Casus belli: Malware found in Indian nuclear plant's network

Researcher calls the malware attack an act of war as the nuclear power plant is not the only facility that was compromised

The Nuclear Power Corporation of India Limited (NPCIL) has conceded that malware was found on the administrative network of its nuclear power plant in Kudankulam. The acknowledgement comes a day after the public sector organisation denied the possibility of any attack affecting the nuclear plant's control systems.

On Monday, social media picked up tweets posted in September by cyber-security expert Pukhraj Singh saying that the Kudankulam nuclear plant's systems were infected with malware. He called it a casus belli (an act of war). The Kudankulam Nuclear Power Plant (KKNPP) staunchly refuted the news.

"Our control systems are standalone and not connected to outside cyber-network and internet. Any cyber-attack on the Nuclear Power Plant Control system is not possible," said KKNPP training superintendent and information officer R Ramadoss in a press release on 29 October.

A day later, NPCIL confirmed the malware attack and said the Indian Computer Emergency Response Team (CERT-In) was alerted.

"Identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019," said NPCIL associate director AK Nema in a press release.

"The investigation revealed that the infected PC belonged to a user who was connected to the Internet-connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored," it added.

Security experts have pointed out that the malware is a version of Dtrack. The backdoor trojan shares code with malware that has been traced back to the Lazarus threat group, which the US Justice Department classifies as a North Korean state-sponsored hacking operation.

"We first saw early samples of this malware family in 2013, when it hit Seoul," said a Kaspersky blog post on Dtrack. "Now, six years later, we see them in India, attacking financial institutions and research centers."

The Indian Express reported that a third-party multinational IT company discovered the attack in early September and alerted India’s National Cyber Security Council (NCSC).

What fuelled the circulation of Pukhraj Singh's tweet was the fact that the power plant had an unexpected shutdown of one of its reactors recently, the latest in a series of breakdowns.

The nuclear power plant is not the only facility that was compromised, Singh told Ars Technica. He called the malware attack an act of war because of the second target, which he did not disclose, the report said.

"It should come as no surprise that India is both a target for political and economic reasons or a major player, ready-or-not, in the cyber-arena too. India has offensive and defensive cyber-capabilities, is a nuclear power, has a massive percentage of the world’s population, the largest middle class in the world and the world’s largest democracy," commented Sam Curry, chief security officer at Cybereason.

"It is strategic and has deep ties with the leading economies like the USA. That makes India a massive part of the geopolitical landscape and by extension of the cyber-landscape. It’s time for India to step up activities, and it’s time for a new alignment and balance of power in the cyber-domain to match what we do in others: land, sea, air, space," he said.
