The Kudankulam Nuclear Power Project denied its control systems had been attacked. But government officials confirmed that an “incident” had occurred, though it did not affect the main operations of the plant.
There was speculation on social media that the malware in question was Dtrack, malware which the Russian company Kaspersky detailed in September and attributed to the Lazarus group which is claimed to have North Korean affiliation.
According to Kaspersky, Dtrack was derived from ATMDtrack, the latter being malware developed to attack ATMs and first seen in Seoul in 2013.
"And once again, we see that this group uses similar tools to perform both financially-motivated and pure espionage attacks."
In a statement released on Wednesday, the NPCIL said it had been notified of the infection by CERT-In [India's national computer emergency response team], which had noticed it on 4 September.
"The matter was immediately investigated by DAE (Department of Atomic Energy) specialists," the statement said. "The investigation revealed that the infected PC belonged to a user who was connected to the Internet-connected network used for administrative purposes.
"This is isolated from the critical internal network. The networks are continuously monitored. Investigation also confirms that the plant systems are not affected."
Commenting on the incident, Dave Weinstein, the chief security officer at network protection vendor Claroty, said: "This reporting is indicative of what we see as a growing threat to global critical infrastructure, especially within lifeline sectors.
"In some respects, it's reassuring that the attackers did not reach the plant's control systems, but it's a stark reminder that safety and cyber security go hand-in-hand these days.
"Organisations can no longer rely on the so-called 'air gap' to secure their control systems; they must perform continuous security monitoring."