A story has been making the rounds on the Internet since yesterday about a cyber attack on an Indian nuclear power plant.
Due to some experts commentary on social media even after lack of information about the event and overreactions by many, the incident received factually incorrect coverage widely suggesting a piece of malware has compromised “mission-critical systems” at the Kudankulam Nuclear Power Plant.
Relax! That’s not what happened. The attack merely infected a system that was not connected to any critical controls in the nuclear facility.
Here we have shared a timeline of the events with brief information on everything we know so far about the cyberattack at Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu.
From where this news came?
The story started when Indian security researcher Pukhraj Singh tweeted that he informed Indian authorities a few months ago about an information-stealing malware, dubbed Dtrack, which successfully hit “extremely mission-critical targets” at Kudankulam Nuclear Power Plant.
According to Pukhraj, the malware managed to gain domain controller-level access at the nuclear facility.
What is the Dtrack malware (linked to the North Korean hackers)?
According to a previous report published by researchers at Kaspersky, Dtrack is a remote access Trojan (RAT) intended to spy on its victims and install various malicious modules on the targeted computers, including:
- browser history stealer,
- functions that collect host IP address, information about available networks and active connections, list of all running processes, and also the list of all files on all available disk volumes.
Dtrack allows remote attackers to download files to the victim’s computer, execute malicious commands, upload data from the victim’s computer to a remote server controlled by attackers, and more.
According to the researchers, Dtrack malware was developed by the Lazarus Group, a hacking group believed to be working on behalf of North Korea’s state spy agency.
How did the Indian Government respond?
Immediately after Pukhraj’s tweet, many Twitter users and Indian opposition politicians, including Congress MP Shashi Tharoor, demanded an explanation from the Indian Government about the alleged cyberattack — which it never disclosed to the public.
In response to the initial media reports, the Nuclear Power Corporation of India (NPCIL), a government-owned entity, on Tuesday released an official statement, denying any cyber attack on the control system of the nuclear power plant.
“This is to clarify Kudankulam Nuclear Power Plant (KNPP) and other Indian Nuclear Power Plants Control are stand-alone and not connected to outside cyber network and Internet. Any cyber-attack on the Nuclear Power Plant Control System is not possible,” the NPCIL statement reads.
To be honest, the statement is factually correct, except the “not possible” part, as Pukhraj was also talking about the compromise of the administrative IT network, not the critical systems that control the power plant.
Indian Government later acknowledged the cyberattack, but…
However, while primarily addressing false media reports and rumors of Stuxnet like malware attack, the NPCIL, intentionally or unintentionally, left an important question unanswered:
If not control systems, then which systems were actually compromised?
When the absolute denial backfired, NPCIL on Wednesday released a second statement, confirming that there was indeed a cyberattack, but it was limited only to an Internet-connected computer used for administrative purposes, which is isolated from any mission-critical system at the nuclear facility.
“Identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In when it was noticed by them on September 4, 2019,” the NPCIL statement reads.
“The investigation revealed that the infected PC belonged to a user who was connected to the Internet-connected network. This is isolated from the critical internal network. The networks are being continuously monitored.”
Though North Korean hackers developed the malware, the Indian Government has not yet attributed the attack to any group or country.
What could attackers have achieved?
For security reasons, control processing technologies at nuclear power plants are typically isolated from the Internet or any other computers that are connected to the Internet or external network.
Such isolated systems are also termed as air-gapped computers and are common in production or manufacturing environments to maintain a gap between the administrative and operational networks.
Compromising an Internet-connected administrative system doesn’t allow hackers to manipulate the air-gapped control system. Still, it certainly could allow attackers to infect other computers connected to the same network and steal information stored in them.
If we think like a hacker who wants to sabotage a nuclear facility, the first step would be collecting as much information about the targeted organization as possible, including type of devices and equipment being used in the facility, to determine the next possible ways to jump through air gaps.
The Dtrack malware could be the first phase of a bigger cyber-attack that, fortunately, get spotted and raised the alarm before causing any chaos.
However, it has not yet been revealed, by researchers or the Government, that what kind of data the malware was able to steal, analysis of which could be helpful to shed more light on the gravity of the incident.
The Hacker News will update the article when more information becomes available on this incident. Stay Tuned!