Kudankulam Nuclear Power Plant Hit By Cyberattack

India’s second nuclear power unit stopped operating on 19th October 2019. It is suspected that the Kudankulam Nuclear Power Plant was hit by a cyberattack and the authorities were already alerted of the threat months in advance. Even as cybersecurity experts were investigating the case, the authorities were quick to dismiss any occurrence of a spyware infiltrating their systems. Although in a subsequent press release the authorities accepted the cyberattack on their systems. The power plant project built in collaboration with Russia has been a target of foreign players since its inception. Meanwhile, the cybersecurity community is concerned whether the Kudankulam hackers did steal India’s Thorium secrets.

Kudankulam Nuclear Power Plant hit by Cyberattack
Kudankulam Nuclear Power Plant hit by Cyberattack

Nuclear Power Unit stops operating

The second 1,000 MW nuclear power unit at Kudankulam, owned by the Nuclear Power Corporation of India Ltd (NPCIL) stopped power generation on Saturday 19th October, said Power System Operation Corporation Ltd (POSOCO). The atomic power plant stopped generation about 12.30 a.m. on Saturday owing to “SG level low”, the company added. The expected date of the unit’s revival is not known. The NPCIL has two 1,000 MW nuclear power plants at Kudankulam Nuclear Power Project (KNPP) built with Russian equipment.

Official statement from Kudankulam Power Plant Project on Cyberattack
Official statement from Kudankulam Power Plant Project on Cyberattack

While cybersecurity experts are investigating the breach, the Kudankulam Nuclear Power Plant in Tamil Nadu has denied being the victim of a cyber attack and denied any incident of a spy virus having infected the systems at the plant. The statement asserted that since “Kudankulam Nuclear Power Plant Project (KKNPP) and other Indian Power Plants Control Systems are stand alone and not connected to outside cyber network and Internet, any cyberattack on the Nuclear Power Plant Control Systems is not possible.” This however, is a false assertion which was exposed when Israeli intelligence targeted Iranian Nuclear facility (which also was not connected to Internet) with Stuxnet.

NPCIL confirms Cyberattack

After initially denying the incident the Nuclear Power Corporation of India Ltd (NPCIL) on Wednesday accepted cyber attack on its system.

“Identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019,” a statement issued by NPCIL said. “The matter was immediately investigated by DAE (Department of Atomic Energy) specialists. The investigation revealed that the infected PC belonged to a user who was connected in the internet connected network for administrative purposes. This is isolated from the critical internal network,” it said adding the networks are being monitored continuosly. The statement said that the plant systems were not affected by the malware.

Nuclear Power Corporation of India confirms Cyberattack
Nuclear Power Corporation of India confirms Cyberattack

Prior warning

More than a month before the unit stopped operating, the National Cyber Security Coordinator Office was notified of an intrusion of their systems by cyber threat intelligence analyst, Pukhraj Singh. The alert was generated on investigation by cybersecurity firm Kaspersky into spy tools dubbed DTrack.

[jetpack_subscription_form title="Subscribe to GreatGameIndia" subscribe_text="Enter your email address to subscribe to GGI and receive notifications of new posts by email."]

“Domain controller-level access [gained] at Kudankulam Nuclear Power Plant. The government was notified way back,” said cyber security professional Pukhraj Singh, who in a series of tweets on Monday and Tuesday contended that he was first alerted by a “third party” that discovered the hack and had in turn alerted the National Cyber Security Coordinator on September 3.

“And there was another target way more serious,” he told HT, without giving more details.

An official in a cyber security division of the government, asking not to be named, said that a tip-off was received from “a friendly country” and a team of experts was rushed to the facility located in Tirunelveli in Tamil Nadu in early September. “The foreign government’s help allowed for a quick response,” this person added, asking not to be named.

Refusing to give more details about the second incident that Singh referred to, he said the disclosure must be made by the government alone. “I think the government should be the one disclosing. I’ve told [National Cyber Coordination Centre chief] Lt Gen Rajesh Pant so. Responsible disclosure is a normal practice. Everyone gets hacked. It must be relayed with confidence and clarity,” he added.

DTrack Data Collection

DTrack data dump of the power plant also revealed statically encoded login credentials among other things:

Kudankulam Nuclear Power Plant DTrack data collection
Kudankulam Nuclear Power Plant DTrack data collection
Kudankulam Nuclear Power Plant DTrack data collection
Kudankulam Nuclear Power Plant DTrack data collection
  • Login credentials
  • Local IP, MAC, OS install information (including registered org) via registry
  • Browser history
  • Connectivity to local IP
  • Compspec, ipconfig, netstat info
> net use \\\\10.38.1.35\\C$ su.controller5kk /user:KKNPP\\administrator

DTrack – Spy Tool

Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).

In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with the ATMDtrack, but at the same time were not aimed at ATMs. Instead, its list of functions defined it as spy tools, now known as Dtrack. Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistence threat actor responsible for multiple cyberespionage and cyber sabotage operations.

Dtrack can be used as a RAT, giving threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes.

Entities targeted by threat actors using Dtrack RAT often have weak network security policies and password standards, while also failing to track traffic across the organization. If successfully implemented, the spyware is able to list all available files and running processes, key logging, browser history and host IP addresses, including information about available networks and active connections.

The newly discovered malware is active and based on Kaspersky telemetry, is still used in cyberattacks.

“Lazarus is a rather unusual nation state sponsored group. On one hand, as many other similar groups do, it focuses on conducting cyberespionage or sabotage operations. Yet on the other hand, it has also been found to influence attacks that are clearly aimed at stealing money. The latter is quite unique for such a high profile threat actor because generally, other actors do not have financial motivations in their operations,” said Konstantin Zykov security researcher, Kaspersky Global Research and Analysis Team.

“The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets.

The Foreign Hand

In 2012, the then Prime Minister of India Manmohan Singh in a starting disclosure claimed that foreign intelligence agencies were involved in the sabotage of the Kudankulam Nuclear Power Plant Project (KNPP), a bedrock of India-Russia alliance. Manmohan Singh was referring to the anti-nuclear protests in Kudankulam, which he claimed were orchestrated by American-backed NGOs.

After repeated denials for over a year from fishermen and farmers who were opposing the protest against the KNPP that they were being funded from overseas, the police in the southern Indian town opened a case against a “suspicious money transfer” from London.

The police said T. Ambika, wife of anti-KNPP activist Kumar alias Thavasi Kumar, received around $55,000 in her account with Canara Bank’s Kudankulam Banch from a particualar Anand based in the United Kingdom. Officials from the bank let the police know about the deposit in the account. The police then started an enquiry about the money being sent from a foreign destination to one associated with the ongoing anti-KNPP struggle.

Intelligence Report

According to a secret Intelligence Bureau document in possession of GreatGameIndia the protests were spear-headed by Ohio State University funded, SP Udaykumar, and a host of Western-funded NGOs. The larger conspiracy was unraveled when a German national provided Udaykumar a scanned map of all nuclear plant and uranium mining locations in India. The map included contact details of 50 Indian anti-nuclear activists revealing an intricate Network aimed to ‘take-down’ India’s nuclear program through NGO activism.

An enquiry of Udaykumar had revealed a deep and growing connection with US and German entities. In July 2010, Udaykumar received an unsolicited contract from the Kirwan Institute for Study of Race and Ethnicity at the Ohio State University, USA as a Consultant on “Group, Race, Class and Democracy issues through NGOs”. He was paid $21,120 upto June 2011 in a US bank account in his name and was contracted to earn another $17,600 upto April 2012 for fortnightly reports. These reports were significant in the fact that they were very brief lists of three general articles or books purported to have been read in the past fortnight, none relating to anti-nuclear activism, his main interest.

As a result, Udaykumar’s contact in Germany, one Sonntag Rainer Hermann (German national) was deported from Chennai on February 27, 2012. Hermann’s laptop contained a scanned map of India with 16 nuclear plants (existing or proposed) and five uranium mine locations marked prominently. The map also included contact details of 50 Indian anti-nuclear activists hand-written on small slips of paper along with a Blackberry PIN graph. The map was sent via email to five prominent anti-nuclear activists, including Udaykumar.

Map acquired from a German spy by the Intelligence Bureau with 16 nuclear plants (existing or proposed) and five uranium mine locations marked prominently.
Map acquired from a German spy by the Intelligence Bureau with 16 nuclear plants (existing or proposed) and five uranium mine locations marked prominently.

Sustained analysis revealed that the name slips on the map were hand-written in order to avoid possible detection by text search algorithms said to be installed at e-gateways. The map clearly indicated the involvement of an organized agency and/or a highly professional, well-funded entity, which expends considerable effort in masking its origins.

Based on the above enquiry, network analysis of all anti-nuclear NGO activity in India revealed the existence of

  1. One ‘Super Network’ (prominently driven by Greenpeace and renowned activists) and
  2. Five ‘Territorial Networks’ based out of
    1. Tamil Nadu (Idinthakarai, District Tirunelveli),
    2. Kerala (Trivandrum),
    3. Andhra Pradesh (Hyderabad),
    4. Gujarat (Ahmedabad),
    5. Meghalaya (Shillong)

Analysis

On October 19th, the second nuclear power unit at Kudankulam stopped operating.

Kaspersky, a cybersecurity firm founded by Russian intelligence was monitoring suspicious activities of spyware dubbed DTrack infiltrating the administrative controls eventually gaining domain controller level access to Kudankulam Nuclear Power Plant.

The same information was relayed to KNPP officials through cybersecurity expert Pukhraj Singh in early September. Ultimately, the team was able to contain the impact of the cyber strike from causing more damage.

Although an official statement from a low-level official from KNPP denied the incident claiming, since the “control systems at India’s power plants are not connected to the Internet, any cyber strike is impossible”.

This is, however, a false assumption. A similar incident occurred at Iranian Nuclear facility at Natanz targeted by Israeli intelligence through stolen NSA tools now known as Stuxnet.

Iranians, with the help of the Russians, were although able to contain severe damage, a valuable lesson was learned. The myth of the impenetrable air-gap network was shattered in front of the whole world.

It was these same lessons learnt during the Iranian incident that helped to prevent a catastrophe at KNPP. As quoted by News Meter.

FDI in Nuclear Power

Update: 13/01/2020

Months after the cyberattack at Kudankulam in which India’s Thorium Secrets were stolen, the Indian government is contemplating to allow FDI in nuclear power area. The decision, likely to be considered by the Prime Minister’s Office (PMO), would be a paradigm shift in India’s nuclear power policy, and subsequently open the gates for multinational companies to overtake the country’s nuclear energy projects.

GreatGameIndia is a journal on Geopolitics and International Relations. Get to know the Geopolitical threats India is facing in our exclusive book India in Cognitive Dissonance. Send in your tips and submissions by filling out this form or write to us directly at the email provided.

Join us on Telegram for more intel and updates

Leave a Reply