Experts from Group-IB, who discovered and analysed an archive containing dtrack, a remote-administration tool attributed to North Korean group Lazarus, says that analysis “revealed that the logs contained data from a compromised machine running Windows that belonged to an employee of the Nuclear Power Corporation of India Limited (NPCIL).”
The report, Hi-Tech Crime Trends 2020/2021, further reveals that “all the files in the archive were compiled at different times, but the main file with the compromised data is dated January 30, 2019, i.e. more than six months before they were detected. This suggests that the hackers remained unnoticed in the victim’s network for a long time.”
News of the breach was first made public by Pukhraj Singh, a former analyst at the National Technical Research Organisation NTRO. At that point, NPCIL had admitted that, “identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In (Computer Emergency Response Team) when it was noticed by them on September 4, 2019.”
But this retraction came only after the plant’s information officer had initially issued a press release stating that a cyberattack was not possible at the plant. They classified Singh’s tweets as false information only to retract within a day.
The plant’s second power unit was shut on October 19 last year, an incident Group-IB believes is interlinked to the breach, something that NPCIL has denied vehemently. In its statement NPCIL had said that the attack had only affected the network used for administrative purposes, which was separate from the network handling the control systems for the nuclear reactors.
Besides the attack on KKNPP, there may have been two other cyberattacks on nuclear installations last year globally, according to the report. One being an attack on Korea Hydro & Nuclear Power, which provides as much as 30% of that country’s power supply. The attack was believed to have been perpetrated by the same North Korean group, Lazarus.
The second attack was one which, it is believed, was mounted by Israel on Iran’s largest uranium-enrichment facility in Natanz and caused a fire and explosion in early July last year.
According to Group-IB, there is increased interest in Indian nuclear technology from various nation-state actors, “because the country is developing nuclear technology and thorium-based reactors.” Thorium based rectors — whilst still being a technology that is under development — can be a game changer for a country like India, which has traditionally had to reply on other nations for satiating its fast-growing appetite for energy.
India has the largest deposits of thorium in the world, with as much as 846,000 tonne available within the country. According to the World Nuclear Association, the use of thorium as a new primary-energy source has been a tantalising prospect for many years. Extracting its latent energy value in a cost-effective manner remains a challenge, and will require considerable R&D investment.