A day after officials at Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu denied a cyberattack on its systems, the Nuclear Power Corporation of India Limited (NPCIL), the administrative body that governs nuclear power plants in the country, admitted that "malware" had been identified on one of its systems.
In an official press release on Wednesday, the NPCIL said that only an administrative system had been infected by malware and that the plant's control systems were not affected. The NPCIL did not specify what malware was found or whether it was on a system maintained by KKNPP; it only confirmed the presence of malware, as pointed out by various security researchers on social media.
The threat of a potential cyberattack on Indian cyberspace was first pointed out by an Indian Twitter user Pukhraj Singh who notified Lt Gen Rajesh Pant (National Cyber Security Coordinator) on Sep 4.
Cyber security researchers took to Twitter on Monday after a data dump uploaded to the website VirusTotal by unidentified persons contained evidence of the malware DTRACK infecting a computer or computers at KKNPP. DTRACK is spyware, reportedly developed by the infamous North Korea-based hacker group Lazarus.
As the tweets related to the breach started grabbing eyeballs on social media, KKNPP officials released a press statement denying that any such cyberattack had taken place. "The tweets and all those allegations are baseless. The software in all nuclear power plants in the country is an independent one and not tied to any external network. It is false propaganda," said R Ramdoss, the training superintendent and information officer, through the release. KKNPP had reasoned that no such attack can take place because its control systems are air-gapped, meaning they are not connected to the internet or to any computer that is connected to the internet.
However, on Wednesday, the NPCIL, which oversees the operation of KKNPP, said in its release, "The officials at Computer Emergency Response Team (CERT-In) informed NPCIL officials on September 4, 2019. The matter was immediately investigated by DAE specialists. The investigation revealed that the infected PC belonged to a user who was connected to the internet-connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored. Investigations also confirm that the plant systems are not affected."
The NPCIL is a public sector enterprise under the administrative control of the Department of Atomic Energy (DAE) and comes under the Prime Minister's Office (PMO). NPCIL operates atomic power plants, such as KKNPP, and implements atomic power projects for electricity generation.
Pukhraj, the security researcher who first observed and alerted authorities about the cybersecurity breach, also told TNM that only the administrative IT network of the nuclear power plant seemed to be compromised.
He, however, added that it was not a trivial matter and that he did not wish to create panic. "A domain controller, which authenticates and authorises resources in a centralised manner, generally sits on the administrative IT network. The Operational Technology network is generally air-gapped, as it's most critical. I was merely pointing out that the administrative IT network seems to be compromised. It doesn't necessarily imply the reactor's control systems were impacted."
Meanwhile, Poovulagin Nanbargal, an environmental group, reacted by saying, "The acceptance of cyber attack in NPCIL systems by NPCIL only confirms the worst fears that nuclear reactors are not only prone to natural disasters but also to cyber attacks. The callous manner in which NPCIL dealt with this issue even furthers the fears. We want the state and central government to investigate this cyber attack and bring the culprits to task. We want the state government to scrap the permissions given for further expansion of reactors as any disaster is the responsibility of the state government."