NEW DELHI—India’s state-run nuclear power producer said malware was discovered on a computer at its largest facility earlier this year but the computer wasn’t connected to the plant’s operations, which it said were unaffected.

The Nuclear Power Corporation of India Ltd., or NPCIL, said it was first alerted of the malicious software in its system by the government’s cybersecurity agency Sept. 4. The Department of Atomic Energy, which works directly under Prime Minister Narendra Modi’s office, then carried out a detailed investigation by specialists, a statement Wednesday from the power producer said.

The investigation revealed that the infected personal computer was part of the company’s network for administrative purposes, said the statement, which was signed by an associate director at NPCIL.

“This is isolated from the critical internal network,” the statement said.

The NPCIL’s statement came less than a day after an earlier release denied there was a cyberattack on the control system of the Kudankulam power project in Tamil Nadu state. That statement said it was refuting social media posts and some media reports of a cyberattack on the plant.


An attack on the facility’s control systems would be far more worrying. Those operate the reactor, control rods and cooling systems in the plant.

Cyber experts have become increasingly worried malicious actors may try to carry out such a destructive cyberattack. Those fears have been heightened since a Saudi Arabian petrochemical plant was knocked offline in 2017. That attack, later linked to Russian attackers, targeted the plant’s emergency shut-off systems.

Russian attackers have also been linked to a long-running campaign targeting electrical utilities in the U.S.

Russia has denied that it is hacking such infrastructure.


It wasn’t immediately clear who was behind the attack on the Indian nuclear plant. Cybersecurity experts said it appeared to be a targeted attack rather than an accidental virus infection. The malicious software has been used by an adversary involved in targeted attacks in the past. It also appeared to be designed specifically to penetrate the Kudankulam plant, said Sergio Caltagirone, director of threat intelligence at Dragos. It could have been targeted for purposes of reconnaissance or espionage, Mr. Caltagirone said.

Authorities in India couldn’t immediately be reached for comment about Mr. Caltagirone’s suspicions.

Tuesday’s statement by Indian authorities said the Kudankulam nuclear power project and other Indian nuclear power plants’ control systems aren’t connected to external computer networks.

“Any cyberattack on the nuclear power plant control system is not possible,” the company’s information officer at the Kudankulam plant, R. Ramdoss, said Tuesday.


NPCIL said that its two nuclear plants at Kudankulam were operating at 1,000-megawatt and 600-megawatt capacity each without any operational or safety concerns.

The government’s chief spokesperson declined to comment beyond NPCIL’s two news releases. A spokeswoman at the Department of Atomic Energy wasn’t immediately available for comment.

A second government official said a friendly country had warned India of the breach. A team was then sent to the southern Indian plant and eventually discovered malware in a computer used for administrative purposes. He declined to name the country that alerted India.

NPCIL is India’s largest nuclear-power producer with 21 operational commercial units with an installed capacity of 6,680 megawatts, according to its website.


Write to Rajesh Roy at rajesh.roy@wsj.com and Robert McMillan at Robert.Mcmillan@wsj.com