Concerns Raised Over Malware in German Nuclear Plant

It was reported today that multiple forms of malware have been found in a German nuclear energy plant in Gundremmingen, 75 miles north-west of Munich. Coming almost precisely 30 years after the Chernobyl disaster, with memories of recent European terrorist events, and the lingering memory of the Stuxnet worm as the world’s first cyberweapon, concerns are immediate and obvious.

In this event, the types of malware discovered are not those that would be used in a targeted attack. The threats found inside the energy operator, Conficker and W32/Ramnit, are more likely to have been picked up by accident than inserted by design. Indeed, F-Secure’s Mikko Hypponen said that infections of critical infrastructure are surprisingly common, but are generally not dangerous unless the plant has been specifically targeted.

Gundremmingen Nuclear Power Plant in Germany (Credit: Felix König)

Hypponen described an incident involving a European airplane manufacturer, which cleans Android malware out of its aircraft cockpits every week. The malware spread to the aircraft because engineers were charging their tablets on USB ports in the cockpits. It was harmless to the aircraft, which run a different operating system, but it could still spread back to uninfected Android devices that were subsequently charged in the same way.

While it seems unlikely that the Gundremmingen infection was aimed at the industrial control systems (ICS) that run the reactor, a less sophisticated or even opportunistic data-gathering attack against the associated information technology network cannot be ruled out.

Operated by RWE Power, the Gundremmingen Nuclear Plant is reportedly the highest-output nuclear power plant in Germany.

The plant operator told Reuters Tuesday that the malware did not threaten the facility’s operations because it is isolated from the Internet. The Reuters report does not specify that the facility’s operations network is air-gapped from everything else, only that it is isolated from the Internet. This could suggest that it is still connected to the information technology network, but isolated from it by a firewall. The IT network will probably have its own Internet connections.

Isolation, and preferably air-gapping, should be standard. Nevertheless, Ramnit spreads by USB stick, and was found on 18 removable drives within the facility. Stuxnet was delivered by an engineer using an infected USB stick. So the fact that the original infection probably dates back to a server retrofitted in 2008 should ring alarm bells: highly portable infected devices have been moving around the facility for many years.
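One control that directly addresses the removable-media problem described above is screening every USB drive before it goes anywhere near the operations network. The following is an added example, not code from the article or from RWE: a tolerant parser for the Windows `autorun.inf` file that USB worms of that era (Ramnit among them) relied on to launch themselves on insertion. It assumes the classic AutoRun directives (`open=`, `shellexecute=`, `shell\...\command=`), and all sample file contents are constructed for illustration.

```python
"""Screen a removable drive's autorun.inf for directives that launch code.

Added illustrative example, not from the SecurityWeek article or the plant
operator. Assumes the classic Windows AutoRun mechanism: a file named
autorun.inf in the drive root whose [autorun] section can name a program via
open=, shellexecute= or shell\\<verb>\\command= entries. Sample inputs below
are constructed, not captured from real malware.
"""
from __future__ import annotations

import re
import sys
from pathlib import Path

# Directives that make Windows (with the old AutoRun defaults) launch a
# program on insertion or when the drive icon is double-clicked.
_LAUNCH_KEYS = ("open", "shellexecute")
_SHELL_CMD = re.compile(r"^shell\\[^\\=]+\\command$", re.IGNORECASE)

# Constructed sample: a benign vendor drive that only sets an icon and label.
SAMPLE_BENIGN = "[autorun]\nicon=tools.exe,0\nlabel=Vendor Maintenance Kit\n"

# Constructed sample in the style of a worm-written file: binary junk before
# the header, odd casing, CRLF line endings, and a loader in a RECYCLER dir.
SAMPLE_WORM = (
    "\x00\x07junk\xff padding of the kind worms use to confuse naive parsers\n"
    "[AuToRuN]\r\n"
    "open=RECYCLER\\loader.exe\r\n"
    "shell\\open\\command=RECYCLER\\loader.exe\r\n"
    "icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
)


def parse_autorun(text: str) -> dict[str, str]:
    """Tolerant INI parse of the [autorun] section.

    Worm-written autorun.inf files are often padded with junk bytes or use
    unusual casing, so this deliberately avoids configparser: it keeps only
    key=value lines that follow an [autorun] header and ignores the rest.
    """
    entries: dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if key:
                entries[key] = value.strip()
    return entries


def flag_launch_directives(text: str) -> list[tuple[str, str]]:
    """Return (directive, target) pairs that would run code from the drive."""
    flagged = []
    for key, value in parse_autorun(text).items():
        if key in _LAUNCH_KEYS or _SHELL_CMD.match(key):
            flagged.append((key, value))
    return flagged


def scan_drive_root(root: Path) -> list[tuple[str, str]]:
    """Look for autorun.inf (any letter case) in a mounted drive's root."""
    for candidate in root.iterdir():
        if candidate.name.lower() == "autorun.inf" and candidate.is_file():
            # latin-1 never fails to decode, so junk bytes cannot abort the scan.
            data = candidate.read_bytes().decode("latin-1")
            return flag_launch_directives(data)
    return []


if __name__ == "__main__":
    # Usage: python autorun_check.py /media/usb   (or run with no argument to
    # see the constructed samples classified).
    if len(sys.argv) > 1:
        print(scan_drive_root(Path(sys.argv[1])))
    else:
        print("benign sample:", flag_launch_directives(SAMPLE_BENIGN))
        print("worm sample:  ", flag_launch_directives(SAMPLE_WORM))
```

A kiosk that runs this (together with a conventional scanner) on every drive entering the plant catches the launch vector even when the payload itself is not yet known to signatures; the parser is intentionally forgiving because an autorun.inf that confuses a strict INI reader is itself a warning sign.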

“It’s amazing how common it still is to find Conficker infections, long after the botnet to which its victims were recruited was effectively abandoned,” ESET senior research fellow David Harley told SecurityWeek. “It’s less surprising to see Ramnit infections,” he added, “since the malware has become to some extent resurgent after it was taken down last year – it’s still in the top ten types of malcode detected by ESET’s telemetry in March 2016. It’s always alarming to see critical installations apparently less than optimally protected against common malware, but it doesn’t look like a targeted attack, and it’s certainly not the new Stuxnet.”

FireEye’s Global Threat Intel Liaison EMEA, Jens Monrad, comes to a similar conclusion. “The fact that malware which was active years ago is still able to continuously spread and compromise inside organizations illustrates that having visibility, as well as capability into detecting and remediating compromised endpoints, is still a very complex and challenging procedure,” he told SecurityWeek.

Monrad doesn’t think the malware’s presence should simply be dismissed as a cost of doing business. It might not be a threat to data, but “it can still cause issues within an organization, as it can overshadow more severe incidents or compromises, or place an unnecessary burden on the security operations team.”

In reality this is probably not a dangerous situation. Nevertheless, two questions need to be asked and answered. Firstly, how can relatively well-known and old malware exist within a secure environment for so long without being detected; and secondly, if these ‘obvious’ forms of malware can be missed, can something more subtle and targeted still be undetected at Gundremmingen?

Related: Cyberattack on German Steel Plant Caused Significant Damage

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
