"I just witnessed a casus belli in the Indian cyberspace and it sucks at every level," tweeted Pukhraj Singh, a cyber threat intelligence analyst who has worked with the government and global security teams, on September 7. The allusion didn't go viral at the time; over a month later, it has become cause for concern.
On Tuesday morning, the Kudankulam Nuclear Power Project’s Training Superintendent and Information Officer issued a press release rubbishing “false information” about a “cyberattack” on the power plant.
The release was issued after a report by VirusTotal, an internet security service owned by Google, flagged malware which cyber-security firm Kaspersky had already warned of. The ‘virus’, called DTrack, a version of which has been used to “infiltrate Indian ATMs and steal customer card data”, comes from the North Korean hacker group Lazarus, according to Kaspersky.
It was the trigger for Singh to state on Twitter that he had already warned the Indian government as far back as September 3 after being tipped off by a third party.
So, it's public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit. https://t.co/rFaTeOsZrw pic.twitter.com/OMVvMwizSi — Pukhraj Singh (@RungRage) October 28, 2019
The official release from Kudankulam continued: “This is to clarify Kudankulam Nuclear Power Plant (KNPP) and other Indian Nuclear Power Plants Control are standalone and not connected to outside cyber network and Internet. Any cyberattack on the Nuclear Power Plant Control System is not possible. Presently, KKNPP Unit-1 and 2 are operating at 1000 MWe and 600 MWe, respectively without any operational or safety concerns.”
On October 19, news agency IANS had reported that the 1000 MW second plant at Kudankulam had stopped operation that day.
A report in The Indian Express on Wednesday quoted an anonymous source within the National Cyber Security Council (NCSC) who confirmed that a “breach” had indeed taken place which affected administrator systems and not “main operations”.
In an interview with Outlook over email, Singh said: “highly critical Indian targets were definitely hit.”
Q: Is it possible to figure out the nature of the intrusion and what targets were hit?
I think it's work in progress. Cyber threat intelligence companies are still ascertaining it. But, yes, some highly critical Indian targets were definitely hit.
Q: Was it a DTrack intrusion?
There is indeed some overlap in the attack infrastructure of DTrack and the one which I mentioned. But nothing can be said with certainty without more inputs from the threat intelligence industry.
Q: Is it possible to figure out what data has been accessed from DTrack Payload Data Collection?
It would be irresponsible to do guesswork. The government should take the call.
Q: As you've said on Twitter, you were alerted to the breach by a third party which you took up with the NCSC. What sent the alarm bells ringing?
Yes, I was informed by a third party. Seeing the nature of the targets set the alarm bells ringing. I informed NCSC on September 3.
Q: The KKNPP release says 'control systems' weren't affected while you've mentioned that the domain controller was hit. What difference does that make?
Control systems are software interfaces managing the critical equipment of the power plant. It's the sanctum sanctorum, the most critical piece. A domain controller is what authorises access to resources on a network. The latter generally runs on the administrative IT network, segregated from the operational technology network where the control systems are located. I would be making an informed guess that while the attacker had privileged access to the IT network, the OT network may have been spared.
Q: The press release also mentions that the systems are 'standalone' ones. Is it possible for them to be on an island, so to speak?
This is an academic discussion with many ifs and buts.
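Singh's distinction above, between a domain controller on the administrative IT network and the control systems on a segregated OT network, and the "ifs and buts" of whether a plant network is really standalone, can be made concrete as a segmentation audit. The following is an added example written for this page, not code from the article or from any plant operator; every zone, host and firewall rule in it is constructed sample data. It models inter-zone rules as directed edges, computes the set of hosts reachable from a compromised zone, and flags the rules that give an IT-side intruder a path into OT.

```python
"""Audit a zoned network policy for paths from the IT zone into the OT zone.

Added example, not from the article. Hosts, zones and rules are constructed
sample data. A Rule says that connections may be *initiated* from src_zone to
dst_zone on dst_port (0 = any port); reachability follows rules transitively.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int  # 0 means any port


@dataclass(frozen=True)
class Host:
    name: str
    zone: str
    role: str


# Constructed inventory: a domain controller lives in IT, control systems in OT,
# with a historian mirror in a DMZ that both sides talk to.
HOSTS = [
    Host("it-dc01", "IT", "domain controller"),
    Host("it-ws17", "IT", "workstation"),
    Host("dmz-hist01", "DMZ", "historian mirror"),
    Host("ot-hmi01", "OT", "HMI"),
    Host("ot-plc01", "OT", "PLC"),
]

# Constructed "standalone" policy: OT pushes data out to the DMZ, IT reads the
# DMZ, nothing is allowed to initiate a connection into OT.
SEGREGATED = [
    Rule("INTERNET", "IT", 443),
    Rule("IT", "DMZ", 443),
    Rule("OT", "DMZ", 1433),
]

# Constructed misconfiguration: a remote-desktop convenience rule from IT into OT,
# the kind of exception that makes "standalone" an academic claim.
BRIDGED = SEGREGATED + [Rule("IT", "OT", 3389)]


def zones_reachable(rules, start_zone):
    """Breadth-first search over zones following rule direction."""
    seen = {start_zone}
    queue = deque([start_zone])
    while queue:
        zone = queue.popleft()
        for r in rules:
            if r.src_zone == zone and r.dst_zone not in seen:
                seen.add(r.dst_zone)
                queue.append(r.dst_zone)
    return seen


def blast_radius(hosts, rules, compromised_zone):
    """Names of hosts an intruder holding compromised_zone can initiate connections to."""
    zones = zones_reachable(rules, compromised_zone)
    return sorted(h.name for h in hosts if h.zone in zones)


def offending_rules(rules, protected_zone="OT", origin_zone="IT"):
    """Rules that land in protected_zone from any zone an origin_zone intruder can reach."""
    reach = zones_reachable(rules, origin_zone)
    return [
        r for r in rules
        if r.dst_zone == protected_zone
        and r.src_zone != protected_zone
        and r.src_zone in reach
    ]


if __name__ == "__main__":
    for label, policy in (("segregated", SEGREGATED), ("bridged", BRIDGED)):
        print(f"{label}: IT compromise reaches {blast_radius(HOSTS, policy, 'IT')}")
        print(f"{label}: rules exposing OT -> {offending_rules(policy)}")
```

Under the segregated policy a domain-controller compromise in IT reaches only IT and DMZ hosts, which matches Singh's informed guess that the OT network may have been spared; under the bridged policy the single exception rule puts the HMI and PLC inside the blast radius, and `offending_rules` names it. The model treats rules as directional on connection initiation and does not reason about responses flowing back over an OT-initiated session, so a real audit should also review what the OT-to-DMZ channel carries.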