
Someone Just Hacked India's Most Advanced Nuclear Power Plant.

manlion (Senior Member)
Was the Kudankulam Nuclear Plant Compromised by a Malware Attack?

Was the Kudankulam Nuclear Power Plant the subject of a cyber attack earlier this year?

On Tuesday, 29 October, the power plant had to issue an official denial saying, “Any attack on the Nuclear Power Plant Control System is not possible.”

This statement was issued after a number of social media posts, including by a former officer of the National Technical Research Organisation, alleged such an attack had taken place, and that the government had been aware of this since early September.

Despite the denial, questions over this potential breach of cyber security remain, with independent reports from VirusTotal and Kaspersky appearing to verify that a form of malware known as ‘Dtrack’ was used to attack targets in India.

How Did This Incident Come to Light?

On the evening of 28 October, a link to a report on VirusTotal.com, an independent site used to verify and track cyber attacks, was posted on Twitter. The tweet surmised that a form of malware called ‘DTRACK’ had been found in VirusTotal’s assessment.


Cybersecurity firm Kaspersky had said in a press release on 23 September that they had discovered ‘Dtrack’ previously in “Indian financial institutions and research centers”.

According to them, this form of spyware “reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).”

Further details of how the malware operates, including the functions it can be used to perform on an infected system, can be found here.

The initial tweet was soon shared by cyber security expert Pukhraj Singh, a former officer of the National Technical Research Organisation – the premier government agency tasked with India’s cyber defence operations (which he had played a key role in setting up).

Singh wrote that this discovery now made public a breach he had become aware of in early September, which he had alerted the government about.


In this post, Singh revealed that there had been a “Domain controller-level access” at the plant as a result of the incident.

A domain controller is a server that provides access on request to the resources of a domain, ie, a network of computers and the data on them. The domain controller authenticates users, allows access to resources based on the credentials of the user and is responsible for the security of a particular domain.

Singh went on to note that he had not discovered the intrusion himself, but after he was informed about it by a third party, he then notified Lt General Rajesh Pant, the National Cyber Security Coordinator (NCSC). He said that the third party shared further details with the NCSC in the days that followed.

Speaking to The Quint, former NCSC Gulshan Rai explained what would have happened behind the scenes after this request was received:

“This is a very sensitive issue, one where critical infrastructure is involved. If someone has reported a malware attack to the Cyber Security Coordinator, then I am sure that they have most certainly taken this up with the Nuclear Power Corporation of India as well as the Atomic Energy Commission and the Department of Atomic Energy. The Ministry of Home Affairs will have to be notified. They will have acted upon it when it was reported.”

Singh has claimed that there was email correspondence between him and Lt General Pant acknowledging the issue. However, this is unlikely to be confirmed by the government authorities, according to Rai.

“As far as informing the reporter of the incident goes, the National Cyber Security Coordination office is under no obligation to report back, confirm or deny anything to anyone given the highly sensitive nature of the case,” he said, before clarifying that this “doesn't mean they would not have acted on it.”


Power Plant Issues Denial


Following Tharoor’s post and increasing chatter about the potential cyber attack, the Training Superintendent and Information Officer of the Kudankulam Nuclear Power Project issued a press release decrying the news as “false information” that was being propagated on social media platforms, electronic and print media.

https://www.thequint.com/news/india...udankulam-nuclear-power-plant-official-denies

Black market promoter Indian officials' design to make a lot of money, since we all know India is the only black market which sells uranium.. or some false flag operation to blame Pakistan.

Apart from the very poor physical security and safety of Indian atomic installations and reactors, we now have proof that the cyber security is not up to the task either.

Shouldn't Pakistan be raising the red flag all around the world that Indian nuclear assets are under threat, insecure, and a security risk to the region and the whole world?
The Americans should move in and take control of all of India's reactors, nuclear fissile material, its raw material and uranium stockpiles and of course the nuclear arms, to save South Asia and the world from impending disaster.

Apart from the very poor physical security and safety of Indian atomic installations and reactors, we now have proof that the cyber security is not up to the task either.

Shouldn't Pakistan be raising the red flag all around the world that Indian nuclear assets are under threat, insecure, and a security risk to the region and the whole world?
The Americans should move in and take control of all of India's reactors, nuclear fissile material, its raw material and uranium stockpiles and of course the nuclear arms, to save South Asia and the world from impending disaster.

"The Americans should move in and..."

Stop. Seriously.

Apart from the very poor physical security and safety of Indian atomic installations and reactors, we now have proof that the cyber security is not up to the task either.

Shouldn't Pakistan be raising the red flag all around the world that Indian nuclear assets are under threat, insecure, and a security risk to the region and the whole world?
The Americans should move in and take control of all of India's reactors, nuclear fissile material, its raw material and uranium stockpiles and of course the nuclear arms, to save South Asia and the world from impending disaster.

People seem to forget AQ Khan so easily. Sigh!

Power plants have a fail-safe; especially the Russian-built ones have a manual fail-safe in accordance with the Chernobyl data. There is no way anyone can control a power plant and make it go critical or even shut it down remotely. The malware the user talks about targets ATM machines to download records.
The 1000 MW plant has been facing a lot of technical issues throughout the last year; now it's shut down again. The attack on ATM machines happened in September.

He was not guilty of any wrongdoings.
Except selling Nuclear weapon designs to North Korea and Libya.

As for Indian nuclear power plants, you can go ahead and make some noise at international agencies, which will not give any fucks as the IAEA has already verified them and does constant checks on power plants. Stealing them and selling them on the black market works in Hollywood movies, not in real life.

Power plants have a fail-safe; especially the Russian-built ones have a manual fail-safe in accordance with the Chernobyl data. There is no way anyone can control a power plant and make it go critical or even shut it down remotely. The malware the user talks about targets ATM machines to download records.
The 1000 MW plant has been facing a lot of technical issues throughout the last year; now it's shut down again. The attack on ATM machines happened in September.


Except selling Nuclear weapon designs to North Korea and Libya.

As for Indian nuclear power plants, you can go ahead and make some noise at international agencies, which will not give any fucks as the IAEA has already verified them and does constant checks on power plants. Stealing them and selling them on the black market works in Hollywood movies, not in real life.

Well, at least now you admit it only happened in Hollywood movies, or perhaps in their "Bollywood" re-runs, which is also known as "copying" and stealing the ideas and work.

You seem to have your head buried somewhere between your legs.
The tweet clearly said that a "Domain Server/admin" level breach had happened. That means that someone got access to the system as "Domain Administrator". And you are falsely attributing it to ATMs.
You should understand why the world is now waking up to lies and deceit of the Indians.

FAKE NEWS

Thanks Tejas Bhai, we will never know the real news if you are not around.

People seem to forget AQ Khan so easily. Sigh!

What is the relation between AQ Khan and this news?

Vakasha Sachdev & Sushovan Sircar


Was the Kudankulam Nuclear Power Plant Hit by a Malware Attack?

Was the Kudankulam Nuclear Power Plant the subject of a cyber attack earlier this year?

On Tuesday, 29 October, the power plant had to issue an official denial stating: “Any attack on the Nuclear Power Plant Control System is not possible.”

This statement was issued after a number of social media posts, including by a former officer of the National Technical Research Organisation, alleged such an attack had taken place, and that the government had been aware of this since early September.

Despite the denial, questions over this potential breach of cybersecurity remain, with independent reports from VirusTotal and Kaspersky appearing to verify that a form of malware known as ‘Dtrack’ was used to attack targets in India.

Cybersecurity researcher Anand Venkatanarayanan described the official denial as “a non-statement”, explaining that “it neither confirms nor denies the malware attack. The initial reports did not say if the malware was found on the IT systems or the OT systems.”

Cybersecurity expert Pukhraj Singh, who had first informed the National Cyber Security Coordinator Lt Gen Rajesh Pant on 3 September, told The Quint that he had pointed out that the IT network of the power plant had been compromised, which is very different from its control systems.

“A domain controller, which authenticates and authorises resources in a centralised manner, generally sits on the administrative IT network. The Operational Technology network is generally air-gapped, as it’s most critical. I was merely pointing out that the administrative IT network seems to be compromised. It doesn’t necessarily imply the reactor’s control systems were impacted.”
Pukhraj Singh, Cybersecurity Expert

“They were, however, very specific about the malware used and the virus signatures used. It is a DTrack malware which is primarily used for data theft and spying and not a malware that causes operational disruption,” Venkatanarayanan added.

How Did This Incident Come to Light?
On the evening of 28 October, a link to a report on VirusTotal.com, an independent site used to verify and track cyber attacks, was posted on Twitter. The tweet surmised that a form of malware called ‘DTRACK’ had been found in VirusTotal’s assessment.


Cybersecurity firm Kaspersky had said in a press release on 23 September that they had discovered ‘Dtrack’ previously in “Indian financial institutions and research centers”.

According to them, this form of spyware “reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record keystrokes and conduct other actions typical of a malicious remote administration tool (RAT).”

Further details of how the malware operates, including the functions it can be used to perform on an infected system, can be found here.

The initial tweet was soon shared by Singh, a former officer of the National Technical Research Organisation – the premier government agency tasked with India’s cyber defence operations (which he had played a key role in setting up).

Singh wrote that this discovery now made public a breach he had become aware of in early September, which he had alerted the government about.


In this post, Singh revealed that there had been a “Domain controller-level access” at the plant as a result of the incident.

A domain controller is a server that provides access on request to the resources of a domain, ie, a network of computers and the data on them. The domain controller authenticates users, allows access to resources based on the credentials of the user and is responsible for the security of a particular domain.

Singh went on to note that he had not discovered the intrusion himself, but after he was informed about it by a third party, he then notified Lt General Rajesh Pant, the National Cyber Security Coordinator (NCSC). He said that the third party shared further details with the NCSC in the days that followed.


Speaking to The Quint, Pant’s predecessor as NCSC Gulshan Rai explained what would have happened behind the scenes after this request was received:


“This is a very sensitive issue, one where critical infrastructure is involved. If someone has reported a malware attack to the Cyber Security Coordinator, then I am sure that they have most certainly taken this up with the Nuclear Power Corporation of India as well as the Atomic Energy Commission and the Department of Atomic Energy. The Ministry of Home Affairs will have to be notified. They would have acted upon it when it was reported.”

Singh has claimed that there was email correspondence between him and Lt General Pant acknowledging the issue. However, this is unlikely to be confirmed by the government authorities, according to Rai.

“As far as informing the reporter of the incident goes, the National Cyber Security Coordination office is under no obligation to report back, confirm or deny anything to anyone given the highly sensitive nature of the case,” he said, before clarifying that this “doesn't mean they would not have acted on it.”

Power Plant Issues Denial
Following Tharoor’s post and increasing chatter about the potential cyber attack, the Training Superintendent and Information Officer of the Kudankulam Nuclear Power Project issued a press release decrying the news as “false information” that was being propagated on social media platforms, electronic and print media.


He clarified that the Kudankulam Nuclear Power Plant and the control systems of other Indian nuclear power plants are “standalone and not connected to outside cyber network and internet.”

Such systems are said to be ‘air-gapped’, with the idea that this prevents them from being vulnerable to attacks by malware. However, experts warn that this is no guarantee that an attack cannot be carried out – precedent exists in the Stuxnet attack on an Iranian nuclear plant in 2010.

It remains to be seen if any further clarifications are issued by the government on this incident, but this is likely to remain classified.

“All I can say is this is highly sensitive and be it NTRO or Cyber Security Coordination Centre,” says Gulshan Rai, who suggests that the government “will maintain the highest level of secrecy on this.”

Problem With The Official Denial
Venkatanarayanan pointed out that the denial does not distinguish between the IT and the OT systems and tries to paint a picture as if these two systems are one.

“This is problematic because a compromise even on the IT systems can reveal a lot including key personnel information, their schedules and other personal data,” he told The Quint.

At a time when the cyber sphere has emerged as a new domain of warfare among nations, how can an attack of this nature, that too on a nation’s critical infrastructure, be viewed?

“The compromise is also a power projection exercise. It proves to everyone that some part of the critical infrastructure can be hit even during peacetime,” he said.

“The blanket denial, in not addressing these aspects, is hence disappointing, as it shows that the authorities’ visceral response to a cyber incident is always denial. Given that it is not possible to survive cyber attacks by closing our eyes, this incident shows how unprepared the authorities are, not just on responding to these incidents but even on the messaging.”
Anand Venkatanarayanan, Cybersecurity Expert

Stuxnet & The Iran Nuclear Attack
While the blanket denial issued by the Kudankulam Nuclear Power Project described the reports as "false information", the reason provided in the statement gave way to further questions.

The official press statement said that, "KKNPP and other Indian Nuclear Power Plants Control Systems are standalone and not connected to outside cyber network and Internet."

There is, however, a famous precedent from 2010 where the standalone or air-gapped Natanz uranium enrichment facility in Iran was attacked by the Stuxnet virus.

It is important to remember that the concerns raised were about the presence of a malware that can enable theft of key data and not cause operational disruption. But the Stuxnet example proves that blanket denials are not a good idea.

Kim Zetter, who researched and extensively documented the attack on Iran’s nuclear plant, described the Stuxnet worm as the “world’s first digital weapon”. But what does that mean?

Stuxnet stands out and woke the world up to cyber attacks because it successfully managed to escape the digital realm and caused actual physical destruction on critical infrastructure of a nation – the uranium enrichment centrifuges.

The virus had managed to escape the air-gapped computers, as the attackers had designed the weapon to spread through infected USB pen drives.

The attack went undetected for over a year, till a team of officers from the International Atomic Energy Agency (IAEA) noticed a highly unusual failure rate in the centrifuges that were engaged in the enrichment process.

Eventually, despite no official figures being released by the Iranian government, it is estimated that 984 centrifuges were destroyed, which constituted a 30 percent decrease in enrichment efficiency.

Questions That Remain Unanswered
Despite official denials stating that it is “not possible” to carry out “any cyber attack”, a number of important questions and concerns remain unaddressed by the authorities.

Data Compromised?: The malware allegedly appears to have infected the IT system, which contains administrative information about an organisation’s functioning and is of non-critical nature. There is no acknowledgment on this front yet and we do not know if any administrative data has been compromised.

Official Denial Doesn’t Address The Concern: Pukhraj Singh had highlighted that the malware had domain controller access. This means that the administrative IT network seems to have been compromised. The official denial in KKNPP’s statement, however, ignored this claim and clarified that its control systems or operational technology (OT) systems were unaffected.

As Venkatanarayanan pointed out, the IT and the OT systems are separate, but the denial does not distinguish these two systems and tries to paint a picture as if they are one.

Malware Still Active: As cybersecurity companies VirusTotal and Kaspersky have pointed out, the Dtrack virus still remains an active malware. Developed by North Korea’s largest hacker group, the Lazarus Group, the ATMDtrack malware has been spotted on ATM networks of Indian banks since late summer 2018 and is designed for spying and data theft. This issue has not been acknowledged by the NCSC or NTRO.

The Quint
~~~~~~~~~~~~~~~~~~~~~~~~~~~

For the record and for future reference, screenshots regarding the same incident have been saved.


Besides the argument that Indian nuclear plants are highly risky and vulnerable to possible malware attacks as such, a bit of searching will also reveal that Indian nuclear plants have also been reported in regard to incidents of mismanagement in handling as well as totally failing occupational safety.

Interestingly, such an attack is kept under wraps and unreported, but on the other hand the possibility was then revealed as a fact when an alleged third party got attention. Dates are also important, as it was the 4th of September when critical mission data was hit and the attackers had access. It was in fact more than a SURPRISE for India, whose DM was making statements in regard to revoking the no-first-use policy while their own nuclear assets aren't safe.

Someone is trying to sell India expensive cyber surveillance solutions.
Dear India, this happens when you show your money to the world and that you are very rich. Now they will make you buy the whole system, and guess what, that way they will keep an eye on you as well.

This doesn't make sense to me. Why is the nuclear system allowed any contact with the "outside"?

I am not tech savvy, but I have heard that nuclear plant systems aren't in any way connected to external networks or the internet. So the only way for malware to be loaded would be an internal breach.

So, maybe even worse.

Edit: what are air-gapped systems?