The attack against Kudankulam Nuclear Power Plant (KKNPP) and the Indian Space Research Organisation in early September this year by the North Korea-based Lazarus group triggered several concerns over the challenge posed by external cyber threats. The North Korean State, with a Stalinist regime at its helm, is starved of financial and technological resources. It is therefore obvious for them to undertake such kind of cyber intrusion activities to extract information as was done at the KKNPP.

There are two possibilities that could have driven the Lazarus group to deploy DTRACK - a spyware which allows access to data - to infiltrate the administrative network of the KKNPP facility. The first is purely technological: The DTRACK intrusion was to steal as much available technical data relating to the reactors’ design, coolant system, fuel handling and storage system, and ascertain the operating capacity of the reactors at the KKNPP. The second is perhaps to test both the cyber defences at the KKNPP facility, and Indian cyber operators’ response mechanisms when faced with a cyber intelligence penetration.

The KKNPP facility hosts two Unit-1 and Unit-2 Pressurised Water Reactors (PWRs) known as the VVER-1000, each with a 1000 Megawatt Electricity (MWe), which are among the most advanced reactors built by the Russian nuclear industry. Unit-3 and Unit-4 are two additional reactors of the VVER-100 type with more advanced safety features to be installed to expand the electricity power generation capacity of the KKNPP facility.

Pyongyang’s cyber espionage is potentially part of an effort to understand the technology and reactor design and the nature of the cyber defences at the KKNPP facility, or rather the Operating Environment (OE), and penetrating the administrative network was merely a dry run. A computer from the KKNPP infected by the DTRACK spyware attack could have compromised information relating to search and browser history, keylogging, Internet Protocols, and the data files stored on the system, which could be a stepping-stone for penetrating the computer controls that actually run the reactors. Any information about the software and computer controls transmitted across the administrative network at the time of the DTRACK penetration, wittingly or unwittingly, could serve as the source for future exploitation in the form of sabotage.

The Bhabha Atomic Research Centre (BARC) is developing its own computational code system and software for the Russian designed VVERs at the KKNPP. As of now, it is unclear what the extent of the breach was, and how much information was actually ex-filtrated. The press release by the Nuclear Power Corporation of India Limited (NPCIL) reveals scant information about the magnitude of the attack beyond the reassuring statement that the computer controls running the reactors were unaffected, and the infected system has been isolated from the remainder of the network.

Another objective of the Lazarus group’s cyber espionage goes beyond Pyongyang’s own needs of extracting information about the nuclear facility. It is possible that North Korea passed information on to interested third parties, which are inimical to Indian interests. Pakistan and China individually, or both, may be beneficiaries of the cyber intelligence exfiltration by the Lazarus group. If not immediately, both Beijing and Islamabad, in due course, could exploit the information provided by the North Korean cyber espionage mission against KKNPP. In the event of a crisis, the vulnerabilities of the VVERs could be exploited and their safe operation threatened. The only two centres that stand to strategically gain the most from the Lazarus group’s spyware intrusion are Beijing and Rawalpindi. Given their proximity to Pyongyang, China and Pakistan are plausible beneficiaries, because of their history of collusion with the North Koreans. Pyongyang may well have been a proxy, which lends plausible deniability to Chinese and Pakistani collusion.

Monetary gains could be another plausible motivation for the cash-strapped North Korea.

Conducting an act of cyber espionage of the kind conducted against Kudankulam is also a surprise. Few instances hitherto exist of Pyongyang pursuing cyber espionage missions of this nature against India’s nuclear infrastructure. New Delhi, after all, has formal diplomatic ties with Pyongyang, and is in a position to seek answers from the North Korean regime about the motivation behind Pyongyang’s use of cyber espionage against an Indian strategic facility. Cyber incidents involving nuclear facilities are not new. At least since 1990, there have been 20 recorded instances, but perpetration of the latest Kudankulam cyber incident on an Indian nuclear facility is the first of its kind, at least from North Korea.