Cyber Attack on Indian Nuclear Power Plant – Explained

The Cyber Blog IndiaCyber Security

India is a developing country. It is a well-accepted fact that a developing country requires energy to move towards being a developed country. But in the race to become a superpower, what if the security of one of the most critical and crucial assets of the nation is compromised?

On 4th September 2019, a malware attack on the Kadankulam Nuclear Power Plant (KKNPP) was detected by CERT-In (Indian Computer Emergency Response Team). KKNPP is India’s largest nuclear power plant. The power plant has two Russian pressurized water reactors which have a large capacity of 1000 megawatts each. KKNPP has also planned to install four more nuclear reactors units, which would result in the most significant collaboration between Russia and India in the nuclear energy sector.

What had happened?

Though the operational systems and the administrative systems of the KKNPP are separate, it was found that one PC, connected to the internet-connected network, was infected. This PC belonged to a user, and it was used for administrative purposes. As per the statement issued by the Nuclear Power Corporation of India Limited (NPCIL), this network is isolated from the critical internal network.

Before the acceptance of this attack by AK Nema, Associate Director at NCPIL, R Ramdoss, Training Superintendent and Information Officer at KKNPP issued a statement that categorically denied any instance of cyber attacks on the nuclear power plant.

It has been reported that the information about the cyber attack on the KKNPP network was shared by a certain security researcher called Pukhraj Singh, who is said to have been notified by an undisclosed party. Accordingly, the attack was reported to India’s National Cyber Security Coordinator, Lt. Gen. (Retd.) Rajesh Pant on September 03, 2019, and subsequently, CERT-In confirmed a day later.

During the investigation, the indicator of compromise (IoC) was found to be a Dtrack malware, which has been recently affecting enterprise networks and ATMs. It is believed that this malware has been created by a group called Lazarus with links to North Korea.

Why is there a security threat?

When cyber attacks on nuclear power plants are discussed, the Stuxnet attack causing substantial damage to Iran’s nuclear power program is a prime example of the consequences of a successful cyber attack. Nuclear power plants of a country are a part of its critical infrastructure, and if an attacker with malicious intent is able to break into computer networks, the results can be indeed disastrous.

Who is responsible for this?

IML (Issue Makers Lab), which is a non-profit intelligence organization in South Korea, has shared evidence of the cyber attack online and has claimed that the attack was initiated from North Korea. They further added that they have been monitoring the Lazarus group since 2008. North Korea has been interested in thorium-based nuclear power in which India is a leader. As of now, North Korea is using uranium-based nuclear power, and there are theories that they want to replace it with thorium-based nuclear power.

IML claims that earlier, the North Korean hackers have targeted several top Indian scientists through “malware-laced” emails, such as former Atomic Energy Commission chairman, ex-BARC director, etc. through which the hackers can contact anyone in India’s nuclear energy sector with a trusted relationship. This Korean intelligence group has been revealing about the North Korean hackers through Twitter since October 31.


Co-authored by Sammed Akiwate and Raj Pagariya.