Authorities from the Nuclear Power Corporation of India
Limited (NPCIL) have admitted that malware, believed to originate from the
Lazarus Group, infected the administrative network of the Kudankulam Nuclear
Power Plant.
Initial reports about possible problems with the
Kudankulam Nuclear Power Plant (KKNPP) surfaced a couple of days ago when a
researcher who used to work for India’s National Technical Research
Organization (NTRO) made the connection by using published results from
VirusTotal. Now, the NPCIL has admitted that intruders had access to an
administrative network.
Pukhraj Singh, the researcher who discovered the
intrusion, referred to the event as casus belli, a Latin term used to describe
an act of war. Speaking with Ars Technica, Singh explained that he called the
event an act of war because of a second target, which he also reported to the
government but didn’t want to name publicly.
“Indication of malware in the NPCIL system is
correct,” said NPCIL Associate Director A. K. Nema in a communique.
“The matter was conveyed by CERT-in when it was noticed by them on September 4,
2019. The matter was immediately investigated by DAE specialists.”
“The investigation revealed that the infected PC
belonged to a user who was connected to an Internet-connected network used for
administrative purposes. This is isolated from the critical internal network.
The networks are being continuously monitored.”
The attackers used malware called DTrack, which is a tool
commonly employed by the Lazarus Group, a North Korean state actor. The fact
that the intrusion was found accidentally could mean the hackers didn’t want to
make their presence known. It’s unclear whether any information was stolen, and
there’s no indication of what the second target might be.