power Plants Control Systems are stand-alone and not connected to outside cyber network and Internet. Any cyber attack on the Nuclear Power Plant Control System is not possible. Presently, KKNPP Unit-1 and 2 are operating at 1000 MWe and 600 MWe respectively without any operational or safety concerns," it stated.
At the same time, Ramadoss's clarification did not deny a cyber attack in the recent past. Rather, he stated only that the systems were “standalone”, which led to the question of a potential breach in cyberspace with regard to Kudankulam.
Cyber researchers, however, claimed that there was a breach of "part of the network". The statement only clarifies and focuses on the airgap, but does not seem to rule out a compromise of their enterprise network.
They pointed out the fact that the statement came from only the Information Officer and not a higher authority. It is to be noted that nuclear power plants in India come directly under the Prime Minister’s Office.
It is common for malware to include hard-coded, stolen credentials in a case like KKNPP. It is no secret that North Korean hacker group Lazarus has targeted nuclear plants before.
Independent reports from VirusTotal and Kaspersky confirm that a form of malware named 'DTrack' was used to attack specific targets in India. Apparently, DTrack is attributed to Lazarus and was created to infiltrate Indian ATMs.
Though it is unlikely that the reactor control systems were compromised, the statement from KKNPP neither confirmed nor denied the malware attack, experts had pointed out following Ramadoss's statements. “This is neither a confirmation nor a denial. This is simply a statement expressing total surprise about their ignorance,” tweeted cyber security researcher Anand Venkatanarayanan. He further clarified that DTrack is a malware family specialised in sucking information out of infected systems.