Breach at Kudankulam NPP may have gone unnoticed for 6 months: Group-IB


Global cybersecurity company Group-IB revealed earlier this week that the hackers who breached India’s Kudankulam Nuclear Power Project (KKNPP, commonly shortened to KNPP) in Tamil Nadu last year may have remained undetected for more than six months. The finding is contained in the Singapore-based Group-IB’s latest Hi-Tech Crime Trends 2020/2021 report.

The first two units at KNPP, operated by the state-run Nuclear Power Corporation of India Ltd (NPCIL), were commissioned in 2014 and 2017, respectively, while units 3-6 are under construction, with the Russian state atomic energy corporation Rosatom as equipment supplier and technical consultant.

Group-IB, which analysed the Kudankulam breach last year in its previous Hi-Tech Crime Trends 2019/2020 report, said its analysis of an archive containing Dtrack, a remote-administration tool attributed to the North Korean hacking group Lazarus, revealed “that the logs contained data from a compromised machine running Windows that belonged to an employee of the Nuclear Power Corporation of India Ltd (NPCIL).”

Group-IB’s latest report adds that “all the files in the archive were compiled at different times, but the main file with the compromised data is dated January 30, 2019, i.e., more than six months before they were detected. This suggests that the hackers remained unnoticed in the victim’s network for a long time.” The dwell-time estimate thus rests on comparing the compile timestamp embedded in the Windows binary with the date the intrusion was noticed.
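The check behind that inference, as an added example that is not part of the article or of Group-IB’s report: read the COFF TimeDateStamp from a PE header and measure it against the detection date. The PE bytes below are constructed in the script itself (not a real Dtrack sample); the two dates, January 30, 2019 and the September 4, 2019 CERT-In notice, are taken from the article. The timestamp is written by the linker and is entirely under the attacker’s control, so the script flags zeroed or future-dated values rather than reporting them as dwell time.

```python
"""Added example: estimate intrusion dwell time from a PE compile timestamp.
Not code from Group-IB or Kaspersky; the PE header below is constructed."""
import struct
from datetime import datetime, timezone

# Dates quoted in the article: main file dated 2019-01-30, CERT-In notice 2019-09-04
MAIN_FILE_DATE = datetime(2019, 1, 30, tzinfo=timezone.utc)
CERT_IN_NOTICE = datetime(2019, 9, 4, tzinfo=timezone.utc)
EPOCH_ZERO = datetime(1970, 1, 1, tzinfo=timezone.utc)  # a zeroed/stripped timestamp


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE image as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]       # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: bad PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def dwell_estimate(data: bytes, detected: datetime) -> dict:
    """Compare compile time with the detection date.

    The linker-written timestamp can be zeroed or forged by whoever built the
    binary, so a plausible value is only a hint about minimum dwell time, not
    forensic proof; implausible values are reported as None.
    """
    compiled = pe_compile_time(data)
    plausible = compiled.timestamp() > 0 and compiled <= detected
    return {
        "compiled": compiled,
        "dwell_days": (detected - compiled).days if plausible else None,
        "plausible": plausible,
    }


def build_sample_pe(compiled: datetime) -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew=0x40, PE signature, COFF header."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack(
        "<HHIIIHH",
        0x14C,                          # Machine: IMAGE_FILE_MACHINE_I386
        1,                              # NumberOfSections
        int(compiled.timestamp()),      # TimeDateStamp
        0, 0,                           # PointerToSymbolTable, NumberOfSymbols
        0xE0,                           # SizeOfOptionalHeader (PE32)
        0x102,                          # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return dos + b"PE\0\0" + coff


if __name__ == "__main__":
    print(dwell_estimate(build_sample_pe(MAIN_FILE_DATE), CERT_IN_NOTICE))
    # A stripped timestamp is flagged instead of producing a bogus 49-year dwell time
    print(dwell_estimate(build_sample_pe(EPOCH_ZERO), CERT_IN_NOTICE))
```

For a real investigation the compile timestamp should be corroborated with host artefacts the attacker controls less directly (file-system creation times, prefetch, event logs), since a forged TimeDateStamp would push the apparent start of the intrusion in whichever direction the attacker chose.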

News of the intrusion was first made public by Pukhraj Singh, a former analyst at India’s National Technical Research Organisation (NTRO). NPCIL subsequently confirmed the breach, saying that “identification of malware in the NPCIL system is correct. The matter was conveyed by CERT-In (Computer Emergency Response Team) when it was noticed by them on September 4, 2019.”

KNPP’s unit 2 was shut down on October 19 last year, which Group-IB believes was related to the intrusion. In a statement issued at the time, NPCIL said the attack had affected only the network used for administrative purposes, which was separate from the network running the reactor control systems.

Singh, who had first broken the news of the KNPP hack, was later reported by Indian media as saying that the attack was on an administrative network and not the operational one. “I think they’re confusing the domain controller with control network. I didn’t claim the latter. The administrative (not operational) network was certainly popped,” he said.

In its latest report, Group-IB said: “The nuclear industry is turning into the number one target for state-sponsored threat actors. Unlike the previous reporting period, during which no attacks were observed, the current one was marked by attacks on nuclear energy facilities in Iran and India.”

In its earlier report for 2019-20, Group-IB had said: “In some cases, their (hackers’) attacks involved shutting down energy infrastructures or certain facilities in various countries. For example, in 2019, Lazarus attacked a nuclear organization in India, which led to the power plant’s second unit being shut down. The non-typical choice of victim indicates that rival countries may have been interested in these attacks.”

The Dtrack malware was first publicly documented in September 2019 by the Russian security vendor Kaspersky, whose report said the malware’s targets included banks and research centres in India.

“According to our telemetry, the last activity of DTrack was detected in the beginning of September 2019,” the Kaspersky report said. It also said that some of the programming and execution characteristics shared by Dtrack and a related malware called ATMDtrack, which had been found infecting ATMs in India, suggested a link with the Lazarus group. In the same month, the US Treasury Department imposed sanctions on three hacking groups it said were controlled by the North Korean state, including Lazarus.

The operating units 1 and 2 at KNPP are Russian-designed pressurised water reactors (PWRs) of the VVER-1000 type, each with a capacity of 1,000 MW, and the four units under construction are also to be fitted with VVER-1000 reactors incorporating more advanced safety features. Meanwhile, India’s Bhabha Atomic Research Centre (BARC) is developing its own computational code system and software for the Russian-made VVERs at KNPP.