North Korean Malware Attack Strikes Indian Nuclear Power Plant

The attack on the power plant has opened up a new avenue for cyber warfare (Image)

On Oct. 30, the Nuclear Power Corporation of India Limited (NPCIL) issued a press release confirming a cyber attack on the Kudankulam Nuclear Power Plant (KKNPP) in Tamil Nadu, India, on Sept. 4. KKNPP officials had previously denied the attack, and one official stated “any cyber attack on the Nuclear Power Plant Control System is not possible.” 

KKNPP is a joint project between India and Russia. While located in India, the pressurized water reactors are of Russian design. Upon completion, the entire plant will have six units. Unit 1 was connected to the Indian power grid in October 2013 and Unit 2 began commercial operation in October 2016. Currently, Units 3 and 4 are under construction. The nuclear plant supplies power to the entire southern India grid.

According to ZDNet, a business-technology news website, KKNPP’s network was the victim of a malware attack created by North Korean state-sponsored hackers. The source also reports that the specificity of the malware suggests it was uniquely designed to operate and spread within the plant’s IT network.

VirusTotal, a virus-scanning website owned by Alphabet, Google’s parent company, published a report indicating that a large amount of data from KKNPP’s administrative network had been stolen. If the report is accurate, the attack would have weakened KKNPP’s network, making it more susceptible to subsequent cyberattacks.

According to the Oct. 30 press release, the attack was “isolated from the critical network” and the “investigation also confirms that the plant systems are not affected.” 

What the attack did reveal, assuming the plant systems were not affected, is that India’s cyber defense system is outdated and based on old principles, like the air gap strategy. The strategy, according to James Conca of Forbes, is the idea of physically isolating essential computers or networks from insecure ones. The “air gap” is supposed to prohibit communication between devices on opposite sides of the gap. The strategy is generally effective in protecting against unprofessional attacks, but it is useless in protecting against attacks that originate from within - on the same side of the “air gap” - which is what happened at KKNPP. The investigation hints at a phishing attack on a KKNPP employee.

CPO Magazine writes that most cyberattacks between nation-states stop short of attacks on nuclear power plants’ control systems. Doing so indicates one of the most serious escalations of cyberwarfare possible. 

Indian politicians have demanded explanations from the government about the attack. One politician stated, “The National Cyber Security Coordinator owes an explanation on the preparedness of such facilities.”

This is not the first time a large power plant has been targeted. Last year, a cyber attack on an oil refinery in Saudi Arabia was carried out with the intention of causing an explosion.
