India’s second (and largest) nuclear power unit stopped operating on 19th October 2019. It is suspected that the Kudankulam Nuclear Power Plant was hit by a cyberattack and the authorities were already alerted of the threat months in advance. Even as cybersecurity experts are investigating the case, the authorities were quick to dismiss any occurrence of a spyware infiltrating their systems. The power plant project built in collaboration with Russia has been a target of foreign players since its inception.
Kudankulam Nuclear Power Plant hit by Cyberattack
Nuclear Power Unit stops operating
The second 1,000 MW nuclear power unit at Kudankulam, owned by the Nuclear Power Corporation of India Ltd (NPCIL) stopped power generation on Saturday 19th October, said Power System Operation Corporation Ltd (POSOCO). The atomic power plant stopped generation about 12.30 a.m. on Saturday owing to “SG level low”, the company added. The expected date of the unit’s revival is not known. The NPCIL has two 1,000 MW nuclear power plants at Kudankulam Nuclear Power Project (KNPP) built with Russian equipment.
Official statement from Kudankulam Power Plant Project on Cyberattack
While cybersecurity experts are investigating the breach, the Kudankulam Nuclear Power Plant in Tamil Nadu has denied being the victim of a cyber attack and denied any incident of a spy virus having infected the systems at the plant. The statement asserted that since “Kudankulam Nuclear Power Plant Project (KKNPP) and other Indian Power Plants Control Systems are stand alone and not connected to outside cyber network and Internet, any cyberattack on the Nuclear Power Plant Control Systems is not possible.” This however, is a false assertion which was exposed when Israeli intelligence targeted Iranian Nuclear facility (which also was not connected to Internet) with Stuxnet.
More than a month before the unit stopped operating, the National Cyber Security Coordinator Office was notified of an intrusion of their systems by cyber threat intelligence analyst, Pukhraj Singh. The alert was generated on investigation by cybersecurity firm Kaspersky into spy tools dubbed DTrack.
Seeing KKNPP’s press release, I would like to add that I notified Lt Gen Rajesh Pant (National Cyber Security Coordinator) on Sep 4. Follow-up emails were exchanged, acknowledging the issue. I would solicit no further enquiries on the matter, requesting privacy. https://t.co/SMdABbJcvQ
— Pukhraj Singh (@RungRage) October 29, 2019
DTrack Data Collection
DTrack data dump of the power plant also revealed statically encoded login credentials among other things:
Kudankulam Nuclear Power Plant DTrack data collection
Kudankulam Nuclear Power Plant DTrack data collection
Local IP, MAC, OS install information (including registered org) via registry
Connectivity to local IP
Compspec, ipconfig, netstat info
> net use \\10.38.1.35\C$ su.controller5kk /user:KKNPP\administrator
DTrack – Spy Tool
Kaspersky Global Research and Analysis Team have discovered a previously unknown spy tool, which had been spotted in Indian financial institutions and research centers. Called Dtrack, this spyware reportedly was created by the Lazarus group and is being used to upload and download files to victims’ systems, record key strokes and conduct other actions typical of a malicious remote administration tool (RAT).
In 2018, Kaspersky researchers discovered ATMDtrack – malware created to infiltrate Indian ATMs and steal customer card data. Following further investigation using the Kaspersky Attribution Engine and other tools, the researchers found more than 180 new malware samples that had code sequence similarities with the ATMDtrack, but at the same time were not aimed at ATMs. Instead, its list of functions defined it as spy tools, now known as Dtrack. Moreover, not only did the two strains share similarities with each other, but also with the 2013 DarkSeoul campaign, which was attributed to Lazarus – an infamous advanced persistence threat actor responsible for multiple cyberespionage and cyber sabotage operations.
Dtrack can be used as a RAT, giving threat actors complete control over infected devices. Criminals can then perform different operations, such as uploading and downloading files and executing key processes.
In a breach of national security, INS Vikrant, India’s first Indigenous Aircraft Carrier (IAC) was hit by an espionage attack where a hard disk and a multi function control (MFC) processor were stolen from the ship docked at the Cochin Shipyard Ltd (CSL) https://t.co/UZNMUJmO59
— Sabena Siddiqi (@sabena_siddiqi) October 28, 2019
Entities targeted by threat actors using Dtrack RAT often have weak network security policies and password standards, while also failing to track traffic across the organization. If successfully implemented, the spyware is able to list all available files and running processes, key logging, browser history and host IP addresses, including information about available networks and active connections.
The newly discovered malware is active and based on Kaspersky telemetry, is still used in cyberattacks.
“Lazarus is a rather unusual nation state sponsored group. On one hand, as many other similar groups do, it focuses on conducting cyberespionage or sabotage operations. Yet on the other hand, it has also been found to influence attacks that are clearly aimed at stealing money. The latter is quite unique for such a high profile threat actor because generally, other actors do not have financial motivations in their operations,” said Konstantin Zykov security researcher, Kaspersky Global Research and Analysis Team.
“The vast amount of Dtrack samples we found demonstrate how Lazarus is one of the most active APT groups, constantly developing and evolving threats in a bid to affect large-scale industries. Their successful execution of Dtrack RAT proves that even when a threat seems to disappear, it can be resurrected in a different guise to attack new targets.
— GreatGameIndia (@GreatGameIndia) October 2, 2019
The Foreign Hand
In 2012, the then Prime Minister of India Manmohan Singh in a starting disclosure claimed that foreign intelligence agencies were involved in the sabotage of the Kudankulam Nuclear Power Plant Project (KNPP), a bedrock of India-Russia alliance. Manmohan Singh was referring to the anti-nuclear protests in Kudankulam, which he claimed were orchestrated by American-backed NGOs.
After repeated denials for over a year from fishermen and farmers who were opposing the protest against the KNPP that they were being funded from overseas, the police in the southern Indian town opened a case against a “suspicious money transfer” from London.
The police said T. Ambika, wife of anti-KNPP activist Kumar alias Thavasi Kumar, received around $55,000 in her account with Canara Bank’s Kudankulam Banch from a particualar Anand based in the United Kingdom. Officials from the bank let the police know about the deposit in the account. The police then started an enquiry about the money being sent from a foreign destination to one associated with the ongoing anti-KNPP struggle.
According to a secret Intelligence Bureau document in possession of GreatGameIndia the protests were spear-headed by Ohio State University funded, SP Udaykumar, and a host of Western-funded NGOs. The larger conspiracy was unraveled when a German national provided Udaykumar a scanned map of all nuclear plant and uranium mining locations in India. The map included contact details of 50 Indian anti-nuclear activists revealing an intricate Network aimed to ‘take-down’ India’s nuclear program through NGO activism.
An enquiry of Udaykumar had revealed a deep and growing connection with US and German entities. In July 2010, Udaykumar received an unsolicited contract from the Kirwan Institute for Study of Race and Ethnicity at the Ohio State University, USA as a Consultant on “Group, Race, Class and Democracy issues through NGOs”. He was paid $21,120 upto June 2011 in a US bank account in his name and was contracted to earn another $17,600 upto April 2012 for fortnightly reports. These reports were significant in the fact that they were very brief lists of three general articles or books purported to have been read in the past fortnight, none relating to anti-nuclear activism, his main interest.
As a result, Udaykumar’s contact in Germany, one Sonntag Rainer Hermann (German national) was deported from Chennai on February 27, 2012. Hermann’s laptop contained a scanned map of India with 16 nuclear plants (existing or proposed) and five uranium mine locations marked prominently. The map also included contact details of 50 Indian anti-nuclear activists hand-written on small slips of paper along with a Blackberry PIN graph. The map was sent via email to five prominent anti-nuclear activists, including Udaykumar.
Map acquired from a German spy by the Intelligence Bureau with 16 nuclear plants (existing or proposed) and five uranium mine locations marked prominently.
Sustained analysis revealed that the name slips on the map were hand-written in order to avoid possible detection by text search algorithms said to be installed at e-gateways.
Based on the above enquiry, network analysis of all anti-nuclear NGO activity in India revealed the existence of
One ‘Super Network’ (prominently driven by Greenpeace and renowned activists) and
Five ‘Territorial Networks’ based out of
Tamil Nadu (Idinthakarai, District Tirunelveli),
Andhra Pradesh (Hyderabad),
The map clearly indicated the involvement of an organized agency and/or a highly professional, well-funded entity, which expends considerable effort in masking its origins.