A day after officials at Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India, denied a cyberattack on its systems, the Nuclear Power Corporation of India Limited (NPCIL), the administrative governing body for nuclear power plants in the country, said “malware” was in one of their systems.
The NPCIL said Wednesday that only an administrative system was infected by malware and that the plant’s control systems were not affected. But others say domain controller-level access was achieved and mission-critical targets were hit.
Security researcher Pukhraj Singh in India, who has been reporting on the issue, said on Twitter: “So, it’s public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit.”
In addition, the second 1,000 MW nuclear power unit at Kudankulam, owned by NPCIL, stopped power generation Oct. 19, said Power System Operation Corporation Ltd (POSOCO). The atomic power plant stopped generation at about 12.30 a.m. on Saturday owing to “SG level low”, the company added.
There are no official statements as to why the unit was shut down. But it went down around the same time the cyber incident occurred.
The NPCIL did not specify what malware was found and whether it was on a system maintained by KKNPP. They only confirmed the presence of malware.
The threat of a potential cyberattack on Indian cyberspace was first pointed out by Pukhraj Singh, who notified Lt. Gen. Rajesh Pant (National Cyber Security Coordinator) Sept. 4.
Security researchers took to Twitter Monday after a data dump uploaded to VirusTotal by unidentified persons contained evidence of the DTRACK malware infecting one or more computers at KKNPP. DTRACK is spyware, reportedly developed by the North Korea-based hacker group Lazarus.
As the tweets related to the breach started, KKNPP officials released a press statement denying the attack.
“The tweets and all those allegations are baseless. The software in all nuclear power plants in the country is an independent one and not tied to any external network. It is false propaganda,” said R Ramdoss, the training superintendent and information officer, through the release. KKNPP had reasoned that no such attack can take place because its control systems are air-gapped, meaning they are not connected to the Internet or to any computer that is.
On Wednesday, the NPCIL, which oversees the operation of the KKNPP, said in its release: “The officials at Computer Emergency Response Team (CERT-In) informed NPCIL officials on September 4, 2019. The matter was immediately investigated by DAE specialists. The investigation revealed that the infected PC belonged to a user who was connected in the Internet-connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored. Investigations also confirm that the plant systems are not affected.”
The NPCIL is a public sector enterprise under the administrative control of the Department of Atomic Energy (DAE) and comes under the Prime Minister’s Office (PMO). NPCIL operates atomic power plants, such as KKNPP, and implements atomic power projects for electricity generation.
“Can we say this was absolutely shut down? I don’t think so, but there was a series of breadcrumbs saying the attack started in IT and led to OT,” said Michael Rothschild, director of marketing at security provider Indegy.
While the full facts are not yet known, we do know threat detection at the facility was not where it should have been and situational awareness appeared very low.
“This appears to be like the canary in the mine where the canary died but they didn’t do anything about it,” Rothschild said.
This report was compiled by Gregory Hale from reporting and wire and Twitter reports.