German Nuke Plant Hit by Disruptive Cyber Attack: Report

A German nuclear power plant suffered a disruptive cyber attack within the last few years, International Atomic Energy Agency (IAEA) Director Yukiya Amano told Reuters during a visit to Germany on Monday.

Disruptive is a term used to distinguish attacks that are not destructive: the attack on Sony Corp in 2014 is classed as disruptive; the Stuxnet attack on Iran's nuclear program is classed as destructive.

It is sometimes considered that the difference between disruptive and destructive is the difference between cyber espionage and cyber war. Talking about the OPM breach, the Director of National Intelligence James Clapper said it wasn't an attack "since it was entirely passive and it didn't result in destruction or any of those kinds of effects. There was no destruction of data or manipulation of data. It was simply stolen." Using the same logic, the attack on the German nuclear plant was not an act of cyber war, but more likely an act of cyber espionage.

Nevertheless, Amano stressed that the event should not be taken lightly. "This is not an imaginary risk," he said. "This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything or if it's the tip of the iceberg."

There are three publicly known attacks against nuclear power plants: Monju NPP in Japan (which involved the compromise of the control room and a release of data in 2014); the Korea Hydro and Nuclear Power plant (involving a computer compromise and the release of nuclear power plant -- NPP -- documents in 2014); and the Gundremmingen NPP (where malware was found on plant IT systems in April 2016).

It is possible, but would seem unlikely, that the incident referred to by Amano was the Gundremmingen incident. That happened earlier this year, and is likely to have been less worrying than it immediately appeared. Conficker and Ramnit viruses were found at Gundremmingen, but F-Secure's Mikko Hypponen said at the time that the infection was more likely by accident than design.

The Amano incident, however, occurred "two to three years ago", thus predating the Gundremmingen incident. Amano flagged the issue at an IAEA cyber security conference in June 2015, and said it will be a key topic at a broader nuclear security summit in Vienna in December.

A recent example of a 'destructive' attack was discussed in a new BBC report Monday. In April 2015 French television company TV5Monde was hit by a destructive attack at first thought to be ISIS-linked following the Charlie Hebdo shootings. By June 2015, however, blame had switched to the APT28 Russian hacking team.

The new BBC report comes at a time of heightened publicity about the 'Russian' threat. Yesterday, the Telegraph reported that UK ministers have been banned from wearing Apple Watches during Cabinet meetings for fear they might be hacked by Russian spies. "One source said: 'The Russians are trying to hack everything'," reports the Telegraph. Both the Telegraph and BBC reports follow the US government officially accusing Russia of being behind the recent attacks against American political organizations.

The BBC's report on TV5Monde comments, "The issue as to why Russian hackers targeted the company is one that has occupied intelligence analysts in the UK and US, as well as France. In London, the conclusion was that it was most likely an attempt to test forms of cyber-weaponry as part of an increasingly aggressive posture."

Although there is no suggestion from Amano that the 'disruption' he describes emanates from Russia, it is clear that western authorities are ramping up propaganda against Russia. A successful destructive attack against a nuclear power plant would be devastating.

In Dec. 2014 it was reported that an attack launched by an advanced persistent threat group against an unnamed steel plant in Germany resulted in significant damage. According to the report, control components and entire production machines suffered outages due to the attackers' actions. The outages prevented the plant from appropriately shutting down a blast furnace, leaving it in an undetermined state and causing significant damage to the plant.

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.