A malware attack on India’s largest nuclear power plant appears to have been perpetrated by a North Korean state-sponsored hacking group. The attackers did not gain access to the plant controls, but did have access to the network used for administrative functions and may have exfiltrated sensitive information from it.
The malware was found on Kudankulam Nuclear Power Plant (KKNPP) systems on September 4, 2019, but the Nuclear Power Corporation of India Limited (NPCIL) did not publicly acknowledge it until nearly the end of October. “Identification of malware in NPCIL system is correct,” said A.K. Nema, Associate Director and Appellate Authority, in a public statement. India’s Department of Atomic Energy (DAE) is the body responsible for investigating the incident.
The acknowledgement came a day after Pukhraj Singh, a security researcher and former analyst for the Indian government, publicly tied a reported malware sample to the plant. His report prompted the NPCIL to state that the plant’s control systems were not affected because they are isolated from the administrative network, and so out of reach of an intruder entering from that side. The agency also stated that its networks are continuously monitored for unauthorized activity.
Located at the southern tip of India, the KKNPP has been an ongoing source of controversy in the area since it was brought online in 2013. Most of this is due to concerns over the ability to safely evacuate the area if a Fukushima-like accident should occur. The plant has had 70 shutdowns since it was activated, including one that took place shortly before the malware attack occurred, but has plans in place to expand from two to six reactors in the near future.
The KKNPP malware attack
The Department of Atomic Energy’s investigation found that the infection originated from a user’s machine on the administrative network, which makes a phishing email to an employee the most likely initial vector.
Singh went further and called the incident an “act of war.” In an interview with Ars Technica, he explained that he chose that phrase because a similar intrusion had hit a second target that was never disclosed to the public. The sample also carried hardcoded credentials for the power plant’s internal network, which means it was built for this specific environment after prior reconnaissance rather than sprayed opportunistically.
The North Korean advanced persistent threat (APT) group “Lazarus” is suspected based on the malware used. Dtrack is a Lazarus espionage and data-exfiltration tool, most commonly deployed against financial and industrial research targets. Kaspersky’s September 2019 write-up of Dtrack also described its earlier relative, ATMDtrack, which was found in 2018 planted on ATMs in India to read and store the data of inserted cards.
It is standard practice for nuclear power plants to “air gap” their control systems, keeping the administrative systems that most employees use isolated from the reactor controls. The gap only holds, however, as long as nothing bridges it: removable media, an engineering laptop carried between zones, or a firewall exception that was meant to be temporary. Security researchers believe this intrusion was an attempt to collect data useful for a later attack on the control system itself, or to establish a persistent foothold from which such information could be gathered over time.
Dtrack’s collection features fit that reading: it can log keystrokes, gather the host’s IP addresses and active network connections, list running processes and the files on every available volume, and retrieve browser history, writing the results to files for later exfiltration.
Nuclear power plant vulnerabilities
ZDNet’s coverage of the incident suggested that the infection of the nuclear power plant may have been a mistake or a simple test of capability. Lazarus has no established history of sabotage; the group focuses primarily on financial gain, theft of intellectual property and tracking North Korean dissidents and refugees abroad. The intrusion may have branched off from the group’s ongoing campaign against banks and other financial targets in India.
An attack on the control systems of a nuclear power plant is considered one of the most serious cyber escalations possible between nation-states, and one that state-sponsored groups usually stop short of. Incursions into nuclear facilities are usually for scouting and for stealing technical information; the Nuclear Threat Initiative documented 11 malicious incidents of this kind in a 2016 report.
The first (and still most consequential) malware attack on a nuclear facility was Stuxnet, discovered in 2010 at Iran’s Natanz uranium enrichment plant and widely attributed to the United States and Israel. It proved that, with enough reconnaissance of the administrative side of a site, attackers can craft a way across the air gap and reach the controls directly; Stuxnet did so by riding infected USB media and contractor machines into the plant. It destroyed roughly 1,000 centrifuges by repeatedly driving their rotors far above and then below normal operating speed, stressing the rotor assemblies until they failed, all while reporting normal readings to the operators.
In late 2017, a then-unidentified group compromised a petrochemical plant in Saudi Arabia using a malware framework called Triton (also known as Trisis). It targeted the Schneider Electric Triconex safety instrumented system controllers, a product line also used in nuclear plants; the tampering triggered a safety fault that tripped the plant into a failsafe state and forced a shutdown. Security researchers found traces of the same group at a second, unnamed industrial site in early 2019.
The most dangerous possible consequence of a cyber attack on a nuclear power plant is a core meltdown, which could spread radiation for miles and render the surrounding land uninhabitable for decades. Short of that, an attack could simply take the plant offline and cut power to millions of people for an extended period.
The district in which India’s largest nuclear power plant is located is home to over three million people, with one million of those living within 30 kilometers of the plant. Activists have raised concerns about the ability of the government to evacuate these residents safely in the event of an incident, given that the area is composed of many rural villages and there are no airports in the district.