After the Government of India admitted that a cyber-attack on the administrative block of Tamil Nadu's Kudankulam nuclear plant had affected its external systems, do we have a new state or non-state enemy? Though no group has claimed responsibility for the attack, which took place in September 2019, the speculation and available cues point towards the Lazarus Group, based out of North Korea.
Who is the Lazarus Group? The Lazarus Group was once termed 'the armed robbers of the Internet'. The organisation traces its origin to North Korea in 2009, against the background of North Korea's vision of conquering the world through cyber weaponry. The North Korean 'Electronic Warfare Reference Guide', published by the Korean People's Army's Military Publishing House in 2005, quotes Kim Jong-il, the former North Korean leader: 'If the Internet is like a gun, cyber-attacks are like atomic bombs'; 'modern war is decided by one's conduct of electronic warfare'; and thus 'cyber units are my detached force and backup power.' Kim Jong-un's interest in cyber warfare predated the start of his regime. He perceived the advantage of having a networked military after observing the 1991 Gulf War, the 1999 Kosovo War and the 2003 Iraq War. North Korea's military command structure is heavily weighted towards cyber offence and is organised to undertake cyber operations even of the most menial form.
There are several recognisable state-sponsored actors in North Korea, such as Lazarus, Bluenoroff, Hidden Cobra, Andariel, Bureau 121, APT37, ScarCruft, Reaper, Group123 and DarkHotel. These names have been assigned by various security analysts to identify the actors by the malware and tactics they use. In September 2018, the US Department of Justice (DOJ) formally charged Park Jin Hyok, a 34-year-old North Korean programmer, over some of the biggest cyber-attacks of recent years. The DOJ says 'Park was an active member of a government-sponsored hacking team known in the private cyber-security sector as the Lazarus Group'.
The other attacks: The Lazarus Group has, directly or indirectly, been on a mission of cyber crime since its inception. Unconfirmed yet traceable links to this group can be drawn with regard to the following incidents:
- Operation Troy (2009)
- Ten Days of Rain (2013)
- Sony Pictures Entertainment breach (Late 2014)
- Breach of the US movie theatre chain AMC Theatres (Late 2014)
- Operation Blockbuster (Early 2016)
- Attempts to hack the US defense contractor Lockheed Martin (2016)
- Bangladesh Central Bank cyber-heist (2016)
- The WannaCry ransomware outbreak (2017)
- Cryptocurrency attacks (2017)
- A long string of hacks of South Korean news media organisations, banks and military entities across several years, and hacks of banks all over the world (from 2015 through 2018)
- Five attempted major cyber-thefts worldwide, including a successful $49 million theft from an institution in Kuwait (since the beginning of 2019)
- Attack on the US through malware dubbed ELECTRICFISH (since mid-September 2019)
So what really happened at Kudankulam? Here’s what you need to know
The Kudankulam Nuclear Power Plant (KKNPP) is the biggest nuclear power plant in India, equipped with two Russian-designed and supplied VVER pressurised water reactors with a capacity of 1,000 megawatts each. The statement issued by the Nuclear Power Corporation of India Limited (NPCIL) on the malware attack on KKNPP said that 'it had noticed the Cyber Attack on 04 September 2019 and was detected by the CERT-In (Indian Computer Emergency Response Team) and no damage has been caused to any part of the Plant'. The ensuing investigation by India's Department of Atomic Energy revealed that a user had connected a malware-infected personal computer to the plant's administrative network; the plant's operational network and systems are separate from, and not connected to, the administrative network. A cyber-attack of this kind could have resulted in physical effects, especially if the network that runs the machines and software controlling the nuclear reactor had been compromised. However, this attack was probably directed at the theft of proprietary codes or processes in the plant. The plant is well 'air-gapped' between the cyber networks of the internal operations and the external administration networks. The reports are that the breach attempt was made by North Korean hackers who were looking for information on the thorium-based reactors in operation at the plant.
Some researchers suggest that the KKNPP attack was caused by a variant of the DTRACK malware, developed by the North Korea-linked Lazarus Group, a cyber arm of the North Korean government. NPCIL has not challenged these claims. India maintains good diplomatic and economic relations with North Korea, so if Pyongyang did sponsor the attack, diplomatic fallout can be expected.
However, tracing a cyber-attack to North Korea won't be easy. Studies indicate that most state-sponsored North Korean cyber operations are perpetrated from abroad. Nearly one-fifth are launched from India, where North Korean nationals have a considerable presence. North Korean students are present in India's universities and other centres of higher education, and the Indian Technical and Economic Cooperation programme trains many North Korean students in India across several technical fields. This means that a cyber-attack from North Korea could even originate from Indian territory.
The way forward
While the Kudankulam attack did not cause any damage to critical systems or, apparently, affect the reactors, we need to carry out a study and identify the critical assets that need to be protected in the future. The philosophy of maintaining an 'air gap', though essential, is old and needs to be supplemented by many more such strategies. Hardware control is also a matter of concern in India: EAL-certified labs for testing embedded software are not available in India, and frameworks and standards are likewise absent.