Not just the Kudankulam plant of the Nuclear Power Corporation of India Limited (NPCIL), the Indian Space Research Organisation (ISRO), too, was alerted of a possible breach by suspected malware, The Indian Express has learnt.
On September 3, the National Cyber Coordination Centre, set up under a classified project “to generate necessary situational awareness of existing and potential cyber security threats and enable timely information sharing,” received intelligence from a US-based cybersecurity company that a “threat actor” had breached master “domain controllers” at the Kudankulam plant and at ISRO with a malware, later identified as a “Dtrack.” Sources said both NPCIL and ISRO were alerted on September 4.
The breach at the Kudankulam plant became public on October 28 after some of the plant’s data showed up on virustotal.com, an online malware scanning service.
How malware hits the system
The malware targeting Kudankulam and ISRO in early September was identified as Dtrack. Designed to steal data, a Dtrack can give the “threat actor” complete control over all infected devices. In this case, it targeted domain controllers — the server computer that responds to security authentication requests.
On October 29, Kudankulam Nuclear Power Project (KKNPP) said that no cyber-attack was possible on the plant’s standalone control system. The next day, however, NPCIL admitted there had been an infection “in the internet connected network used for administrative purposes” and that “the matter was immediately investigated by DAE specialists.” It added: “This (network) is isolated from the critical internal network. The networks are being continuously monitored. Investigation also confirms that the plant systems are not affected.”
But there has been no word from ISRO so far.
The Indian Express sent ISRO a questionnaire Thursday. Despite several calls and messages, ISRO is yet to respond.
Sources, however, confirmed to The Indian Express that with the proposed lunar landing of Chandrayaan 2 due in about 100 hours — it subsequently failed — and the safety of a nuclear power plant at stake, a multi-agency team swung into action soon after the threat was received.
Most high-security setups operate on two “air-gapped (separate) networks”: a standalone control system that runs the core function — reactors in case of a nuclear power plant — and an online network responsible for the rest of the functions. The Dtrack malware, it is learnt, targeted the domain controller of the online network, exposing its credentials such as passwords.
On September 23, researchers at Russia-based cybersecurity company Kaspersky Labs reported that the last activity of a Dtrack malware that targeted “banks and research centres in India” was “detected in the beginning of September 2019”.
They attributed the malware to Lazarus, “an umbrella name that typically describes hacking activity which advances Pyongyang’s interests”. After the breach at Kudankulam became public last week, Seoul-based non-profit IssueMakersLab, an expert group of malware analysts, has claimed that they identified the malware as the same one that was used to infiltrate the South Korean military’s internal network in 2016.
“North Korea has been interested in the thorium based nuclear power, which to replace the uranium nuclear power (sic). India is a leader in thorium nuclear power technology,” it claimed on November 1.
Two days later, IssueMakersLab tweeted an image “of the history of malware used by the North Korean hacker group B that hacked the Kudankulam” plant. It showed a 16-digit password used to “compress a list of files on an infected PC” as well as a MBR (master boot record) Wiper version of the malware.
MBR Wipers are destructive malware often intended for cyber warfare. These can spread from an infected source to the entire network, erase files after extracting and uploading those to the attacker, and then overwrite the master boot record making the network unusable.