Cyberattack Against KNPPP And ISRO: The Threat Comes Home – Analysis
By Observer Research Foundation
By Kartik Bommakanti
It is now evident that both the Kudankulam Nuclear Power Plant (KNPPP) and the Indian Space Research Organisation (ISRO) were the target of a cyber-attack, or it could simply have been an act of cyber espionage, that originated in North Korea. Either way, this cyber intrusion has consequences.
The malware used is DTrack, run by the North Korean hacker group Lazarus. The latter rose from relative obscurity to notoriety by hacking into Sony Pictures in late 2014 and played a key role in a series of heist-related hacks against the SWIFT payment network that banks extensively use within India and beyond.
Two questions follow. The first is the extent of the breach, and the second is what consequences this intrusion is likely to have on India’s nuclear energy programme and civilian space programme in the long-term future. As of now, the Nuclear Power Corporation of India Limited (NPCIL) has conceded that one of the computers on its administrative network was struck by the DTrack malware.
The attack can be construed in one of two ways. The first is that this cyber-attack was indeed an “attack” against high-value strategic targets, directed at a nuclear power station and the space programme; the second is that it did not per se constitute an attack, but was potentially an act of espionage. The fact that the DTrack malware only compromised one computer system used exclusively for administrative purposes implies something far less sinister than malware taking complete control of the reactor at the KNPPP facility. However, this seemingly attractive proposition is contestable. The empirical record derived from precedents does not necessarily support this claim.
For instance, the Stuxnet malware, which eventually struck the gas centrifuges of Iran’s nuclear facility at Natanz, started with a Computer Network Exploitation (CNE) attack, which, euphemistically phrased, would amount to cyber espionage and was a prelude to something larger. CNE essentially involves securing information about the target and, in the case of nuclear facilities, data about the “dimensions, functions and features” of the operating computers and the controls they have over the nuclear reactors.
Apart from surveillance, the malware is designed to ferret out information identifying vulnerabilities and strengths of the computers controlling the gas centrifuges and reactors. What followed was the employment of the malicious code Stuxnet against the Natanz facility’s gas centrifuges. Hence, the DTrack malware that struck both KNPPP and ISRO was possibly a prelude to something larger. Only time will either vindicate or discredit this proposition.
To be sure, cyber espionage tends to be more common than cyber war or acts of sabotage in the digital age. At best, even when something resembling cyber war does occur, it tends to occur at very low thresholds of attack. The target tends to be “soft”, as is the case with financial institutions such as banks, which are often subjected to information theft, hacks, defacements and other acts of sabotage.
The attacks can be directed against the computer networks on which they depend for the conduct of routine banking transactions. In addition, public sector and educational organisations suffer the same. The most common attacks are Denial of Service (DoS) attacks, which temporarily shut down the target’s internet-facing network.
In addition, there are other forms of cyber-attack that the Computer Emergency Response Team – India (CERT-I) has identified, including GTBots, whose design and characteristics are wide-ranging and can be flexibly custom-built to meet whatever the bot controller needs.
After all, the administrative network at NPCIL and the infected computer were connected to the internet. Cyber penetration into one machine might not have yielded or compromised all the data the attackers sought. CERT-I intervention may have been prompt, nipping the malign infection in the bud. Although speculative, if the penetration was more extensive, the KNPPP administrative computer grid could potentially serve as a source of information about the level of security and maintenance, enabling preparation for a future cyber-attack, if not by the Lazarus group then by other motivated adversaries of India such as China or Pakistan, or both.
Indeed, this latest attack may serve merely as a prelude to something greater. Lazarus is the cyber hacking arm of the North Korean state, which has close ties to both Beijing and Rawalpindi. To be sure, CERT-I would have identified, quarantined and disinfected the infected system, isolating it from the rest of KNPPP’s computer network.
Beyond the exact nature and scope of the DTrack malware attacks, what can we infer from these cyber-attacks against KNPPP and ISRO for their future? Are both these strategic programmes – India’s civilian nuclear energy programme and civilian space programme – staring at a dire future? Between the Indian civilian nuclear energy programme and the Indian space programme, the former is likely to face graver consequences.
The wider long-term implications of this cyber-attack on the KNPPP for the role of nuclear power in India’s energy mix are hard to determine at this stage. However, Indian public perceptions about the security and safe operation of nuclear power plants have never been sympathetic or benign, which means that the construction of new nuclear power stations that can help meet India’s growing energy requirements will suffer a setback.
After all, the Lazarus group’s DTrack cannot but reinforce negative public perceptions about nuclear energy. This conclusion may be wrong, as attacks of this kind remain rare; yet if these attacks become more persistent and recurrent, there is a risk that public perception of nuclear energy will suffer, potentially imperilling the country’s energy security and low-carbon goals – a denouement governments cutting across party lines could lament. This is a serious wake-up call for India and its nuclear administrators, cyber first responders, and the wider Indian strategic establishment.