Braving the breach

Kudankulam hack shows that India remains ill-equipped to deal with cyberattacks

Caught unawares: The attack might have compromised the Kudankulam plant’s domain controller-level access | Sanjoy Ghosh

On October 16, when the second unit of the 2,000 megawatt nuclear power plant at Kudankulam in Tamil Nadu was shut down, it seemed like a routine procedure. Since it became operational in 2016, the unit has been shut down over 100 times for operational and maintenance reasons. But the shutdown this time was anything but normal. On October 28, experts revealed that the Kudankulam Nuclear Power Plant (KKNPP) had been the target of a cyberattack. Pukhraj Singh, an independent cybersecurity expert who was earlier with the National Technical Research Organisation, tweeted that he had found a data dump indicating that the plant was targeted by a malware called Dtrack. Cybersecurity experts believe that the attack, which compromised the plant’s domain controller-level access, was orchestrated by the Pyongyang-based Lazarus group, which is reportedly run by North Korean intelligence.

Within hours of Singh’s revelation, R. Ramadoss, KKNPP’s training superintendent and information officer, issued a statement denying that the plant had been attacked. “Our control systems are standalone and not connected to outside cybernetwork and internet. Any cyberattack on the Nuclear Power Plant Control system is not possible,” said the statement. The statement spoke only of the isolated control systems; it neither confirmed nor denied that malware had been found on the plant’s other networks.

On October 30, the Nuclear Power Corporation of India Limited (NPCIL), which oversees nuclear power generation and distribution in the country, confirmed the attack. “Identification on malware in NPCIL system is correct. The matter was conveyed by CERT-In [the national computer emergency response team] when it was noticed by them on September 4, 2019,” said a statement. An investigation by the department of atomic energy found that the infected computer “belonged to a user who was connected to the internet-connected network used for administrative purposes”.

The NPCIL, which oversees 22 nuclear reactors at seven sites across the country, however, did not specify the location of the attack. “It did not come out clearly on when, where and how the attack happened. However, the acceptance reveals that the depth of the attack was huge. Given the fact that the reactor has a history of shutting down and also looking at the pattern of the attack, there is a clear breach of data,” said Abhijit Iyer-Mitra, senior fellow at the Delhi-based Institute of Peace and Conflict Studies. He said the Windows-based systems inside the KKNPP air gap (the physical isolation of a computer or local network from unsecured networks and the internet) made the reactors vulnerable to attack.

Nuclear plants in India are run by SCADA systems (supervisory control and data acquisition, a system for gathering and analysing real-time data). “The SCADA systems run on Linux, and are not connected to internet or any [external] network. Windows is the operating system that connects the administrative part, while the running of the power plant is controlled by industrial control systems (ICS),” said Ishwar Prasad Bhat, founder and CEO of Necurity Solutions, a computer security service. However, since NPCIL’s administrative systems run Windows, the platform Dtrack targets, a huge amount of data could have been stolen, given the malware’s capabilities. This may include critical data such as access control, maintenance schedules, safety standards and quality control. Moreover, experts warn that malware targeting ICS and SCADA systems has been in use for a decade or even longer. “Exploits increased in volume and prevalence in 2018 for almost every ICS/SCADA vendor,” according to the Operational Technology Security Trends Report 2019 published by cybersecurity firm Fortinet.

Dtrack, used by the Lazarus group, steals information and also gives its operators administrator-level control of the infected system. It can collect information on the processes running on the system, its browsing history, installed software, IP configuration and the local networks connected to it. VirusTotal, a malware-scanning service owned by Google, has confirmed that Dtrack was used in earlier cyberattacks, too, such as the widespread hacking of ATMs reported from India last year.
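The paragraph above describes the host and network reconnaissance that information-stealing malware of this kind performs on an administrative Windows workstation. The script below is an added example written for this page, not code from the article or any vendor, and it is not a signature for the real Dtrack: it shows one way a defender could spot that behaviour in process-creation telemetry, by flagging a single parent process that launches several built-in enumeration commands within a short window. The log format (Sysmon-style JSON lines), the command list, the 5-minute window and the threshold of three distinct commands are all assumptions, and the sample log lines are constructed.

```python
"""Flag reconnaissance bursts in Windows process-creation logs.

Added example for this article, not the article's own material and not a
signature of the real Dtrack malware. Assumptions (not from the article):
Sysmon-style process-creation events exported as one JSON object per line,
the command list below, a 5-minute window and a threshold of 3 commands.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in Windows binaries commonly used for host/network enumeration (assumed list).
RECON_IMAGES = {
    "ipconfig.exe", "netstat.exe", "tasklist.exe", "arp.exe",
    "whoami.exe", "systeminfo.exe", "net.exe", "nltest.exe",
}
WINDOW = timedelta(minutes=5)   # assumed detection window
THRESHOLD = 3                   # assumed: distinct recon commands per parent within WINDOW

# Constructed sample log (not real data). ADMIN-WS-07 shows a burst launched by an
# executable in a temp folder; ADMIN-WS-02 shows only isolated, benign lookups.
SAMPLE_LOG = r"""
{"time": "2019-09-04T10:12:03", "host": "ADMIN-WS-07", "image": "C:\\Windows\\System32\\ipconfig.exe", "parent_image": "C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe", "parent_pid": 4120}
{"time": "2019-09-04T10:12:05", "host": "ADMIN-WS-07", "image": "C:\\Windows\\System32\\netstat.exe", "parent_image": "C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe", "parent_pid": 4120}
{"time": "2019-09-04T10:12:09", "host": "ADMIN-WS-07", "image": "C:\\Windows\\System32\\tasklist.exe", "parent_image": "C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe", "parent_pid": 4120}
{"time": "2019-09-04T10:13:40", "host": "ADMIN-WS-07", "image": "C:\\Windows\\System32\\arp.exe", "parent_image": "C:\\Users\\ops\\AppData\\Local\\Temp\\update.exe", "parent_pid": 4120}
{"time": "2019-09-04T10:14:00", "host": "ADMIN-WS-02", "image": "C:\\Windows\\System32\\ipconfig.exe", "parent_image": "C:\\Windows\\explorer.exe", "parent_pid": 3300}
{"time": "2019-09-04T10:31:00", "host": "ADMIN-WS-07", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "parent_image": "C:\\Windows\\explorer.exe", "parent_pid": 2200}
{"time": "2019-09-04T11:05:00", "host": "ADMIN-WS-02", "image": "C:\\Windows\\System32\\netstat.exe", "parent_image": "C:\\Windows\\explorer.exe", "parent_pid": 3300}
"""


def parse_events(text):
    """Parse JSON-lines process-creation records; adds a datetime and the image basename."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        rec["image_name"] = rec["image"].rsplit("\\", 1)[-1].lower()
        events.append(rec)
    return events


def find_recon_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Return one finding per parent process (host, image, pid) that launched at
    least `threshold` distinct enumeration commands within `window`."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["image_name"] in RECON_IMAGES:
            by_parent[(ev["host"], ev["parent_image"], ev["parent_pid"])].append(ev)

    findings = []
    for (host, parent_image, parent_pid), evs in by_parent.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            # Sliding window anchored at each event: distinct commands seen within `window`.
            seen = {}
            for ev in evs[i:]:
                if ev["time"] - start["time"] > window:
                    break
                seen.setdefault(ev["image_name"], ev["time"])
            if len(seen) >= threshold:
                findings.append({
                    "host": host,
                    "parent_image": parent_image,
                    "parent_pid": parent_pid,
                    "commands": sorted(seen),
                    "first_seen": start["time"],
                    "last_seen": max(seen.values()),
                })
                break  # one finding per parent is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_recon_bursts(parse_events(SAMPLE_LOG)):
        print(f"{f['host']}: {f['parent_image']} (pid {f['parent_pid']}) ran "
              f"{', '.join(f['commands'])} between "
              f"{f['first_seen']:%H:%M:%S} and {f['last_seen']:%H:%M:%S}")
```

Run against the constructed log, the script reports the burst on ADMIN-WS-07 and stays quiet on ADMIN-WS-02, whose two lookups are 51 minutes apart. Grouping by parent process rather than by host is what keeps a busy administrator's own use of ipconfig or netstat from tripping the rule; in production the window, threshold and command list would be tuned against the site's normal telemetry.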

Iyer-Mitra said the malware used at Kudankulam went undetected and could regenerate and renew itself. He compared it with the US-led cyberattack on Iranian assets using the Stuxnet worm, which severely crippled the Iranian nuclear programme. “Given the nature of the worm and the serious equipment problem at KKNPP, there are chances of a Stuxnet-style gradual attrition of capability,” he said.

IssueMakersLab, a Seoul-based expert group of malware analysts, said the Kudankulam hackers had earlier sent malware-laden emails to S.A. Bhardwaj, former chairman of the Atomic Energy Regulatory Board and an expert on thorium-based nuclear reactors, and to Anil Kakodkar, former director of the Bhabha Atomic Research Centre. North Korean hackers are said to be interested in thorium-based reactors, which will replace uranium-based nuclear reactors. India is one of the world leaders in thorium technology. IssueMakersLab also confirmed that one of the hackers who attacked India’s nuclear energy sector was “using a North Korean self-branded computer produced and used only in North Korea. And, the IP used by one of the hackers was from Pyongyang.”

There were reports that along with the Kudankulam reactor, hackers also targeted the Indian Space Research Organisation at a time when ISRO was working on its moon mission. ISRO has not confirmed or denied the reports.

For now, India seems to have escaped a crippling cyberattack. However, sensitive installations like Kudankulam remain vulnerable to more such attacks. “The malware was detected in an administrative system and not in the control system. Even then, it is strategically important as the administrative system contains all the crucial data,” said G. Sundarrajan of Poovulagin Nanbargal, a Tamil Nadu-based environmental group. “Back in 2017, nuclear watchdogs had warned that Indian systems were not failure-proof. It is risky to run this plant in a densely populated area.”