Indian nuclear power plant refutes major cyber attack rumors, says all critical systems ‘air-gapped & impossible to hack’

An Indian state nuclear power plant operator issued a carefully worded statement after reports of malware at one of the power plants’ systems snowballed into rumors of a North Korean cyber attack that allegedly crippled a reactor.

“Any cyber attack on the Nuclear Power Plant Control System is not possible,” an information officer for the Kudankulam Nuclear Power Plant (KNPP) stated on Tuesday. Both KNPP’s reactors were operating nominally, he added, emphasizing that all critical systems at KNPP and other plants are “standalone and not connected to outside cyber network and Internet.”

The official statement, however, raised further questions, as many noted it neither confirmed nor denied whether any of the secondary non-critical systems might have been compromised in the alleged breach.

Cybersecurity expert Pukhraj Singh, whose tweets had triggered the avalanche of rumors, followed up with a clarification that he only spoke of an alleged lower level “domain controller” breach, instead of one on “control systems.” A hack on the domain level might affect a public-facing email address linked to the plant, for example, but would not touch its reactors or other sensitive equipment.

The former officer of the National Technical Research Organisation, Singh, also noted that he never said anything about possible culprits, because “false flags are so goddamn easy.”

Panicked rumors and headlines spread like fire after Singh tweeted on Monday that the breach had gone “public,” stating that “extremely mission-critical targets were hit” in the intrusion, which he called a “casus belli in the Indian cyberspace.”

Indian authorities were aware of the potential breach since at least early September, according to Singh who personally filed a report after he was first alerted by a third party. He also cited a report by independent cyber attack monitor VirusTotal, which said a form of malware known as “Dtrack” – which some linked to alleged North Korean hacking outfit, the Lazarus Group – was used against several Indian targets. The report matched an earlier finding by cybersecurity firm Kaspersky, which had detected Dtrack attacking “financial institutions and research centers” in India.

While Indian officials insist no intrusion took place and that the power plant’s systems were “air-gapped” – or totally isolated from other networks – that precaution has failed to stop other high-profile cyber attacks. Stuxnet, a virus developed by Washington (likely with help from Tel Aviv), is believed to have breached air-gapped Iranian nuclear systems in 2010, possibly by way of an infected USB drive.

Since its reactors went online in 2013, the KNPP has encountered some 70 shutdowns, with one reactor temporarily halting operations in mid-October due to faults in its steam generator. While some recalled the issue and quickly linked it to the alleged hack, KNPP officials say the problem was entirely unrelated and since resolved.

Like this story? Share it with a friend!