Malware detected at the Kundankulam nuclear power plant in India's state of Tamil Nadu has not affected plant systems, an investigation by Nuclear Power Corp. of India (NPCIL), the nation's nuclear plant operator, confirms.
The entity said in a press release on Oct. 30 that it discovered the malware on Sept. 4 on the personal computer of a user that was connected to an administrative network via the internet. "This is isolated from the critical internal network," NPCIL said. "The networks are being continuously monitored.
ZDNet, an IT-centered news website owned by CNET Networks, reported that speculation about the incident first emerged on Twitter, when Pukhraj Singh, a former security analyst for India's National Technical Research Organization (NTRO), suggested the malware, VirusTotal, was linked to a malware infection at the 1,834-MW nuclear plant, though he later acknowledged he did not know whether the plant's operational technology (OT) systems were compromised. Security researchers have since identified the malware as a version of Dtrack, a "backdoor trojan developed by Lazarus Group, North Korea's elite hacking unit."
So, it's public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit. https://t.co/rFaTeOsZrw pic.twitter.com/OMVvMwizSi
— Pukhraj Singh (@RungRage) October 28, 2019
According to the Times of India, NPCIL issued the press release in response to the viral tweet that alleged the cyberattack had compromised the nuclear plant's domain controller-level access. But plant information officer R. Ramdoss in a press release on Oct. 29 called that information "false," noting that the plant has isolated control systems–a feature in all nuclear plants–which made cyberattacks on the control system "impossible."
Kundankulam has two 917-MW VVER V-412 reactors that were designed and engineered by Russia's state-owned nuclear firm Atomstroyexport, The first, completed in December 2014, was a POWER Top Plant. NPCIL brought the second online in March 2017. Units 3 and 4 are now under construction under an agreement with Russia, and Units 5 and 6 are in planning. Ramdoss noted that Units 1 and 2 were operating "at 1,000 MWe and 600 MWe respectively without any operational or safety concerns."
Security firms like Kaspersky note that Dtrack malware rarely targets the energy and industrial sector, and previous samples have been discovered in politically motivated cyber-espionage operations and in attacks on banks.
But as Andrea Carcano, co-founder and chief product officer at industrial cybersecurity firm Nozomi Networks told POWER, there is a reason the Indian incident is worrying: "Dtrack malware may usually be used for reconnaissance purposes but the information gathered from infected industrial and critical infrastructure plants could be used for other malicious purposes," he said.
"It is imperative that critical infrastructure organizations put plans in place to prevent malicious attacks, and the cybersecurity community comes together to share expertise and knowledge on identifying and providing solutions to cybersecurity challenges," Carcano added. "Applying artificial intelligence and machine learning detection and response enables organizations to monitor for malware and rapidly respond to remove malicious code."
For Barak Perelman, CEO of Indegy, another industrial cyber security expert, another concerning detail is that the vulnerability window "was too long." The exploit, discovered on Sept. 4, wasn't made public until earlier this week. "The initial denial means that either there was a serious lack of situational awareness or they were working to hide this incident from public knowledge. Lastly, once there was an admission of the infection, scoping the problem and appropriate response was not clear," he told POWER. "This event underscores the importance of having the right industrial threat detection, asset tracking and risk mitigation systems in place, which has long been the security posture for IT operations. Yet, we have not applied it to critical infrastructure operations."
Perelman stressed the importance of an audit trail that could help prevent similar incidents at other facilities. "Since individuals tend to cover their tracks when they make mistakes, having a reliable audit trail that can't be tampered with is critical. Finally, when a threat is detected, an audit trail can significantly reduce incident response times to mitigate or contain an infection," he said.
Dave Weinstein, chief security officer at operational technology (OT) network protection firm Claroty–who was recently a guest on the POWER Podcast–also told POWER the incident was noteworthy. "In some respects, it's reassuring that the attackers did not reach the plant's control systems, but it's a stark reminder that safety and cybersecurity go hand-in-hand these days. Organizations can no longer rely on the so-called ‘air gap' to secure their control systems; they must perform continuous security monitoring," he said.
–Sonal Patel is a POWER senior associate editor (@sonalcpatel, @POWERmagazine)