Update (October 30, 2019 3:15 pm): In a major U-turn, the Nuclear Power Corporation of India Limited (NPCIL) confirmed in a press release (given below) that an internet connected computer at the Kundankulam Nuclear Power Plant had indeed been infected. Quint first reported this development. KKNPP had officially denied any such compromise yesterday.

Confirming MediaNama’s earlier report, it said that the malware was detected by CERT-In on September 4, 2019. The press release reiterated that the compromised computer was “isolated from the critical internal network”. Also, investigation confirmed that plant systems were not affected.

Update (October 30, 2019 10:29 am): The Computer Emergency Response Team (CERT-In) received a tip from an anti-virus company that observed “malicious activity” in the external network of KKNPP in early September, MediaNama has learnt from sources. A computer used by an employee in the finance department had been compromised. Indian Express first confirmed the breach. It is unclear at this stage how the malware got domain controller access to the system.

Subsequently, an inter-agency team, consisting of CERT and National Critical Information Infrastructure Protection Centre (NCIIPC), was sent for clean-up in mid-September. Since it is a nuclear power plant, NCIIPC was sent, but according to our sources, no critical information itself was compromised. We have also learnt that such breaches occur on a regular basis, across infrastructural networks, and CERT keeps sending teams to clean them up.

In early September, the external network at the Kundankulam Nuclear Power Plant (KKNPP) in Tamil Nadu was compromised, as per an independent cybersecurity expert. Calling it a “casus belli” (an act of war), Pukhraj Singh said that the attack, most probably carried out via malware Dtrack, allegedly gave domain controller level access at the KKNPP in Tamil Nadu. He further wrote that “extremely mission-critical targets were hit”, but didn’t give any details, despite repeated queries from MediaNama.

Singh, who has worked at UIDAI and PMO’s National Technical Research Organisation in the past, says that a third party informed him about the intrusion after which he informed the National Cyber Security Coordinator on September 3. He says that in the follow-up emails, the issue was acknowledged. Lt Gen. (Dr) Rajesh Pant, the National Cyber Security Coordinator in the National Security Council, was unavailable for comment as he is out of the country until November 5.

What is domain controller? Think of domain controller as the device that will verify the authenticity of all the other devices on the network. If that’s compromised, it can approve any device as authentic, including those of foreign agents’.

What is Dtrack? As per a Kaspersky report from September, the global cybercrime group Lazarus has created a spyware called Dtrack which had been spotted in Indian financial institutions and research centres. Dtrack can give threat actors “complete control over infected devices”. As per a lot of experts, including Singh, the malware that infected KKNPP’s external network has similar strains to Dtrack.

What did the KKNPP say about this? In a statement (given below), KKNPP denied all such claims. In a phone conversation with MediaNama, R. Ramdoss, the Training Superintendent and Information Officer at KKNPP, said that the nuclear power plant was fully secure. He explained that KKNPP, like every nuclear power plant, has at least two networks — an operational island, which deals with the actual working of the power plant, and the other network.

The operational island, as the name suggests, is not connected to any external network, including internet, and the all computers are air gapped, that is, incapable of connecting wirelessly or physically with other computers or network devices. “All data is only in the server connected to the [control] system,” Ramdoss said.

Through the other network, higher officials are given access to external internet, and that has “separate IT department” and “their servers are completely different”, as per Ramdoss. “Nothing is connected to the operating island [which controls the actual nuclear power plant],” he said.

One of the plant’s power units stopped power generation on October 19 due to low SG level. (Read about it here.) Ramdoss told MediaNama that the two power units had some problem on the “feed water side, with a valve which feeds water to the steel generator”. The temporary shutdown rectified the problem, and the two power units are now operating at 100% (1000 MW) and 60% (600 MW) capacity, respectively. The second unit is not operating at full capacity because there is a “vibration problem”, and as per manufacturer’s instructions, the operations have been restricted. As per Ramdoss, these were mechanical issues, not ones arising out of any hack or cybersecurity compromise.

Does that mean we are in the clear? The nuclear power plant itself might be safe, but the other network might have truly been compromised. In a number of conversations with cybersecurity experts, who spoke only on condition of anonymity, MediaNama learnt that any device that is connected to the internet is at risk for malware. And the internet-connected network at nuclear power plants, called airbags, are often breached. The magnitude of the problem will be determined by the nature of malware planted.

As per Singh and other experts, Dtrack is mining data on the external network, including key strokes, and files uploaded and downloaded. This can compromise the officials’ secure email addresses, authentication details, etc.

What don’t we know?

  • Is the external network at KKNPP secure or has it been compromised? We now know that it was definitely compromised and subsequently cleaned up.
  • If it has been compromised, then to what extent?
  • What kind of data is Dtrack mining from the external network, if any?
  • Why was no action taken by the National Cyber Security Coordinator if he was informed about this on September 3? As per Singh and other experts, the malware is still present.
  • What caused the valve in the second power plant to stop functioning?
  • Why does India not have a disclosure policy when it comes to cyberattacks on national infrastructure?

Update (October 30, 2019 3:15 pm): This article was updated with press release from NPCIL. The original article was published on October 29 at 4:15 pm.

Update (October 30, 2019 10:29 am): This article was updated. The original article was published on October 29 at 4:15 pm.