By Sankar Ray :
The hackers, obviously keen on eliciting information about the plant including technical information pertaining to the design of the facility, might inflict major damage to some nuclear installation. THE October 2019 cyber attack on a computer system at the Kudankulam Nuclear Power Plant that has two Russian Pressurised Water Reactors at Kudankulam in Tirunelvelli district, Tamil Nadu, by Dtrack virus paved ‘new pathways to severe accidents that can result in widespread radioactive fallout. Attempts to lower this risk would further increase the cost of nuclear power’, according to M. V. Ramana, Professor and Simons Chair in Disarmament, Global and Human Security and director, Liu Institute for Global Issues, School of Public Policy and Global Affairs, University of British Columbia and Lauren J. Borja, postdoctoral research fellow MacArthur Nuclear Security Fellow at the Centre for International Security and Cooperation, University of Stanford, USA.
The two nuclear reactors were connected to the electric grid in October 2013 and August 2016 and hence the danger of collapse and destruction of a large segment of national power transmission and distribution network looms large. It was disclosed by Pukhraj Singh, a former security analyst for India’s National Technical Research Organisation spotting a VirusTotal upload, linked to a malware infection at the KKNPP. The matter is “public now.
Domain controller-level access at Kudankulam Nuclear Power Plant. The Government was notified way back. Extremely mission-critical targets were hit. Earlier in the first week of September last year, he tweeted sensing a casus belli (an act or situation that provokes or justifies a war) in the Indian cyberspace that ‘sucks at every level’.
The malware, a version of Dtrack virus, is a backdoor trojan developed by the Lazarus Group, an elite hacking unit, based in North Korea, allowed to function by the North Korean Government. KKNPP authorities initially pooh-poohed Singh’s tweet and with nod a priori from its parent company, Nuclear Power Corporation of India Limited released a statement forthwith denying that sensitive systems were compromised. ‘Any cyber attack on the Nuclear Power Plant Control System is not possible’, they wrote and got it published in the major national dailies but KNPP had to eat its words on the same day to confirm the cyber attack. The Dtrack virus is not new to India as it invaded the banking and financial sectors but never targeted power plants.
The NPCIL confirmed that the “Identification of malware in NPCIL system is correct,” but tried to cover up saying that the malware infected its administrative network only, but was at bay from the critical internal network and also that the two networks were isolated. Borja joined Ramana to question NPCIL’s argument. Borja’s research covers cyber insider threat to the US nuclear arsenal and goes into the effect of new technology on nuclear security issues and constructed an ultrafast laser apparatus for studying fundamental interactions inside semiconductor materials with unprecedented resolution while doing her Ph.D. at the University of Berkeley.
Ramana, whose stature as a scientist is globally recognised in the same scholastic area, warned against complacency of combating cyber threat earlier too, stating that the malware was more sophisticated than initially thought as also potentially targeted at retrieving information specifically from KKNPP. Lazarus has antecedents of attacking power plants of different countries including South Korea, including “the infamous WannaCry and Sony Breach”. Kaspersky (anti-virus makers) points out ‘connected activity from Lazarus to IP addresses in North Korea. Interestingly, the cyber security firm acknowledges that this may be a ‘false flag’ operation intended to obfuscate the cyber criminal’s true location,” but this too is very doubtful. The targeted nature of the malware version, detected on KKNPP computers suggests there ‘might actually be a second version of the virus, created from information gathered during an initial infection.
By coding in information specific to KNPP networks, hackers might have tried to make the second round of malware more lethal. There is precedent for hackers using a persistent presence on a network to successively unleash more complex and devastating attacks: one example was the devastating cyber attacks in 2015 and 2016 on Ukraine power grid, pointed out Ramana and Borja. The hackers, obviously keen on eliciting information about the plant including technical information pertaining to the design of the facility, might inflict major damage to some nuclear installation.
The case of the Stuxnet attack, launched by US and Israeli Intelligence services to attempt to sabotage Iran’s uranium enrichment programme, is fresh in mind. The possibility of espionage component, although the most expensive aspect of the entire operation, cannot be ruled out. German control system security consultant Ralph Langner deserves praise for deciphering the Stuxnet attack whose development cost was roughly estimated at “around ten million dollars”. Dtrack virus, aimed at gathering information, might be less costly. But quantitative and financial assay is still nebulous.
Rebecca Slayton in a paper, What Is the Cyber Offence-Defence Balance? Conceptions, Causes, and Assessment, published in the MIT- journal International Security mentioned differences among scholars on threat to cyberspace. “Sweeping claims about the offence-defence balance in cyberspace are misguided because the balance can be assessed only with respect to specific organisational skills and technologies. The balance is defined in dyadic terms, that is, the value less the costs of offensive operations and the value less the costs of defensive operations. The costs of cyber operations are shaped primarily by the organisational skills needed to create and manage complex information technology efficiently”, she inferred. (IPA)