Cyber Incident Victim: Indian Space Research Organisation
Date: Nov 2019
Location: India
Summary
The Indian Space Research Organisation was targeted by North Korean hackers during its lunar mission, with experts indicating phishing emails led to malware installation on employee systems. While officials denied the cyberattack compromised the mission, which ultimately failed after losing contact with the spacecraft, the incident raised concerns following similar attacks on other government entities, including a nuclear power plant. The hackers, associated with the Lazarus group, reportedly used DTrack malware, which U.S. authorities link to North Korean operations, though the space agency maintained its critical systems remained unaffected.
Description
In September 2019, during India's Chandrayaan-2 lunar mission, the Indian Space Research Organisation (ISRO) was targeted in a cyber attack suspected to originate from North Korea. Cybersecurity experts identified ISRO among five Indian government agencies compromised by phishing emails distributed by North Korean operatives. Employees are believed to have inadvertently installed malware after interacting with these fraudulent communications. The Financial Times reported that ISRO received warnings about the intrusion attempt during the mission timeframe. Despite these alerts, the space agency publicly denied any compromise of its operational systems, asserting that mission-critical infrastructure remained unaffected. The Chandrayaan-2 mission ultimately failed when ground control lost contact with the Vikram lander during its final descent phase on September 6, 2019. Prime Minister Narendra Modi, who had publicly championed India's space ambitions, personally comforted ISRO's chairman in the nationally televised aftermath of the failure. ISRO initiated assessments of potential threats from North Korean hacking groups following the disclosure.

This incident occurred alongside a confirmed cyber attack on India's Kudankulam Nuclear Power Plant, which cybersecurity investigators attributed to the Lazarus Group—a hacking collective associated with North Korean intelligence. Forensic analysis of the nuclear plant breach revealed the use of DTrack malware, a tool previously linked to Lazarus operations. Nuclear officials clarified that only administrative workstations connected to non-critical networks were infected, with no penetration into industrial control systems. The U.S. government had imposed sanctions on Lazarus earlier in 2019 for targeting global financial and military institutions. While ISRO maintained its systems weren't breached, the dual disclosures regarding space and nuclear infrastructure raised concerns about coordinated targeting of Indian strategic assets. No technical evidence publicly confirmed whether the lunar mission failure resulted from cyber interference, as ISRO's investigation focused on engineering aspects of the spacecraft's crash landing.
