The threat analyst who alerted Indian government officials about a highly publicized threat discusses being at the center of a confusing viral news cycle
This week a report of hackers gaining access to an Indian nuclear power plant's computer network led to alarm, confusion, and denial before officials admitted the hack took place. The threat analyst who reported the issue experienced a unique vantage point in the middle of that furious cybersecurity news cycle.
Threat analystPukhraj Singh (pictured) reported the breach of the domain controller at the Kudankulam Nuclear Power Plant to India's National Cyber Security Coordinator on Sept. 3, and follow-up emails were exchanged. But for nearly two months the government did not reveal the incident. When Singhdisclosed the attack on Twitter on Oct. 28, the government appeared todeny it beforeconfirming the attack a day later.
The hack was tied to North Korea, and is comparable toa Russian hack of American facilitiesdisclosed last year by the U.S. government. Given the impact of state-sponsored attacks of power grids and utilities, the Indian government’s confusing response was central to a swirl of conflicting news reports and social media. In the eye of the storm was Singh, the former government cybersecurity analyst who brought the hack forward to the government and the public. (Singh emphasizes that he did not discover the intrusion, but helped threat researchers who did not wish to be named.)
“My Twitter profile is flooded,” he said, including tweets that misinterpreted the intrusion to be a hack of the nuclear reactor itself. “I have been repeatedly trying to clarify that. It’s not my job or motive to figure out if the control systems were compromised.” The Indian government has said that the plant and other Indian nuclear power plant control systems cannot be hacked because they stand alone and are not connected to outside cyber networks or the Internet.
But Singh says “extremely mission-critical targets were hit” in an attack that could have involved high-level espionage. “A domain controller authenticates and authorizes other resources and entities on the network. It’s the most privileged vantage point attackers can have. The intruders sat on it. They were onto something – probably espionage.”
Singh says he is “not in a position to talk about the government’s response. I did notify the topmost echelon of the cyber establishment.” But he does say his biggest takeaway from the entire episode is that “Communication is the key. Responsible disclosure is a win, and a strategic maneuver to turn the tables against the adversary.”
Luis Corrons, a security evangelist for Avast, said keeping nuclear reactors’ energy-production systems offline is critical. “Thank God humans are aware of their limitations and nuclear reactors are not connected to the Internet. But computer networks like this one and other industries and facilities are increasingly connected to the Internet, and public safety is involved. An example was the attacks suffered in Ukraine where portions of the population were without electricity in winter because of a cyberattack. Mr. Singh is correct: Information is the key, and government officials have a responsibility to keep citizens apprised of events as much as national security allows.”