This week it was reported that the 1000MW Kudankulam Nuclear Power Plant (KKNPP), owned by the Nuclear Power Corporation of India, had been hit by a cyber-attack. Two generators were taken offline.
The company initially denied that an attack had taken place; however, shortly afterwards, it confirmed that one of its internet-connected administrator PCs was infected with malware, adding that the machine was isolated from its critical internal network.
Security researchers identified the malware as DTrack, a tool used by North Korea’s Lazarus group. DTrack functions by harvesting information including browser history and security settings; it can carry out reconnaissance and move laterally inside a network.
Lazarus is the state-sponsored hacker group most commonly associated with the Pyongyang regime; it is also known by a variety of other names, such as HiddenCobra, GuardiansOfPeace, Unit121, LabyrinthChollima, Bureau121 and Group77. Active for a number of years, its most widely attributed attacks include the breach of Sony in 2014 when personal and business data was stolen, the theft of 81 million dollars from Bangladesh Central Bank in 2016, the compromise of Polish banks in 2016, and the Wannacry ransomware infections in 2017.
The fact that DTrack was used in this attack has led investigators to conclude that Lazarus must have been responsible for it. Kaspersky researchers have noted that DTrack has also been found infecting a wide range of Indian financial institutions and research centres. It is a strain of the ARMDtrack malware that was originally created for attacks on ATMs to steal customer card data. In addition, ATMDtrack and DTrack “share similarities” with the 2013 DarkSeoul campaign which was traced back to Lazarus.
However, despite the above, it is by no means certain that this group is responsible for targeting the nuclear plant.
Very few countries maintain a cordial relationship with North Korea, which is generally seen as a pariah in world politics. India is among the small group of nations that has chosen to foster relatively close ties and a working relationship with Pyongyang. The historical basis for this lies in the post-cold war era, when Delhi took steps to enhance its own interests in the region and increase trading links with North Korea.
It is therefore perhaps a little odd that Lazarus would jeopardise this relationship by attacking India’s nuclear industry. If it is indeed responsible, it demonstrates that North Korean hacker groups intent on gaining technological information useful to the regime are not averse to targeting ‘friendly’ nations.
Attacks on nuclear power networks present a particularly dramatic opportunity for media publicity, but this is just one recent example of hackers targeting the energy sector.
Moving away from the focus on this particular incident, it is worth mentioning just a couple of brief, unrelated examples of attacks on other energy facilities.
It was reported this week that sPower, a renewable energy provider in Utah, had not only been hit by a cyber-attack earlier this year, but also now holds the distinction of being the first solar and wind energy company to have been targeted in this way; further, it is claimed to be the “first US power grid operator that is known to have lost connection with its power generation installations as a result of a cyberattack”.
In this case, it appears the attacker took advantage of a vulnerability in an unpatched Cisco firewall: the motive for the attack was unclear, and no evidence of a breach beyond the first intrusion was found. This suggests that the hackers may not have known they were targeting the power grid.
In July, South African electrical utility, City Power, owned and operated by the City of Johannesburg, left some residents without electricity for days after being hit by a ransomware attack that encrypted all of its systems, including databases and applications. It is not known whether any ransom demands were paid; nor has the perpetrator of this attack been publicly identified. And just this week it has been reported that other systems in the city have been affected by further, similar attacks, leading to the suspicion that the same threat actor is continuing to target the networks.
The entire energy sector is particularly susceptible to cyber-attacks, carried out not only by enemy states, but also by private individuals, who may target companies for any variety of reasons, including the desire to make a fast buck by holding an organisation to ransom. When it comes to cyber-espionage, the motives will range from attempts to steal technological and classified information through to details about future corporate plans. Cyber-attacks launched by terrorists pose a different threat.
Companies operating in the energy sector are also at risk because of increased automation: fewer personnel operating the systems could lead to problems going unnoticed. In addition, budget constraints due to highs and lows in world gas and oil prices can result in organisations cutting back on investment in cyber-security measures.
Modern nation states cannot function without reliable and constant power supplies: chaos would quickly ensue if these networks were taken offline by a hostile nation state or a terrorist group. Cyber-attacks can and will happen; the goal of all energy companies should therefore be to ensure that the impact of such an attack can be dealt with as quickly as possible. To that end, all organisations should ensure they have policies and incident response plans in place, and that staff are fully trained in the implementation of emergency procedures should an attack take place.