New Delhi: A part of a network in India’s largest civil nuclear facility, the Kudankulam Nuclear Power Plant (KNPP) in Tamil Nadu, was breached earlier this year, according to an official and a cyber security expert involved in the detection of a hack that is feared to have originated on foreign soil.
The attack, both these people told HT, did not compromise critical systems — which are contained in an isolated network to create an “air gap” — linked to the functioning of the plant, but gained access to the plant’s administrative network.
“Domain controller-level access [gained] at Kudankulam Nuclear Power Plant. The government was notified way back,” said cyber security professional Pukhraj Singh, who in a series of tweets on Monday and Tuesday contended that he was first alerted by a “third party” that discovered the hack and had in turn alerted the National Cyber Security Coordinator on September 3.
“And there was another target way more serious,” he told HT, without giving more details.
KNPP released a statement on Tuesday denying that sensitive systems were compromised. “KNPP and other Indian nuclear power plants are not connected to outside cyber network and internet. Any cyber attack on the Nuclear Power Plant Control System is not possible,” it said.
Singh, who has worked with government agencies in the past, clarified after the statement was issued that the attack was on an administrative network and not the operational one. “I think they’re confusing the domain controller with control network. I didn’t claim the latter… The administrative (not operational) network was certainly popped,” he said.
An official in a cyber security division of the government, asking not to be named, said that a tip-off was received from “a friendly country” and a team of experts was rushed to the facility located in Tirunelveli in Tamil Nadu in early September. “The foreign government’s help allowed for a quick response,” this person added, asking not to be named.
Refusing to give more details about the second incident that Singh referred to, he said the disclosure must be made by the government alone. “I think the government should be the one disclosing. I’ve told [National Cyber Coordination Centre chief] Lt Gen Rajesh Pant so. Responsible disclosure is a normal practice. Everyone gets hacked. It must be relayed with confidence and clarity,” he added.
The NCCC chief, retired Lt Gen Pant, said he would not be able to offer a comment immediately since he was travelling.
Former cyber security coordinator Gulshan Rai said indications were of an incident that did not appear to be serious. “There are no reports of any attack after some initial reports. Had systems been compromised I am sure there would be more reports. India has very robust response systems and have proved their capabilities repeatedly in the past. I’m sure there is no reason to worry,” he said.
The department of atomic energy (DAE) did not respond to request for a comment.
The disclosure of the alleged incident regarding the Kudankulam network was first triggered by a Twitter post on October 28 from an anonymous account, “@a_tweeter_user”, which pointed to a data file uploaded on a cyber security firm’s website. The file purported to show clues resembling a malware called DTrack, which was identified in late September by Russia-based Kaspersky Labs.
In a report published on September 23, Kaspersky researchers said the malware’s targets included “banks and research centres in India”.
“According to our telemetry, the last activity of DTrack was detected in the beginning of September 2019,” said the report.
Kaspersky researchers said some of the programming and execution characteristics of DTrack, and a similar malware it labelled ‘ATMDtrack’ that was found infecting Indian ATM machines, suggested a link with the Lazarus group.
The group, the report added, had targeted Seoul using a similarly designed malware in 2013. Its members are unknown, but are believed to have ties with the North Korean administration. On September 13, the US department of the treasury imposed sanctions on what they said were three North Korean state-controlled hacking groups, including Lazarus.
Governments and private corporations across the world deploy a wide variety of mechanisms to protect their networks from being hacked, with the most sensitive services often protected by what is referred to as an air gap. An air-gapped network is believed to be closed and inaccessible unless the access is done physically. In 2010, American and Israeli spy agencies are reported to have used a malware called Stuxnet, which “jumped” the air gap — it is believed to have required an initial human role to infect the first target device — and mount an attack on Iranian nuclear facilities.
Researchers have since demonstrated using novel ways, such as using the computers’ speakers at a frequency not detectable by human hearing, the ability to jump the air gap.
By special arrangement with