India Nuclear Energy Co., Ltd. (NPCIL) confirmed that there is malware in the management network of the Kudankulam nuclear power plant. According to Ars Technica, the malware is believed to be the Lazarus cybercrime group. The researcher said the attacker used malware to try to gain domain-level access to the nuclear power plant, and the attacker successfully accessed some of the critical facilities.
In a press release today, NPCIL Associate Director A. K. Nema stated, “Identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In [India’s national computer emergency response team] when it was noticed by them on September 4, 2019.”
“The matter was immediately investigated by [India Department of Atomic Energy] specialists,” Nema stated in the release. “The investigation revealed that the infected PC belonged to a user who was connected to the Internet connected network used for administrative purposes. This is isolated from the critical internal network. The networks are being continuously monitored.”
After the researchers disclosed the news, there were also a lot of rumors on the Internet. For example, the rumors linked the nuclear power plant and the earthquake virus that was encountered in the Iranian nuclear facility in the early years. Obviously this is only a nuclear power plant and not a place for the manufacture of nuclear weapons raw materials. Moreover, the seismogenic virus used to attack Iran’s nuclear facilities has long disappeared for many years. After causing panic, India officially issued a statement acknowledging the penetration of external attackers, which was infiltrated by servers used to manage internal computers connected to the Internet. These servers primarily control the network access of some of the internal computers, and the impact of these servers on the critical facilities of the nuclear power plant is relatively low.
According to the information disclosed by the Indian government, the current attack is mainly in the initial stage, and the attacker needs to infiltrate the internal network to collect the deployment situation and internal information of the facility. Kaspersky’s previous report showed that the same malware mainly installed keyloggers, stealing browsing records, collecting network activity and disk files. Attackers can remotely issue commands to allow malware to perform more malicious operations, and the malware is said to have been developed by the notorious Lazarus Group. Lazarus Group’s well-known attacks in recent years include WannaCry ransomware, the National Bank of Bangladesh’s theft and attacks on Sony Pictures. The attack on the Indian nuclear power plant is not clear about the specific purpose. Fortunately, it was discovered at the beginning of the attack.