On September 4, both the Nuclear Power Corporation of India Limited (NPCIL) and the Indian Space Research Organisation (ISRO) were alerted to a possible cyber security breach of their systems by suspected malware, Indian Express has reported. The warning came from a US-based cyber security company, which said a “threat actor” had breached master “domain controllers”.
The NPCIL breach, at the Kudankulam nuclear power plant, became public on October 28. After first denying the reports, NPCIL confirmed a day later that it had, in fact, been hit by malware. It was also quick to add, though, that the potentially compromised administrative network was “isolated from the critical internal network” and that the plant’s systems were not affected.
A Department of Atomic Energy probe reportedly found that a user had connected a malware-infected personal computer to the plant’s administrative network.
ISRO did not respond to the Indian Express’s requests for comment, nor has the space agency issued a public statement. However, sources reportedly confirmed to the newspaper that authorities swung into action immediately after the alert was received, especially since the Chandrayaan 2 lunar landing (which failed) was scheduled for about 100 hours after that.
The malware used has been identified as ‘Dtrack’.
A Russian cyber security company, Kaspersky Labs, had said on September 23 that “banks and research centres in India” were targeted by Dtrack “in the beginning of September 2019”, and that this was the latest detected activity of the malware. According to Kaspersky, the malware was the work of Lazarus, “an umbrella name that typically describes hacking activity which advances Pyongyang’s interests”.
After the breach at Kudankulam became public, Seoul-based non-profit IssueMakersLab said that the same malware had also been used against South Korea’s internal military network in 2016.
VirusTotal, a virus-scanning website run by Alphabet, found that a large amount of administrative data was stolen from Kudankulam, the Washington Post reported. This means, the paper argues, that subsequent attacks could have serious repercussions for more critical systems. Cyber attacks “can be used to facilitate sabotage, theft of nuclear materials, or — in the worst-case scenario — a reactor meltdown. In a densely populated country like India, any radiation release from a nuclear facility would be a major disaster”, the newspaper says.
NPCIL’s response, according to the Washington Post, indicates that Indian authorities might not be taking these threats seriously enough. Isolating a computer or a local network from the internet – which is what the power company said it had done – does little on its own to guarantee cyber security.
“Given the low threshold of military escalation between India and Pakistan, and high potential for escalation from cyber to the real world, India may wish to treat the Kudankulam attack as a wake-up call about its vulnerable cyber defenses at nuclear facilities and other critical infrastructure,” the author, Debak Das, writes.―The Wire