The cybersecurity breach at the Kudankulam Nuclear Power Plant (KKNPP) may have remained undetected for more than six months, reveals a report from Singapore-based cybersecurity firm Group-IB.
Experts from Group-IB, who discovered and analysed an archive containing Dtrack, a remote-administration tool attributed to the North Korean group Lazarus, say that their analysis “revealed that the logs contained data from a compromised machine running Windows that belonged to an employee of the Nuclear Power Corporation of India Limited (NPCIL).”
The report, Hi-Tech Crime Trends 2020/2021, further reveals that “all the files in the archive were compiled at different times, but the main file with the compromised data is dated January 30, 2019, i.e. more than six months before they were detected. This suggests that the hackers remained unnoticed in the victim’s network for a long time.”
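The dwell-time inference above rests on comparing a binary's build timestamp with the date it was noticed. The following Python example, added here and not part of Group-IB's report or tooling, shows how an analyst derives that figure from a Windows executable: it reads the COFF `TimeDateStamp` field of a PE header and subtracts it from the detection date (the article gives September 4, 2019 as the date CERT-In noticed the malware). The PE bytes are constructed inline (only the fields that are parsed are populated) and the function names are hypothetical. Note the caveat built into `assess_sample`: a compile timestamp is attacker-controlled and can be forged or zeroed, so it is a supporting indicator, not proof of dwell time on its own.

```python
import struct
from datetime import datetime, timezone

# Constructed minimal PE image: 64-byte DOS header with e_lfanew pointing at
# offset 0x80, then the "PE\0\0" signature and a 20-byte COFF file header.
# Real binaries carry far more; only the fields parsed below are meaningful.
def build_fake_pe(timestamp: int) -> bytes:
    dos = bytearray(64)
    dos[0:2] = b"MZ"                                  # DOS magic
    struct.pack_into("<I", dos, 0x3C, 0x80)           # e_lfanew -> PE header
    padding = bytes(0x80 - 64)
    coff = struct.pack(
        "<HHIIIHH",
        0x14C,      # Machine: IMAGE_FILE_MACHINE_I386
        3,          # NumberOfSections
        timestamp,  # TimeDateStamp: seconds since 1970-01-01 UTC (linker-set)
        0, 0,       # PointerToSymbolTable, NumberOfSymbols
        0xE0,       # SizeOfOptionalHeader
        0x102,      # Characteristics: EXECUTABLE_IMAGE | 32BIT_MACHINE
    )
    return bytes(dos) + padding + b"PE\0\0" + coff


def pe_compile_time(data: bytes) -> datetime:
    """Return the COFF TimeDateStamp of a PE file as a UTC datetime."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image: missing MZ magic")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    # COFF header follows the signature: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    ts = struct.unpack_from("<I", data, e_lfanew + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def dwell_days(compiled: datetime, detected: datetime) -> int:
    """Whole days between build time and the date the sample was noticed."""
    return (detected - compiled).days


def assess_sample(data: bytes, detected: datetime) -> dict:
    """Summarise the dwell-time indicator and flag cases where it cannot be trusted."""
    compiled = pe_compile_time(data)
    days = dwell_days(compiled, detected)
    # A zero timestamp (1970) means the linker was told to omit it; a build date
    # after detection means the field was forged. Both make the figure unusable.
    reliable = compiled.year > 1970 and days >= 0
    return {
        "compiled_utc": compiled.isoformat(),
        "dwell_days": days,
        "over_six_months": reliable and days > 182,
        "timestamp_reliable": reliable,
    }


if __name__ == "__main__":
    build = int(datetime(2019, 1, 30, tzinfo=timezone.utc).timestamp())
    noticed = datetime(2019, 9, 4, tzinfo=timezone.utc)
    print(assess_sample(build_fake_pe(build), noticed))
```

Run stand-alone, the script reports a dwell of 217 days for a January 30, 2019 build noticed on September 4, 2019, with the timestamp marked reliable; feeding it a sample whose timestamp is zero or later than the detection date flips `timestamp_reliable` to false, which is the cue to corroborate with host artefacts (file creation times, event logs) rather than the header alone.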
News of the breach was first made public by Pukhraj Singh, a former analyst at the National Technical Research Organisation (NTRO). At that point, NPCIL admitted that “identification of malware in NPCIL system is correct. The matter was conveyed by CERT-In (Computer Emergency Response Team) when it was noticed by them on September 4, 2019.”
But this admission came only after the plant’s information officer had initially issued a press release stating that a cyberattack on the plant was not possible. Officials classified Singh’s tweets as false information, only to retract that denial within a day.