Has Kudankulam nuclear plant come under cyber attack?

Officials and experts denied that the system was hacked. However, they did not rule out the possibility.
Kudankulam Nuclear Power Plant (Photo | PTI)

CHENNAI: Social media was abuzz on Tuesday with an alleged cyber attack on the Kudankulam Nuclear Power Plant (KKNPP), including claims of a "domain controller-level access" breach. However, the plant authorities quickly issued an official denial, saying, "Any attack on the Nuclear Power Plant Control System is not possible."

The allegation was fuelled by noted cyber intelligence specialist Pukhraj Singh, who was instrumental in setting up the cyber-warfare operations centre of the National Technical Research Organisation (NTRO), which gathers technical intelligence for the Indian Government.

It all started on the evening of October 28, when a link was posted on Twitter to a VirusTotal.com report on a data dump. VirusTotal is a public service that scans uploaded files against dozens of antivirus engines and publishes the results. The uploaded sample contained the user name "KKNPPadministrator", which experts claimed referred to the computer systems of the nuclear power plant. The tweet surmised, from VirusTotal's assessment, that the sample was a form of malware called 'Dtrack'. Incidentally, cybersecurity firm Kaspersky had said in a press release on September 23 that it had previously discovered 'Dtrack' in "Indian financial institutions and research centers".

In his post, Pukhraj Singh claimed: "So, it's public now. Domain controller-level access at Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit." In another tweet, Singh said he did not discover the intrusion. "A 3rd party did. It contacted me and I notified National Cyber Security Coordinator (NCSC) on September 3." Singh went on to claim there was email correspondence between him and Lt General Rajesh Pant, NCSC, acknowledging the issue.

Express could not reach Rajesh Pant for comment as he was reportedly out of the country, and cannot confirm Singh's claims. Former NCSC Gulshan Rai told Express, "If someone has reported a malware attack to the NCSC, then I am sure they would have acted upon it. My argument is that in the last two months, nothing has been reported from the people who are flagging this issue now." However, Rai said nothing can be ruled out.

On October 19, the second 1,000 MW nuclear power unit at Kudankulam stopped power generation owing to "SG level low" (a low steam generator water level). Some Twitter users attributed it to the alleged cyber attack, which KKNPP officials categorically refuted. Authorities said the brief shutdown was due to mechanical issues.

R Ramdoss, the Training Superintendent and Information Officer at KKNPP, termed the alleged cyber attack as 'false information'. "This is to clarify KKNPP and other Indian Nuclear Power Plants control systems are stand alone and not connected to outside cyber network and internet. Any cyber attack on the Nuclear Power Plant Control System is not possible. Presently, KKNPP Unit-1&2 are operating at 1000 MW and 600 MW respectively without any operational or safety concerns," he said in the press release.

Speaking in general, noted cybersecurity expert GS Madhusudan said: "High security air-gapped systems are generally isolated from outside world and hence there is no possibility of a virus infecting an air-gapped system via external network. Also, in high security embedded systems, commercial grade operating systems like Windows are not typically used but rather highly specialised secured operating systems are preferred."

But Abhijit Iyer Mitra, Senior Fellow at the Nuclear Security Programme of the Institute of Peace and Conflict Studies, an independent think tank on South Asian and Indian security issues, told Express there was a precedent: the standalone, air-gapped Natanz uranium enrichment facility in Iran was attacked by the Stuxnet worm, which was discovered in 2010.

"The KNPP denial only raises more questions than it answers. The data dump is clearly from KNPP and shows both that Windows was used as the operating system and that the existence of a stub.exe file shows it was subject to a cyber attack, because the stub is essentially the Trojan horse - it acts as a virus incubator that enables it to hide and regenerate. Dtrack is a derivative of the virus used by the North Korean Lazarus group to attack Sony in 2015. It is essentially ransomware. The only explanation for the data dump is that either the KNPP authorities refused to cooperate, or the other possibility is that this data dump is a carefully fabricated hoax. The question is, if it is the latter, then to what end?"

In 2016, the then Director General of International Atomic Energy Agency (IAEA) Yukiya Amano said: "This is not an imaginary risk. This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously."

The New Indian Express
www.newindianexpress.com