Suspected North Korea hackers targeted Indian space agency
India’s space research agency was warned of a cyber attack in the middle of a landmark moon mission as part of a broader assault by suspected North Korean hackers, cyber security consultants with data on the incidents said.
The attack on the Indian Space Research Organisation (ISRO), whose much-hyped Chandrayaan-2 moon mission in September ended in failure, came as the country’s nuclear authority revealed last week a cyber attack at the Kudankulam nuclear plant in the southern state of Tamil Nadu.
The space research organisation was one of at least five critical government agencies, including India’s Atomic Energy Regulatory Board, to have been attacked in recent months, said Yash Kadakia, founder of Security Brigade, a Mumbai-based cyber security company.
People associated with the agencies opened phishing emails sent by the hackers, potentially unleashing malware into their systems.
ISRO confirmed that it had been warned of a cyber attack but said it had found nothing suspicious after an investigation. The Nuclear Power Corporation of India initially issued a similar denial following reports the Kudankulam plant had been hacked before clarifying that malware had entered one of its networks.
“Our systems were not compromised and our systems were not affected,” said an official at the space agency, adding that the moon mission itself had not been impacted.
The attacks will raise concern that suspected North Korean hackers are targeting the critical infrastructure of foreign countries to disrupt operations, steal technology or sell information.
Narendra Modi, India’s prime minister, has championed the country as an elite space power. But the Chandrayaan-2 mission, which was to be the first to land on the unexplored south pole of the moon, ended in failure about seven weeks after it was launched.
The ISRO official said its core systems were isolated from the attack. “We have an internal network which is 100 per cent isolated from the internet,” the official said.
Hackers have been hitting India’s atomic agencies since 2018, using phishing emails containing malware, said Simon Choi of Issuemakers Lab, a non-profit intelligence organisation based in Seoul that monitors North Korean hackers.
Mr Choi said he had data showing the emails had targeted senior members of the Indian nuclear energy industry, including Shiv Abhilash Bhardwaj, former chairman of the Atomic Energy Regulatory Board, and Anil Kakodkar, former director of the Atomic Energy Commission of India.
He added the attack on the Kudankulam nuclear power plant had also employed phishing emails.
Mr Bhardwaj was not immediately available for comment. Mr Kakodkar said he had only “read this from newspapers and I have no further information”.
Mr Choi said: “A group known as DarkSeoul or Operation Troy, which hacked South Korea’s defence ministry and banks, actually penetrated into the nuclear power plant after another group known as Kimsuky did some surveillance and gathered information.
“The latest hacking events in India show that North Korea’s attention has shifted to key infrastructure facilities of other countries, and it shows that it can successfully penetrate them.”
But cyber security experts cautioned that attributing an attack to a particular actor can be fraught. One Asia-based cyber analyst who had reviewed the attack but did not want to be named said that while it was “unlikely”, the techniques used by the hackers could have been used by another actor to apportion blame to North Korea.
Mr Kadakia of Security Brigade said he had compiled a list of 13 recipients of phishing emails spanning at least five government agencies, including ISRO, after reviewing data from the server compromised by the hackers. Some of the phishing emails were sent to private Gmail accounts.
While Mr Kadakia said he could verify that the officials were targeted and that they had opened the links, potentially unleashing malware, he could not confirm whether a virus had infected other computers in the agencies.
“This is not really rocket science, it wasn’t really anything cutting edge, it was a phishing email, an unpatched browser and a lack of monitoring,” said Mr Kadakia. “They clicked the links and opened the malware.”
Sohn Young-dong, a defence expert at Hanyang University in Seoul, said Pyongyang might be using the attacks to seek nuclear technology to help overcome its own energy crisis. Equally, it could be aiming to “sell such information to countries like Iran”.
The US government’s Congressional Research Service has detailed that a 2014 attack on South Korea’s nuclear plant operator — attributed to North Korea by officials in Seoul — resulted in designs and manuals being published and that the “hackers intended to cause a malfunction at atomic reactors, but failed to break into their control system”.