A relatively large nuclear power plant, currently in full operation mode, was allegedly attacked by persistent threat groups through sophisticated malware. The cybercriminals reportedly gained administrative control of an important network, but may not have been able to reach or breach the core or internal network which directly connects to the nuclear power plant. The Kundankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India, is now fully operational, but the threat might not be completely eradicated, claim experts.
According to an online news platform, the “External Network” at the Kundankulam Nuclear Power Plant (KKNPP) in Tamil Nadu was allegedly compromised early last month. The cybersecurity authorities in charge of safeguarding the sensitive and vulnerable networks have insisted that the nuclear power plant is safe and protected. However, the independent cybersecurity expert who was first made aware of the cyberattack, claims the attack was rather serious, and the authorities allegedly confirmed the presence of unauthorized system-level access.
I just witnessed a casus belli in the Indian cyberspace and it sucks at every level.
— Pukhraj Singh (@RungRage) September 7, 2019
Dtrack Malware Allegedly Infects ‘External Network’ On Indian Nuclear Power Plant
Pukhraj Singh, a cybersecurity expert, claims the successful breach of network security of a nuclear power plant is a “casus belli” or an act of war. He claims the attack was most probably carried out via malware Dtrack. Moreover, the breach allegedly gave domain controller level access at the KKNPP in Tamil Nadu. He further claims that “extremely mission-critical targets were hit”, but didn’t give any details. Singh also claims that in a string of emails the issue was acknowledged by the National Cyber Security Coordinator, Lt Gen. (Dr) Rajesh Pant.
Seeing KKNPP’s press release, I would like to add that I notified Lt Gen Rajesh Pant (National Cyber Security Coordinator) on Sep 4. Follow-up emails were exchanged, acknowledging the issue. I would solicit no further enquiries on the matter, requesting privacy. https://t.co/SMdABbJcvQ
— Pukhraj Singh (@RungRage) October 29, 2019
The attack allegedly involved crippling or compromising a Domain Controller. The device is essentially a gateway that checks the authenticity of devices attempting to access the network. Needless to add, if the Domain Controller is compromised, it can easily be manipulated to approve or ignore devices owned and operated by unauthorized agents. The attack was reportedly carried out using a malware Dtrack, which belongs to a persistent and global cybercrime group called ‘Lazarus’. The group’s creation is a collection of tools that collectively attempt to bypass security and gain unauthorized administrative control of successfully infected devices. According to the cybersecurity expert, the “External Network” of KKNPP was infected with Dtrack.
Is India’s Nuclear Power Plant And Other Sensitive Infrastructure Vulnerable To Cyberattacks?
It is important to note that every nuclear plant, and even other infrastructure that’s critical to the nation, usually operate two separate networks. The internal or core network, which is also referred to as the “Operational Network” is always “air-gapped”. Simply put, the network is completely independent, and is not connected to any external devices. The servers, power and other support systems too, are cut off from the external world.
The External Network, however, is connected to the internet, and any device that’s exposed to the same always remains vulnerable to cyberattacks. There have been numerous cases wherein attackers have run sophisticated automated algorithms that continuously crawl the cyberspace looking for vulnerabilities. Moreover, state-sponsored cybercriminals have been known to deploy targeted attacks on sensitive and vulnerable targets such as nuclear enrichment and refining systems, power-plants, hydro-electric dams, and such.
Although the External and Internal Networks are two different entities, a security breach in either can be further exploited through data mining and social engineering. The Dtrack malware could be mining data on the external network, including keystrokes, and files uploaded and downloaded. Information gathered through such processes could reveal secure email addresses and passwords, login credentials, and other sensitive information that can be exploited.