cyber-4398481_960_720

Space-based technologies that have civil and military uses are drawing greater interest with more countries entering into this field. Development beyond peaceful uses i.e. weaponization of outer space is a growing concern for the modern world. Around forty countries are using space to provide information support to their communication systems, for scientific and industrial purposes or to develop weapons systems like anti-satellite weapons.

Countries like the US, Russia, China, France, Iran, North Korea, and Japan are engaged in space development programs. Currently, there are around 1,957 active spacecraft, 830 of which belong to the US. Around 280 belong to China and Russia has 147. Around 302 are used for military purposes, whereas 991 are in civil and commercial use.

The scope of war has diversified from land to sea and then air, eventually moving to space. The growing arms race lead to the militarization of outer space. These developments pose serious threats to international security and the prohibition of arms race movements. It has potential long-term political, economic, and military consequences. Countries like the US and Russia are in pursuit of the weaponization of space which will be carried out in numerous phases. There are two main

After the Indian nuclear power plant, it was the Indian space agency that was attacked by suspected North Korean hackers during the Chandrayaan-2 mission. India’s Space Research Organization (ISRO) was warned of the expected cyber-attack during Chandrayaan-2 failed moon mission. It is not the first time that India’s critical infrastructure came under attack. Earlier, on October 4th 2019, the cyber-attack on the Indian nuclear power plant was confirmed by India’s National Cyber Security Council. The malware was found on the Kundankulam Nuclear Power Plant (KNPP) in Tamil Nadu. The said attack was not admitted earlier when it was reported initially in September 2019, which provided a cause for concern over a month later. This cyber-attack on the Indian nuclear power plant poses serious questions regarding nuclear security. The attackers acquired high-level access and it is reported that sensitive targets, ‘mission-critical targets’, were hit.

In nuclear security, computer-based-systems provide nuclear safety and security, material accountancy, system controls, and sensitive information management systems. The cyber threat in nuclear security intends to target such computer-based systems with the intent of theft of information, modifying or destroying a specified target through unauthorized access. Computer security exercised within a nuclear security regime seeks to minimize risks of cyber-attacks that could contribute to nuclear security events. Cyber-attacks may put at risk the Confidentiality, Integrity and/or Availability (also known as CIA triad) of the information within computer-based systems. Cyber-attacks, therefore, jeopardize the ability of the systems to perform assigned functions. One of the main concerns are the Sensitive Digital Assets (SDAs), which are used to store, process, and control or transmit sensitive information. The compromise of an SDA could result in an adverse impact on nuclear security functions.

Nuclear security remains a national responsibility, but all states have an obligation under international arrangements to ensure that their nuclear security is not compromised. In this regard, the Convention on Physical Protection of Nuclear Material (CPPNM) makes it obligatory to ensure all nuclear facilities and material remains under stringent security at par with the best international practices. According to the CPPNM, states should establish mechanisms for the protection of the confidentiality of information, the unauthorized access to which could lead to the compromise of the physical protection of nuclear material and other related facilities. It also requires that the computer-based systems used for physical protection, nuclear security, and safety, nuclear material accountancy and control should be protected against compromise which should be consistent with threat assessment.

In 2016, the International Atomic Energy Agency (IAEA) member states highlighted the priorities and recognized the threat of cyber-attacks against nuclear facilities as a serious concern and showed commitment to work towards strengthening of information security and computer security. Computer-based-system vulnerabilities could be identified as technological, physical protection, and administrative process. Even if an organization takes measures to protect its system from any attack, sometimes the prevalent computer vulnerabilities can lead to cyber-attacks, setting digital assets at risk. To protect information and other supporting elements, it must be considered to protect Sensitive Digital Assets (SDAs) which store, process, control, or transmit sensitive information. The main aim of computer security is to protect the system from a cyber-attack which could result in any severe consequence, like degraded capability to prevent, detect, and respond to nuclear security events, or loss of sensitive information.

A computer-based-system when attacked by a virus or other malware with no specific focus against the system or organization is called a non-targeted attack. In such type of attacks, a compromised system is accessed by an unauthorized external connection which can compromise emails and other valuable data. Whereas, in a direct or targeted attack, a specific target is chosen which could be an organization, a system or even a specific person. In a direct attack, if the adversary is unable to achieve its objective in early attempts, it can target past employees of the organization as well. Persistent attacks are sustained and may involve an early compromise followed by a lengthy period of information collection. This kind of attack can compromise the record of individuals with key positions and keep track of the flow of the information as the attacker may even maintain a persistent presence in the system for months.

In the case of Indian cyber-attack, the virus known as Dtrack was identified, a version of which was also used to infiltrate Indian Automated Teller Machines (ATMs) to steal customers’ information. The developers were identified as the North Korean group, Lazarus. This seems a direct and targeted attack on such critical Indian infrastructure, happening thrice in two months. The breach of security and loss of information was evident in all these attacks. Linking the cyber-attack on the nuclear power plant to the security of the largest nuclear power plant in India poses grave concerns and raises serious questions regarding India’s implementation of the rules and regulations, which are binding for all member states as per the CPPNM.

India presents itself as a responsible nuclear weapons state which has exercised measures to prevent such incidents and has built its case for the Nuclear Suppliers Group (NSG) membership by claiming its unmatchable record on nonproliferation, nuclear security and safety. This cyber-attack has exposed India’s inherent susceptibilities and its culture of complacency. To cover up its follies, India initially claimed that the most recent cyber-attack was on the administrative side and not the operations side, but these exposed India’s vulnerabilities. In the field of nuclear security, a future attack could be on the reactor operations, which could potentially lead to nuclear reactor failure or a melt-down, has serious consequences for the region. Irrespective of where the attack happened, any such successful attempt in a nuclear facility is a serious issue.

The writer is the Researcher at the Centre for Aerospace and Security Studies (CASS) and her area of specialization is Nuclear and Strategic Affairs. She can be reached at [email protected]


Share this article

Facebook
Twitter
LinkedIn

Recent Publications

Browse through the list of recent publications.

How the Nature of Warfare Affects the AI Optimism

Since the advent of Artificial Intelligence (AI), a pressing question is being asked: Is Clausewitz still relevant? The game-changing potential of AI and the idea of human-machine teaming (centaur systems) have led many to doubt the seemingly unchanged nature of war. Apparently, it has given rise to the belief that AI-powered systems will replace humans (generals) in the command loop. However, this view is detached from the complex nature of warfare, which remains fundamentally a human endeavour guided by violence, chance and friction.

Just like other social institutions, war is generally an interpretivist paradigm rooted in complex human nature. It is a non-linear phenomenon whose conduct and outcomes cannot be determined by analytical predictions or algorithmic patterns. In other words, war usually does not proceed on pre-determined rules of engagement, prescriptive manuals, established patterns and predictive modelling. Instead, it is fought on judgment, adaptation to changing realities, commander’s intuition and paying attention to the unfolding of the unknown. 

Read More »

Two Faces of the Atom: India’s Nuclear Exceptionalism

ew examples capture the inconsistencies of the nuclear world order more starkly than the events of 2 March 2026: as Prime Ministers’ Mark Carney and Narendra Modi signed a landmark 1.9 billion USD uranium supply deal for India’s civil nuclear sector, Iran was subjected to the third day of indiscriminate airstrikes by the US and Israel under the banner of nuclear non-proliferation, despite Iran agreeing to zero stockpiling of enriched uranium just days prior. This event, unfortunately, was not an isolated one, rather it reflects a pattern of nuclear exceptionalism where certain states such as India, continue to be rewarded for non-compliance with international regulations, while others such as Iran, are censured and even subjected to military action based on hypothetical realities.

The latest deal would see Canada sell close to 22 million pounds of uranium concentrate to India over 8 years, starting in 2027, a sale more than ten times the last Canada-India uranium agreement of 2015, which supplied 7 million pounds of concentrate over 5 years.

Read More »

Data Centres as the New Military Targets in Modern Conflicts

The character of warfare has evolved in tandem with the changing nature of military targets. In early March 2026, Iran bypassed traditional military targets and struck the physical part of the digital infrastructure at Amazon Web Services (AWS) data centres in the UAE and Bahrain. Until now data centres had been considered an unassuming target, as they did not house any military equipment or hardware. However, the US-Israel war on Iran, has transformed these billion dollar sites into high-value targets because of their ability to act as server farms on which adversaries’ websites, apps, AI systems and the entire digital infrastructure run.

Data centres are digital ecosystems where the delivery of cloud services depends on the integrity of physical infrastructure. Disruption in any one part of the shared infrastructure does not remain isolated and risks triggering widespread systemic failure. In the case at hand, Amazon operated multiple availability zones within each region in the United Arab Emirates and Bahrain. Iran struck two of the three availability zones in the UAE, while in Bahrain, a zone was damaged by drone debris causing an extended power outage and connectivity problems that further disrupted service across the Gulf.

Read More »