How India’s Kudankulam Nuclear Power Plant (KNPP) got hacked
How a nuclear plant got hacked
Plugging nuclear plants into the internet makes them vulnerable targets for nation-state attack.
By J.M. Porup, Senior Writer, CSO, December 9, 2019
If you think attacking civilian infrastructure is a war crime, you’d be right, but spies from countries around the world are fighting a silent, dirty war to pre-position themselves on civilian infrastructure — like energy-producing civilian nuclear plants — to be able to commit sabotage during a moment of geopolitical tension. What follows is an explanation of how India’s Kudankulam Nuclear Power Plant (KNPP) got hacked — and how it could have been easily avoided.
The KNPP hack
The news came to light, as it so often does these days, on Twitter. Pukhraj Singh (@RungRage), a “noted cyber intelligence specialist” who was “instrumental in setting up of the cyber-warfare operations centre of the National Technical Research Organisation (NTRO),” according to The New Indian Express, tweeted: “So, it’s public now. Domain controller-level access Kudankulam Nuclear Power Plant. The government was notified way back. Extremely mission-critical targets were hit,” noting in a quote tweet that he was aware of the attack as early as September 7, 2019, calling it a “causus belli” (an attack sufficiently grave to provoke a war).
In a later tweet, Singh clarified that he did not discover the malware himself. A third party “contacted me & I notified National Cyber Security Coordinator on Sep 4 (date is crucial). The 3rd party then shared the IoCs with the NCSC’s office over the proceeding days. Kaspersky reported it later, called it DTrack.”
At first the Nuclear Power Plant Corporation of India (NPCI) denied it. In a press release they decried “false information” on social media and insisted the KNPP nuclear power plant is “stand alone and not connected to outside cyber network and internet” and that “any cyber attack on the Nuclear Power Plant Control System is not possible.”
Then they backtracked. On October 30, the NPCI confirmed that malware was in fact discovered on their systems, and that CERT-India first noticed the attack on September 4, 2019. In their statement, they claimed the infected PC was connected to the administrative network, which they say is “isolated from the critical internal network.”
“Investigation also confirms that the plant systems are not affected,” their statement concludes.
A targeted attack
Contrary to some initial reporting, the malware appears to have been targeted specifically at the KNPP facility, according to researchers at CyberBit. Reverse-engineering of the malware sample revealed hard-coded administrator credentials for KNPP’s networks (username: /user:KKNPP\\administrator password: su.controller5kk) as well as RFC 1918 IP addresses (172.22.22.156, 10.2.114.1, 172.22.22.5, 10.2.4.1, 10.38.1.35), which are by definition not internet-routable.
That means it is highly likely the attacker previously broke into KNPP networks, scanned for NAT’ed devices, stole admin credentials, and then incorporated those details into this new malware, a second-stage payload designed for deeper and more thorough reconnaissance of KNPP’s networks.
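An added example, not part of the original article or of CyberBit's analysis: a triage pass over strings extracted from a sample that flags the two indicator types described above, RFC 1918 addresses and hard-coded `/user:DOMAIN\account` logons, and marks the sample as targeted when an account belongs to your own domain. The function name, the `own_domains` parameter and the sample lines are assumptions made for illustration; only the addresses and the account name come from the article.

```python
import ipaddress
import re

# RFC 1918 private ranges: not routable on the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# "/user:DOMAIN\account" as it appears in Windows command lines such as "net use".
USER_RE = re.compile(r"/user:([A-Za-z0-9_.-]+)\\+([A-Za-z0-9_.$-]+)", re.IGNORECASE)


def triage_strings(lines, own_domains=()):
    """Return internal-only indicators found in strings extracted from a sample."""
    private_ips, accounts = set(), set()
    for line in lines:
        for candidate in IPV4_RE.findall(line):
            try:
                addr = ipaddress.ip_address(candidate)
            except ValueError:  # e.g. 999.1.1.1: looks like an IP, is not one
                continue
            if any(addr in net for net in RFC1918):
                private_ips.add(str(addr))
        for domain, user in USER_RE.findall(line):
            accounts.add((domain.upper(), user.lower()))
    own = {d.upper() for d in own_domains}
    matched = sorted(a for a in accounts if a[0] in own)
    return {
        "private_ips": sorted(private_ips, key=ipaddress.ip_address),
        "domain_accounts": sorted(accounts),
        # A hard-coded account from our own domain means the sample was built for us.
        "targeted": bool(matched),
    }


# Constructed sample lines; only the addresses and the account name come from the article.
SAMPLE = [
    r"net use \\10.2.114.1\C$ <password> /user:KKNPP\\administrator",
    "ping -n 1 172.22.22.156",
    "connect 8.8.8.8:443",
    "version 1.2.3.4567 build 999.1.1.1",
]

if __name__ == "__main__":
    print(triage_strings(SAMPLE, own_domains=["KKNPP"]))
```

Private addresses alone are weak evidence, since many samples carry generic ones such as a default gateway; it is the combination with an account from the victim's own domain that points to prior access.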
“This was a very targeted attack on just this plant,” Hod Gavriel, a malware analyst at CyberBit, tells CSO. “Probably this was the second stage of an attack.”
The malware discovered, however, did not include Stuxnet-like functionality to destroy any of KNPP’s systems. “This phase was only for collection of information, it wasn’t sabotageware,” Gavriel says. …..
https://www.csoonline.com/article/3488816/how-a-nuclear-plant-got-hacked.html