Decoding motives behind the Kudankulam intrusion

The North Korea-based Lazarus group’s attack against Kudankulam Nuclear Power Plant (KKNPP) and the Indian Space Research Organisation in early September this year triggered considerable concerns over the challenge posed by external cyber threats. The North Korean State, with a Stalinist regime at its helm, is starved of financial and technological resources. It has considerable incentive to undertake the kind of cyber intrusion to extract information as was done at the KKNPP.

There are two possibilities that could have driven the Lazarus group to deploy DTRACK — a spyware which allows access to data — to infiltrate the administrative network of the KKNPP facility. The first is purely technological: The DTRACK intrusion was to steal as much available technical data relating to the reactors’ design, coolant system, fuel handling and storage system, and ascertain the operating capacity of the reactors at the KKNPP. The corollary was perhaps as much to test both the cyber defences at the KKNPP facility, and Indian cyber operators’ response mechanisms when faced with a cyber intelligence penetration.

The KKNPP facility hosts two Unit-1 and Unit-2 Pressurised Water Reactors (PWRs) known as the VVER-1000, each with a 1000 Megawatt Electricity (MWe), which are among the most advanced reactors built by the Russian nuclear industry. Unit-3 and Unit-4 are two additional reactors of the VVER-100 type with more advanced safety features to be installed to expand the electricity power generation capacity of the KKNPP facility.

Pyongyang’s cyber espionage is potentially part of an effort to understand the technology and reactor design and the nature of the cyber defences at the KKNPP facility, or rather the Operating Environment (OE), and penetrating the administrative network was merely a dry run. A computer from the KKNPP infected by the DTRACK spyware attack could have compromised information relating to search and browser history, keylogging, Internet Protocols, and the data files stored on the system, which could be a stepping-stone for penetrating the computer controls that actually run the reactors. The browser history or technical information stored on the infected system could have possibly contained information about some node or technical data regarding the operation of the reactor. Any information about the software and computer controls transmitted across the administrative network at the time of the DTRACK penetration, wittingly or unwittingly, could serve as the source for future exploitation in the form of sabotage.

Indeed, the Bhabha Atomic Research Centre (BARC) is developing its own computational code system and software for the Russian designed VVERs at the KKNPP. Any leakage of computational or software data potentially create vulnerabilities. As of now, it is unclear what the extent of the breach was, and how much information was actually ex-filtrated. The press release by the Nuclear Power Corporation of India Limited (NPCIL) reveals scant information about the magnitude of the attack beyond the reassuring statement that the computer controls running the reactors were unaffected, and the infected system has been isolated from the remainder of the network.

The other objective of the Lazarus group’s cyber espionage goes beyond Pyongyang’s own needs of extracting information about the nuclear facility. It is plausible North Korea passed information on to interested third parties, which are inimical to Indian interests. Pakistan and China individually, or both, may be beneficiaries of the cyber intelligence exfiltration by the Lazarus group. If not immediately, both Beijing and Islamabad, in due course, could exploit the information provided by the North Korean cyber espionage mission against KKNPP. In the event of a crisis, the vulnerabilities of the VVERs could be exploited and their safe operation threatened. The only two centres that stand to strategically gain the most from the Lazarus group’s spyware intrusion are Beijing and Rawalpindi. Given their proximity to Pyongyang, China and Pakistan are plausible beneficiaries, because of their history of collusion with the North Koreans. Pyongyang may well have been a proxy, which lends plausible deniability to Chinese and Pakistani collusion.

Monetary gains could be another plausible motivation for the cash-strapped North Korea.

Conducting an act of cyber espionage of the kind conducted against Kudankulam is also a surprise. Few instances hitherto exist of Pyongyang pursuing cyber espionage missions of this nature against India’s nuclear infrastructure. New Delhi, after all, has formal diplomatic ties with Pyongyang, and is in a position to seek answers from the North Korean regime about the motivation behind Pyongyang’s use of cyber espionage against an Indian strategic facility. Cyber incidents involving nuclear facilities are not new. At least since 1990, there have been 20 recorded instances, but perpetration of the latest Kudankulam cyber incident on an Indian nuclear facility is the first of its kind, at least from North Korea.

India’s nuclear security managers cannot afford to let their guards down, enabling such cyber intrusion. It is possible that this time the damage was not significant, and India’s cyber operators were effective in containing and neutralising the threat. However, lapses are costly if the targets are strategic facilities. New Delhi faces motivated non-State and State adversarial actors. The challenge from the cyber nuclear nexus has the potential to alter India’s security calculus significantly.

Harsh V Pant is professor, King’s College, London, and director of studies, Observer Research Foundation, New Delhi. Kartik Bommakanti is an associate fellow at the Observer Research Foundation, New Delhi

The views expressed are personal