India News
Leave a comment

Not the first data breach at Kudankulam: Recalling 2019 cyberattack that targeted thorium info | Explained News

Not the first data breach at Kudankulam: Recalling 2019 cyberattack that targeted thorium info | Explained News


5 min readNew DelhiUpdated: Jul 18, 2026 07:48 PM IST

A data breach has exposed information linked to the Kudankulam Nuclear Power Plant (KKNP), India’s flagship nuclear project located in Tamil Nadu’s Tirunelveli district.

For nearly a month, numerous documents purportedly linked to the plant — including engineering drawings, inspection records, minutes of meetings, technical reports and official correspondence — have been circulating on the dark web after it was leaked by ransomware group World Leaks.

The Nuclear Power Corporation of India Ltd (NPCIL), which operates the plant, has downplayed the leak, maintaining that documents relate only to non-critical facilities outside the ‘reactor island’ and pose no risk to nuclear safety. Reactor island refers to the central, highly protected section of a nuclear power plant where all nuclear processes and critical safety operations take place.

Yet, the breach has renewed cybersecurity concerns over India’s critical and strategic infrastructure, particularly at a time when the government has begun opening up the tightly regulated civil nuclear sector to private participation.

The incident has also drawn particular attention because it is not the first time the Kudankulam plant has been linked to a cyber incident. In 2019, malware attributed to a North Korean hacking group was detected within the plant’s administrative network, highlighting the persistent cyber risks facing India’s strategic nuclear assets.

What happened in 2019?

The 2019 cyber incident was not confined to the KKNP. It also affected the Indian Space Research Organisation (ISRO). The breach became public on October 28, 2019, after some of the plant’s data showed up on virustotal.com, an online malware scanning service..

Subsequent investigations by multiple cybersecurity agencies and experts attributed the intrusion to DTrack malware, which was linked to the North Korea-backed Lazarus Group, “an umbrella name that typically describes hacking activity which advances Pyongyang’s interests”.

Story continues below this ad

According to cybersecurity analysts, Dtrack belongs to the same family of malware that was linked to the 2016 cyberattack on an Indian private bank’s ATM network. It spread across the banking system and forced the replacement of an estimated 2.9-3.2 million compromised debit and credit cards.

The Dtrack malware reportedly targeted the ‘domain controller’ of KKNP’s online network, exposing credentials such as passwords. A domain controller is a central server that acts as the ‘gatekeeper’ of a network and verifies the authenticity of all the other devices on the network.

Following the intrusion, Seoul-based IssueMakersLab, an expert group of malware analysts, had claimed that the attack was meant to steal information on India’s thorium-based nuclear power, a technology which Indian scientists have been working on for decades.

According to IssueMakersLab, the primary entry point for the cyberattack was a group of senior Indian nuclear scientists associated with the atomic energy programme, including scientists who continued to use official institutional email accounts for research work after retirement.

Story continues below this ad

It claimed that the attackers sent malware-laced links to their official and personal email accounts. It claimed that once the links were opened while connected to the Kudankulam plant’s network, the malware spread through the plant’s IT systems. IssueMakersLab also claimed that the attackers had prior knowledge of the plant’s IP network, helping them penetrate its IT infrastructure.

Little information on official findings

A day after the information about the 2019 breach became public, KKNP officials issued denials, saying no cyber-attack was possible on the plant’s standalone control system. A day later, however, NPCIL admitted an intrusion and said the matter was immediately investigated by specialists from the government’s Department of Atomic Energy.

In a statement, the NPCIL said the matter was conveyed by the Computer Emergency Response Team-India (CERT-In) when it was noticed by them on September 4, 2019.

“The investigation revealed that the infected Personal Computer (PC) belonged to a user who was connected in the internet connected network used for administrative purposes. This is isolated from the critical internal network. The networks were being monitored continuously. Investigation also confirms that the plant systems are not affected,” the statement read.

How high-security setups work

Story continues below this ad

Most high-security setups operate on two “air-gapped”, or separate, networks. The first is a standalone control system that runs the core function — reactors in the case of a nuclear power plant. The other is an online network responsible for the rest of the functions.

Air-gapped networks, however, are not considered foolproof. Such systems have been compromised in the past, including at the Davis–Besse Nuclear Power Station in Ohio in 2003, and in breaches involving classified US military networks in 2008.

Beyond the NPCIL’s brief acknowledgement and its emphasis on the plant’s air-gapped architecture, little is available in the public domain, even today, about the findings of the investigation into the 2019 malware attack.





Disclaimer: We do not own any of the content, ideas, images, or text presented here. All rights belong to their respective owners. For more information and to view the original source, please visit the following link:

Source link

Leave a Reply

Your email address will not be published. Required fields are marked *