North Korea identified as potential source of cyber attack on Indian nuclear plant

The attack, allegedly by North Korea, refers to a targeted campaign on the Kudankulam Nuclear Power Plant in Tamil Nadu that is now known to have intensified earlier this year. PHOTO: REUTERS

NEW DELHI - A recent sophisticated cyber attack on an Indian nuclear power plant aimed at ferreting out sensitive research and technical data could have originated in North Korea.

In a tweet sent out on Monday (Nov 4), IssueMakersLab (IML), a Seoul-based cyber-intelligence organisation, has claimed that one of the hackers involved "is using a North Korean self-branded computer produced and used only in" North Korea.

It also added that the IP address of one of the attackers was traced back to Pyongyang.

The attack refers to a targeted campaign on the Kudankulam Nuclear Power Plant in Tamil Nadu that is now known to have intensified earlier this year.

It sought to steal sensitive data from the plant by accessing the domain controller administrator's credentials.

Details of the attack, however, began emerging only last month after the specific malware used in the attack showed up on VirusTotal, an online virus scanning service.

It gained public traction as well as media attention after Indian cyber-security expert Pukhraj Singh tweeted a link to the malware on VirusTotal on Oct 28 and corroborated the attack on Kudankulam.

Mr Singh told The Straits Times that he had prior knowledge of the attack as he had been contacted on Sept 1 by an American cyber-security firm which had spotted the intrusion at Kudankulam.

He did not name the firm and said that he alerted the office of India's National Cyber Security Coordinator on Sept 3 after ascertaining the facts of the attack.

Mr Singh, who has previously worked for India's technical intelligence agency, the National Technical Research Organisation, also added that "extremely mission-critical targets" at the plant were affected.

Following these claims, the Nuclear Power Corporation of India Limited (NPCIL) denied the attack on Oct 29 but admitted it a day later, issuing a statement saying that a malware had been detected in the "NPCIL system".

According to the statement, the infected computer was part of the administrative network and "isolated" from the critical internal network.

The NPCIL also said that systems at the plant, which is India's largest, were not affected.

According to a series of tweets posted on Nov 2 by IML, the intent of the malware attack was to collect data on thorium-based nuclear power from India.

The country has the world's largest deposit of thorium and is widely acknowledged as a world leader in thorium research and development.

"North Korea has been interested in... thorium-based nuclear power, which to replace the uranium nuclear power... Since last year, North Korean hackers have continuously attempted to attack to obtain that information," IML tweeted.

The NPCIL statement did not make any reference to the kind of data that may have been stolen by the hackers.

IML also claimed that North Korean hackers had launched spear-phishing attacks on India's nuclear energy-related experts by disguising themselves as employees of India's nuclear energy organisations.

They continued their attack for about two years, it added.

The lab had also claimed in April this year that North Korea's Kimsuky Group attempted to steal information on the latest design of the Advanced Heavy Water Reactor, an Indian design for a next-generation nuclear reactor that burns thorium into the fuel core.

Cyberthreat intelligence analysts have found that the malware used for the Kudankulam campaign has a "reasonable amount of overlap" with DTrack, a tool that cyber-security company Kaspersky had in September spotted in Indian financial institutions and research centres.

A release from the firm then had said that this spyware "reportedly was created by the Lazarus group" and can be used to upload and download files to victims' systems and record key strokes, among other functions.

The Lazarus group is a cybercrime group made up of an unknown number of individuals and widely suggested to have links to North Korea.

The Indian Express newspaper also reported on Wednesday that the Indian Space Research Organisation (ISRO) too had been targeted around the same time as Kudankulam by the same malware campaign.

ISRO at that point was in the thick of its lunar mission and its Vikram lander was scheduled to land on the moon on Sept 7. The lander lost contact after making a hard landing on the lunar surface.

ISRO has not made any comment yet on these claims. The North Korean embassy in New Delhi also did not respond to a request for comment from ST.

Mr Singh said this incident should push India to develop the full spectrum of its cyber defence capabilities, including the capability to attribute attacks to specific actors, derive the intent of an attack, track threat actors over a longer period of time, and leverage multiple sources of intelligence.

"Cyber security should become the pivot of our national security strategy. The intrusions at Kudankulam weren't destructive because the actor decided against it. We were at its mercy," he added.

Join ST's Telegram channel and get the latest breaking news delivered to you.