Two days ago a well-known cybersecurity researcher sent alarm bells ringing when he claimed that he had found a data dump that indicated India’s newest nuclear power plant had been hacked. As the Indian government scrambled to come up with a response, cybersecurity researchers across the globe began to sift through the data looking for clues.
India has a number of nuclear power plants across the country.
The fact that the nuclear power plant had ostensibly been hacked was also known to Pukhraj Singh, a respected Indian cybersecurity professional who had also served in India’s technical intelligence agency, the NTRO (National Technical Research Organization). The NTRO is India’s equivalent of the US National Security Agency. Singh left the NTRO a few years ago and has since been working on cyber-threat intelligence as a private consultant. It was Singh who pointed to the independent security researcher who had posted details of the hack on Twitter.
On October 28, there was a reference to malware (malicious software or virus) that dumps data from various systems into a shared drive using the power plant’s domain controller administrator’s credentials. “So it’s public now,” Singh said on Twitter. “Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit,” he said.
India is a recognized nuclear weapons power, and its civil and military nuclear programs are joined at the hip. The Department of Atomic Energy reports directly to the prime minister, as does the Nuclear Command Authority. This makes any cyber breach at any level a major security threat.
A few hours later the authorities at the nuclear power plant issued a denial. “Some false information is being propagated on social media. This is to clarify that Kudankulam Nuclear Power Plant and other Indian nuclear power plant control systems are stand-alone and not connected to outside cyber network and internet. Any cyberattack on the power plant is not possible,” the statement asserted.
But it seems that the level of detail put out in the public domain by the cybersecurity researchers probably forced the government to switch from outright denial to a grudging acknowledgment that the nuclear power plant’s IT systems had been breached.
But most security researchers who had seen the leaked data were not convinced.
Hidden clues in the virus
Two senior Indian government officials who work on cyber threats confirmed to Asia Times that they had been alerted about the threat in September this year. “We can assure everyone that this was officially taken up at the highest levels and a team was dispatched to carry out an audit,” one of the senior government officials told Asia Times. “The audit found that there was a breach and efforts are still going on to address it.”
So why did the power plant issue a denial? Security researchers point to the clever wording of the statement behind the denial.
The standard design of a nuclear power plant typically requires two distinct networks that are critical to its operations. One is known as the industrial control system (ICS) or operational technology (OT). This controls the actual running of the machines in the plant, controlling the input and output of data to ensure power is generated through a controlled nuclear reaction. This was clearly not compromised, and hence the denial.
However, all other functions of the plant are based on information technology (IT) systems that contain vast amounts of data. This data is essential for all sorts of functions such as managing personnel, access controls, safety standards, maintenance schedules and quality monitoring among a host of other functions. By its nature, as cybersecurity researchers pointed out, this is connected to the internet. This secure virtual domain that all the IT functions of the plant rested on was compromised.
This attack was very different from the Stuxnet cyber virus that crippled Iran’s nuclear plants a few years ago. At that time American intelligence operatives managed to plant an infected USB stick on an Iranian nuclear scientist at a conference. As soon as he plugged it into a computer that was connected to the ICS portion of the plant, the virus exploited a vulnerability in the Windows operating system and slowed down the centrifuges.
However, in India, hackers managed to access the vast amounts of data lying on the IT side of the plant. The information embedded within the malware gave the first clues. It led to a family of online viruses known as DTrack, designed to suck out data from secure systems.
The North Korean link
DTrack is the same malware that accomplished a successful breach a few years ago in India’s banking system. It is considered a “new type” of malware, deliberately created for data theft and spying. The anti-virus and cybersecurity solutions firm Kaspersky was the first to label it “DTrack,” on September 23, and to start mapping its many mutations.
According to Kaspersky, the DTrack family of malware is associated with a hacking entity known as the “Lazarus Group.” While there is no hard intelligence on who the “Lazarus Group” works for, there have been indications that it has done some work for North Korea.
Kaspersky’s detailed analysis indicated that it had similarities to another related virus called “ATM DTrack.” This was used to steal financial information from bank ATMs and has been found in many financial institutions and research centers. In October 2016, a major breach was detected at an Indian private bank’s ATM network that quickly spread through the entire banking system. In a few months the government had to recall an estimated 2.9 to 3.2 million credit and debit cards that had been compromised by the “ATM DTrack” virus.
“Unfortunately, at that time we did not take the threat as seriously as we should have. The concerned private firm where the data breach took place never alerted us, and the virus spread quickly. By the time we managed to discover it, a lot of damage had already taken place,” the senior Indian government cybersecurity official said.
Singh’s initial alert and disclosures were confirmed by the well-known site VirusTotal, which in turn contacted 46 virus-scanning engines that classified it as part of the DTrack malware family. Another independent security researcher and Kaspersky also confirmed that this was indeed the DTrack virus. As Singh revealed later on, he had alerted India’s National Cyber Security Coordinator, who works under the Prime Minister’s Office.
The fact that the credentials of the power plant’s IT domain controller were also found exposed the enormity of the situation. This was the clearest indication that not only the domain controller but also the internal network of the power plant had been successfully breached by the hackers. It also indicated that this malware was custom-designed for the Kudankulam Nuclear Power Plant’s IT systems. Someone had carried out a detailed reconnaissance of its IT systems, found an opening and successfully inserted the DTrack virus.
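As an added illustration of the behaviour the article describes (malware dumping data from various systems onto a shared drive using the domain controller administrator’s credentials), here is a defender-side check for the tell-tale pattern of one privileged account logging on from many hosts and writing to a single share within a short window. This is not code from the article, Kaspersky or any of the researchers named; the log layout, event numbers’ field mapping, host names and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real telemetry) in an assumed layout:
# timestamp|event_id|account|source_host|share
# 4624 is treated here as a network logon, 5145 as a file-share write.
SAMPLE_LOG = """\
2019-09-03T02:10:05|4624|CORP\\dc-admin|WS-HR-01|
2019-09-03T02:10:09|5145|CORP\\dc-admin|WS-HR-01|\\\\FS01\\dump
2019-09-03T02:14:31|4624|CORP\\dc-admin|WS-MAINT-07|
2019-09-03T02:14:40|5145|CORP\\dc-admin|WS-MAINT-07|\\\\FS01\\dump
2019-09-03T02:21:12|4624|CORP\\dc-admin|WS-QA-03|
2019-09-03T02:21:15|5145|CORP\\dc-admin|WS-QA-03|\\\\FS01\\dump
2019-09-03T09:02:44|4624|CORP\\jdoe|WS-HR-01|
2019-09-03T09:05:10|5145|CORP\\jdoe|WS-HR-01|\\\\FS01\\shared
2019-09-03T16:30:00|4624|CORP\\dc-admin|DC01|
"""

def parse(log_text):
    """Turn the pipe-separated lines into (ts, event_id, account, host, share)."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, host, share = line.split("|")
        events.append((datetime.fromisoformat(ts), int(eid), account, host, share or None))
    return events

def flag_credential_sweep(events, window=timedelta(minutes=30), min_hosts=3):
    """Flag accounts that log on from >= min_hosts distinct hosts inside one
    window and also write to a share in that window: one credential, many
    sources, one collection point. Returns {account: {"hosts", "shares"}}."""
    logons = defaultdict(list)  # account -> [(ts, host)]
    writes = defaultdict(list)  # account -> [(ts, share)]
    for ts, eid, account, host, share in sorted(events, key=lambda e: e[0]):
        if eid == 4624:
            logons[account].append((ts, host))
        elif eid == 5145 and share:
            writes[account].append((ts, share))
    findings = {}
    for account, seq in logons.items():
        for i, (start, _) in enumerate(seq):
            end = start + window
            hosts = sorted({h for t, h in seq[i:] if t <= end})
            if len(hosts) < min_hosts:
                continue
            shares = sorted({s for t, s in writes[account] if start <= t <= end})
            if shares:  # many-host logons alone could be a legitimate scheduled task
                findings[account] = {"hosts": hosts, "shares": shares}
                break
    return findings
```

In the constructed sample only the domain admin account trips the rule; a normal user logging on from one workstation does not.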
Indian government officials said attributing a cyberattack is one of the hardest jobs in the world. For now, as this episode has revealed, a very clear and present danger threatens India’s most critical sectors.