Not only Kudankulam, ISRO, too, was alerted of cyber security breach

The breach at the Kudankulam plant became public on October 28 after some of the plant’s data showed up on virustotal.com, an online malware scanning service.

On October 29, Kudankulam Nuclear Power Project (KKNPP) said that no cyber-attack was possible on the plant’s standalone control system. The next day, however, NPCIL admitted there had been an infection “in the internet connected network used for administrative purposes” and that “the matter was immediately investigated by DAE specialists.” It added: “This (network) is isolated from the critical internal network. The networks are being continuously monitored. Investigation also confirms that the plant systems are not affected.”

But there has been no word from ISRO so far.

The Indian Express sent ISRO a questionnaire Thursday. Despite several calls and messages, ISRO is yet to respond.

Sources, however, confirmed to The Indian Express that with the proposed lunar landing of Chandrayaan 2 due in about 100 hours — it subsequently failed — and the safety of a nuclear power plant at stake, a multi-agency team swung into action soon after the threat was received.

Also Read | Kudankulam nuclear plant denies hacking of its control system, officials say audit found breach

Most high-security setups operate on two “air-gapped (separate) networks”: a standalone control system that runs the core function — reactors in case of a nuclear power plant — and an online network responsible for the rest of the functions. The Dtrack malware, it is learnt, targeted the domain controller of the online network, exposing its credentials such as passwords.

On September 23, researchers at Russia-based cybersecurity company Kaspersky Labs reported that the last activity of a Dtrack malware that targeted “banks and research centres in India” was “detected in the beginning of September 2019”.

They attributed the malware to Lazarus, “an umbrella name that typically describes hacking activity which advances Pyongyang’s interests”. After the breach at Kudankulam became public last week, Seoul-based non-profit IssueMakersLab, an expert group of malware analysts, has claimed that they identified the malware as the same one that was used to infiltrate the South Korean military’s internal network in 2016.

“North Korea has been interested in the thorium based nuclear power, which to replace the uranium nuclear power (sic). India is a leader in thorium nuclear power technology,” it claimed on November 1.

Two days later, IssueMakersLab tweeted an image “of the history of malware used by the North Korean hacker group B that hacked the Kudankulam” plant. It showed a 16-digit password used to “compress a list of files on an infected PC” as well as a MBR (master boot record) Wiper version of the malware.

MBR Wipers are destructive malware often intended for cyber warfare. These can spread from an infected source to the entire network, erase files after extracting and uploading those to the attacker, and then overwrite the master boot record making the network unusable.