A day after reports emerged suggesting that it was not just the Kudankulam Nuclear Power Plant but also ISRO (Indian Space Research Organisation) that was warned on 3 September of a possible cyber breach by a data-theft malware, the national space agency has confirmed to The Quint that they were alerted.
While an official at ISRO did say that they were alerted by CERT-In, he also added that their systems were “unaffected”. The alert of a possible intrusion into ISRO’s systems came during India’s Chandrayaan-2 mission, that commenced on 22 July and ended on 7 September.
“I can only comment that we also got the alert... our cybersecurity team got into action, they checked the whole thing and we were unaffected,” the official told The Quint.
Cyber security experts commenting on ISRO’s response pointed out that an alert would only come from CERT-In if there was an actual intrusion into its systems, as was the case in the Kudankulam security breach.
On Thursday, in a new development, an Indian cyber threat analyst who has examined the server that was hacked by North Korean threat actors to deploy attacks, has said that there is evidence to show that at least one serving ISRO scientist was sent phishing emails by the hackers.
ISRO Officials Targeted By Hackers
Yash Kadakia, founder of Security Bridge, a Mumbai-based cybersecurity company, told The Quint that he can confirm that the same server that was used to send phishing mails to senior nuclear scientists associated with the Kudankulam Plant was used to send similar emails to an ISRO scientist and other officials on various boards of the space agency.
“On the same server, the ISRO scientists were targeted as well. For the phishing emails they were using one particular server,” Kadakia said.
“We know they were targeted, they got the link, they clicked on the link. That much we can confirm so far,” Kadakia added.
Kadakia has been working alongside IssueMaker Labs, an expert group of malware analysts in South Korea – who have tracked North Korea’s cyber operations since 2008.
According to information accessed by Security Bridge, so far, thirteen people from across five agencies have been confirmed to have been sent phishing mails from the one server in question. The server was not hosted in North Korea but it was being used for these attacks.
“We do have the email address of the targeted ISRO scientist but have not publicly disclosed that information yet. We have shared it with National Critical Information Infrastructure Protection Centre (NCIIPC) so that they can look into it and investigate.”Yash Kadakia, Founder, Security Bridge Cybersecurity
Kadakia, however, clarified that there are two things he doesn’t yet know with certainty:
A) If the phishing malware successfully executed.
B) Whether officials connected with ISRO were using an official company device, personal phones or home laptops to access the mails.
Parallels With Kudankulam
The information provided by Kadakia illustrates a number of parallels with the modus operandi of the attack on Kudankulam:
1. Phishing Mails Before Malware Attack: In the Kudankulam attack, senior scientists were sent phishing mails for over a year before the actual malware on the plant was deployed. The Nuclear Power Corporation of India Limited (NPCIL), which runs the plant in Tamil Nadu, on 30 October, confirmed that the “identification of malware in NPCIL system is correct.”
2. Targeted by Same Hackers: The fact that the same server was used to send the phishing mails to scientists associated with Kudankulam plant and ISRO indicates that they were all targeted by the same set of hackers.
Simon Choi, who heads IssueMaker Labs, had told The Quint that North Korean hacker group called Kimsuky had conducted reconnaissance since at least 2018 by targeting senior nuclear physicists like Anil Kakodkar, former director of Bhabha Atomic Research Centre (BARC) and SA Bhardwaj, former chairman of the Atomic Energy Regulatory Board (AERB).
Choi had told The Quint on Wednesday that the cyber attack by suspected North Korea-based hackers on the Kudankulam Nuclear Power Plant in September was intended specifically for information theft and that the actors were able to steal technology-related data from the plant’s IT systems.
“We have found that Nuclear Power Plant technology-related data has been taken,” Choi said.
ISRO’s Response Raises Questions
An ISRO official told The Quint on Thursday that, “as far as ISRO is concerned, we got an alert, checked our systems and are unaffected. I will not go into details”
Pukhraj Singh, a cybersecurity researcher who has served at the National Technical Research Organisation (NTRO) and was the first to raise an alarm about the cyber attack on Kudankulam, asked what exactly does "checking" means in this case?
“Saying that they ‘checked’ their systems is a very abstract statement. Does it mean an anti-virus scan, an audit of the cybersecurity architecture, roping in incident responders and threat hunters, or something else? What was their protocol of response?” Singh asked.
Cybersecurity researcher Anand Venkatanarayanan, asked on a similar note: “Given that disinfection process and data gathering is still a work in progress in Kudankulam lant’s case, how is it possible that a full check was completed in the case of ISRO this fast?”
Lt Gen Rajesh Pant, National Cyber Security Coordinator, responding to queries on Wednesday about whether data was taken from the nuclear plant, had told The Quint: “Our inquiry is still in progress and we cannot comment on South Korean reports. Analysis of computer logs for forensics involves sifting terabytes of data and is a time-consuming process.”