Security News

A look inside the hack of a nuclear reactor’s computer network

Jeff Elder, 2 November 2019

The threat analyst who alerted Indian government officials about a highly publicized threat discusses being at the center of a confusing viral news cycle

This week a report of hackers gaining access to an Indian nuclear power plant's computer network led to alarm, confusion, and denial before officials admitted the hack took place. The threat analyst who reported the issue experienced a unique vantage point in the middle of that furious cybersecurity news cycle. 

Threat analyst Pukhraj Singh (pictured) reported the breach of the domain controller at the Kudankulam Nuclear Power Plant to India's National Cyber Security Coordinator on Sept. 3, and follow-up emails were exchanged. But for nearly two months the government did not reveal the incident. When Singh disclosed the attack on Twitter on Oct. 28, the government appeared to deny it before confirming the attack a day later. 

new-mugshot-pukhrajThe hack was tied to North Korea, and is comparable to a Russian hack of American facilities disclosed last year by the U.S. government. Given the impact of state-sponsored attacks of power grids and utilities, the Indian government’s confusing response was central to a swirl of conflicting news reports and social media. In the eye of the storm was Singh, the former government cybersecurity analyst who brought the hack forward to the government and the public. (Singh emphasizes that he did not discover the intrusion, but helped threat researchers who did not wish to be named.)

“My Twitter profile is flooded,” he said, including tweets that misinterpreted the intrusion to be a hack of the nuclear reactor itself. “I have been repeatedly trying to clarify that. It’s not my job or motive to figure out if the control systems were compromised.” The Indian government has said that the plant and other Indian nuclear power plant control systems cannot be hacked because they stand alone and are not connected to outside cyber networks or the Internet.

But Singh says “extremely mission-critical targets were hit” in an attack that could have involved high-level espionage. “A domain controller authenticates and authorizes other resources and entities on the network. It’s the most privileged vantage point attackers can have. The intruders sat on it. They were onto something – probably espionage.”

Singh says he is “not in a position to talk about the government’s response. I did notify the topmost echelon of the cyber establishment.” But he does say his biggest takeaway from the entire episode is that “Communication is the key. Responsible disclosure is a win, and a strategic maneuver to turn the tables against the adversary.”

Luis Corrons, a security evangelist for Avast, said keeping nuclear reactors’ energy-production systems offline is critical. “Thank God humans are aware of their limitations and nuclear reactors are not connected to the Internet. But computer networks like this one and other industries and facilities are increasingly connected to the Internet, and public safety is involved. An example was the attacks suffered in Ukraine where portions of the population were without electricity in winter because of a cyberattack. Mr. Singh is correct: Information is the key, and government officials have a responsibility to keep citizens apprised of events as much as national security allows.” 

Learn more about how nations hack each other and how to respond to a data breach on The Avast Blog. You can find resources on national security cyberthreats and sign up for security alerts with the U.S. Cybersecurity and Infrastructure Security Agency.