Was the Kudankulam Nuclear Power Plant the subject of a cyber attack earlier this year?
On Tuesday, 29 October, the power plant had to issue an official denial stating: “Any attack on the Nuclear Power Plant Control System is not possible.”
This statement was issued after a number of social media posts, including by a former officer of the National Technical Research Organisation, alleged such an attack had taken place, and that the government had been aware of this since early September.
[UPDATE: On Wednesday, 30 October, the Nuclear Power Corporation of India Limited admitted that a malware attack had in fact taken place, more details in a new story here. Read on for details of the malware attack, why the power plant denial didn’t hold much water, and how an Iranian nuclear power plant was compromised by a virus in 2010.]
Camera: Sumit Badola | Producer: Srishti Tyagi
Despite the denial, questions over this potential breach of cybersecurity remain, with independent reports from VirusTotal and Kaspersky appearing to verify that a form of malware known as ‘Dtrack’ was used to attack targets in India.
Cybersecurity researcher Anand Venkatanarayanan described the official denial as “a non-statement”, explaining that “it neither confirms nor denies the malware attack. The initial reports did not say if the malware was found on the IT systems or the OT systems.”
Cybersecurity expert, Pukhraj Singh, who had first informed the National Cyber Security Coordinator Lt Gen Rajesh Pant on 3 September, told The Quint that he had pointed out that the IT network of the power plant had been compromised, which is very different from its control systems.
“A domain controller, which authenticates and authorises resources in a centralised manner, generally sits on the administrative IT network. The Operational Technology network is generally air-gapped, as it’s most critical. I was merely pointing out that the administrative IT network seems to be compromised. It doesn’t necessarily imply the reactor’s control systems were impacted.”Pukhraj Singh, Cybersecurity Expert
“They were, however, very specific of the Malware used and the virus signatures used. It is a DTrack malware which is primarily used for data theft and spying and not a malware that causes operational disruption,” Venkatanarayanan added.
How Did This Incident Come to Light?
On the evening of 28 October, a link to a report on VirusTotal.com, an independent site used to verify and track cyber attacks, was posted on Twitter. The tweet surmised that a form of malware called ‘DTRACK’ had been found in VirusTotal’s assessment.
Cybersecurity firm Kaspersky had said in a press release on 23 September that they had discovered ‘Dtrack’ previously in “Indian financial institutions and research centers”.
According to them, this form of spyware “reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record keystrokes and conduct other actions typical of a malicious remote administration tool (RAT).”
Further details of how the malware operates, including the functions it can be used to perform on an infected system, can be found here.
The initial tweet was soon shared by Singh, a former officer of the National Technical Research Organisation – the premier government agency tasked with India’s cyber defence operations (which he had played a key role in setting up).
Singh wrote that this discovery now made public a breach he had become aware of in early September, which he had alerted the government about.
In this post, Singh revealed that there had been a “Domain controller-level access” at the plant as a result of the incident.
A domain controller is a server that provides access on request to the resources of a domain, ie, a network of computers and the data on them. The domain controller authenticates users, allows access to resources based on the credentials of the user and is responsible for the security of a particular domain.
Singh went on to note that he had not discovered the intrusion himself, but after he was informed about it by a third party, he then notified Lt General Rajesh Pant, the National Cyber Security Coordinator (NCSC). He said that the third party shared further details with the NSCS in the days that followed.
Speaking to The Quint, Pant’s predecessor as NCSC Gulshan Rai explained what would have happened behind the scenes after this request was received:
“This is a very sensitive issue, one where critical infrastructure is involved. If someone has reported a malware attack to the Cyber Security Coordinator, then I am sure that they have most certainly taken this up with the Nuclear Power Corporation of India as well as the Atomic Energy Commission and the Department of Atomic Energy. The Ministry of Home Affairs will have to be notified. They would have acted upon it when it was reported.”
Singh has claimed that there was email correspondence between him and Lt General Pant acknowledging the issue. However, this is unlikely to be confirmed by the government authorities, according to Rai.
“As far as informing the reporter of the incident goes, the National Cyber Security Coordination office is under no obligation to report back, confirm or deny anything to anyone given the highly sensitive nature of the case,” he said, before clarifying that this “doesn't mean they would not have acted on it.”
Power Plant Issues Denial
Following Tharoor’s post and increasing chatter about the potential cyber attack, the Training Superintendent and Information Officer of the Kudankulam Nuclear Power Project issued a press release decrying the news as “false information” that was being propagated on social media platforms, electronic and print media.
He clarified that the Kudankulam Nuclear Power Plant and the control systems of other Indian nuclear power plants are “standalone and not connected to outside cyber network and internet.”
Such systems are said to be ‘air-gapped’, with the idea that this prevents them from being vulnerable to attacks by malware. However, experts warn that this is no guarantee that an attack cannot be carried out – precedent exists in the Stuxnet attack on an Iranian nuclear plant in 2010.
It remains to be seen if any further clarifications are issued by the government on this incident, but this is likely to remain classified.
“All I can say is this is highly sensitive and be it NTRO or Cyber Security Coordination Centre,” says Gulshan Rai, who suggests that the government “will maintain the highest level of secrecy on this.”
Problem With The Official Denial
Venkatanarayanan pointed out that the denial does not distinguish between the IT and the OT systems and tries to paint a picture as if these two system are one.
“This is problematic because a compromise even on the IT systems can reveal a lot including key personnel information, their schedules and other personal data,” he told The Quint.
At a time when cyber sphere has emerged as new domain of warfare among nations, how can an attack of this nature, that too, on a nation’s critical infrastructure be viewed?
“The compromise is also a power projection exercise. It proves to everyone that some part of the critical infrastructure can be hit even during peacetime,” he said.
“The blanket denial in not addressing these aspects, hence, is disappointing as it shows that the authorities’ visceral response to a cyber incident is always denial. Given that it is not possible to survive cyber attacks by closing our eyes, this incident shows how unprepared the authorities are, just not on responding to these incidents but even on the messaging.”Anand Venkatanaryanan, Cybersecurity Expert
Stuxnet & The Iran Nuclear Attack
While the blanket denial issued by the Kudankulam Nuclear Power Project described the reports as "false information", the reason provided in the statement gave way to further questions.
The official press statement said that, "KKNPP and other Indian Nuclear Power Plants Control Systems are standalone and not connected to outside cyber network and Internet."
There is, however, a famous precedent from 2010 where the standalone or air-gapped Natanz uranium enrichment facility in Iran was attacked by the Stuxnet virus.
It is important to remember that the concerns raised were about the presence of a malware that can enable theft of key data and not cause operational disruption. But the Stuxnet example proves that blanket denials are not a good idea.
Kim Zetter, who researched and extensively documented the attack on Iran’s nuclear plant, described the Stuxnet worm as the “world’s first digital weapon”. But what does that mean?
Stuxnet stands out and woke the world up to cyber attacks because it successfully managed to escape the digital realm and caused actual physical destruction on critical infrastructure of a nation – the uranium enrichment centrifuges.
The virus had managed to escape the air-gapped computers, as the attackers had designed the weapon to spread through infected USB pen drives.
The attack went undetected for over a year, till a team of officers from the International Atomic Energy Agency (IAEI) noticed a highly unusual failure rate in the centrifuges that were engaged in the enrichment process.
Eventually, despite no official figures being released by the Iranian government, it is estimated that 984 centrifuges were destroyed, which constituted a 30 percent decrease in enrichment efficiency.
Questions That Remain Unanswered
Despite official denials stating that it is “not possible” to carry out “any cyber attack”, a number of important questions and concerns remain unaddressed by the authorities.
Data Compromised?: The malware allegedly appears to have infected the IT system, which contains administrative information about an organisation’s functioning and is of non-critical nature. There is no acknowledgment on this front yet and we do not know if any administrative data has been compromised.
Official Denial Doesn’t Address The Concern: Pukhraj Singh had highlighted that the malware had domain controller access. This means that the administrative IT network seems to be have been compromised. The official denial in KKNPP’s statement, however, ignored this claim and clarified that its controller systems or operational technology (OT) systems were unaffected.
As Venkatanarayanan pointed out, the IT and the OT systems are separate but the denial, however, does not distinguish these two systems and tries to paint a picture as if these two system are one.
Malware Still Active: As cybersecurity companies TotalVirus and Kaspersky have pointed out, the Dtrack virus still remains an active malware. Developed by North Korea’s largest hacker group, the Lazarus Group, the ATMDtrack malware has been spotted on ATM networks of Indian banks since late summer 2018 and is designed for spying and data theft.