When India’s Nuclear Secrets Were Hacked

19 years ago, India's premier atomic research institute was hacked into by teenagers from across the world.

As the world reels from the onset of the WannaCry ransomware, India’s cyber security division urged the government to patch critical infrastructure. Banks, airports, stock markets and major corporations alike were advised to download the latest patch.

India was one of the world’s first victims of a targeted mass hack. 19 years ago, on June 3, 1998, the home page of India’s premier nuclear plant, the Bhabha Atomic Research Centre (BARC), bore an unauthorised image and message. A mushroom cloud with the words:

If a nuclear war does start, you will be the first to scream …

Five megabytes of emails had been downloaded, containing weeks of correspondence between BARC scientists. The hackers routed their approach through American military servers. They called themselves ‘milw0rm’ and they had begun the era of hacking nuclear facilities.

At the time, it had only been a month since India had conducted a series of nuclear tests at Pokhran. An international team of teenage hackers had broken into the servers of the BARC. Going by the pseudonyms JF, Keystroke, ExtreemUK, savec0re, and VeNoMouS, they had exposed India’s cyber security infrastructure as non-existent.

As Adam L. Penenberg reported in Forbes, milw0rm weren’t the first to break into BARC; another teenage hacker named t3k-9 had laid the groundwork. t3k-9 was a 15-year-old in the United Kingdom, who was watching the news break on India’s illegal nuclear tests.

He barely had to struggle to access BARC’s systems. The 1998 equivalent of googling “India atomic research” was typing “.in atomic” into Infoseek (a defunct search engine that later merged with Yahoo, another defunct search engine).

A brute-force computer attack is one where the ‘hacker’ tries every possible combination of characters, letters and numbers until he stumbles upon the one you use as a password. In JF’s case, it didn’t take much time to find the right mix – “ANSI”. If you had a computer and some skills in 1998, four characters were all that stood between you and a nuclear weapons programme. t3k-9 was 15. He had his heroes in cyberspace, and one of them was a hacker named IronLogik.

IronLogik gained even greater access. Many of the emails he read were encrypted, and those that were unencrypted were even more stunning. As the Forbes article describing his exploits states:

He read some of the unencrypted mail, eavesdropping on conversations between scientists at BARC, Los Alamos and other research centers. Some detailed the recent atomic detonations, including one that postulated that one of the blasts had been faked.

Neither t3k-9 nor IronLogik wanted to go overboard with this. But the 15-year-old couldn’t help himself, and leaked the password details on an Integrated Relay Chat (IRC) – a communication tool favoured by hackers for its anonymity. Soon, hundreds of people were breaking into the BARC website. Among them, a loosely knit collective called milw0rm did the most defacing – and gained international credit for the hack.

As they told John Vranesevich from Anti Online in an interview:

It’s ironic that India has weapons capable of destroying the world, but they can’t secure a little web server which is connected to their networks.

They held an anti-nuclear agenda. But that wasn’t enough to stop them from bragging.

it’d be interesting to send some e-mail from the indian (sic) server to a pakistan (sic) server saying we’re india (sic) and we’re about to nuke them.

They weren’t entirely responsible for the hack – the backdoors were created by IronLogik and t3k-9. A sign that their claims were grandiose was the assertion that the breach took “13 minutes and 56 seconds” to execute. The Indian media, doubtlessly familiar with the state of the internet in the country at the time, knew this was untrue – five MB would have taken a lot longer to download.

India’s response 

Publicly, BARC claimed that nothing of value was accessed or stolen. This, even as later reports said the hackers were approached by terrorists (who searched all over the web for the BARC data – offering a bounty).

Hackers from milw0rm went on to hack other websites. Rumours emerged that the United States had access to all of the data gathered from BARC. And India learned its lesson about keeping nuclear data safe?

Not exactly. In 2013, over 7,000 websites were ‘hacked’ by Pakistani hackers. Many of these were defaced. While BARC’s website was untouched, data relating to it was stolen from the Electronics Corporation of India Limited (ECIL) site. A chain of data is unsafe as long as even a single link is broken.

Today, the government hopes to utilise a homegrown operating system for government and defence purposes. Bharat Operating System Solutions (BOSS) is a Linux distribution, which the government hopes will be free of the kind of loopholes and backdoors that commercially-available hardware is now known for.

Today, they’ll be hoping they’d installed it earlier. For the real impact of WannaCry in India is yet to be known at the time of writing. So far, hundreds of thousands of computers are supposed to be infected. With what is known about WannaCry so far, it’s not as much a hack as it is a lock placed over your data – with a $300 (Rs.19,228) fee charged for unlocking it.

By far, the worst that can happen already has. A nuclear facility was compromised while a nuclear programme was in its infancy. Going forward, India can only tighten the gaps in its cyber infrastructure and hope to have learned a one-time lesson.


Copyright Madras Courier 2017. All rights reserved.