It was reported today that multiple forms of malware have been found in a German nuclear energy plant in Gundremmingen, 75 miles north-west of Munich. Coming almost precisely 30 years after the Chernobyl disaster, with memories of recent European terrorist events, and the lingering memory of the Stuxnet worm as the world’s first cyberweapon, concerns are immediate and obvious.
In this event, the types of malware discovered are not those that would be used in a targeted attack. The threats found inside the energy operator, Conficker and W32 Ramnit, are more likely to have been picked up by accident rather than inserted by design. Indeed, F-Secure’s Mikko Hypponen said that infections of critical infrastructures are surprisingly common, but they are generally not dangerous unless the plant has been targeted specifically.
Hypponen described an incident involving a European airplane manufacturer, which cleans Android malware out of its aircraft cockpits every week. The malware reaches the aircraft because engineers charge their tablets on USB ports in the cockpits. It is harmless to the aircraft, which use a different operating system, but it can still spread back to uninfected Android devices that are subsequently charged in the same way.
While it seems unlikely that the Gundremmingen attack was targeted against the industrial control systems (ICS) that control the reactor, nevertheless a less sophisticated or even opportunistic data gathering attack against the associated information technology network cannot be ruled out.
Operated by RWE Power, the Gundremmingen Nuclear Plant is reportedly the highest-output nuclear power plant in Germany.
The plant operator told Reuters Tuesday that the malware did not threaten the facility’s operations because it is isolated from the Internet. The Reuters report does not specify that the facility’s operations network is air-gapped from everything else, only that it is isolated from the Internet. This could suggest that it is still connected to the information technology network, but isolated from it by a firewall. The IT network will probably have its own Internet connections.
Isolation and preferably air-gapping should be standard. Nevertheless, Ramnit spreads by USB stick, and was found on 18 removable drives within the facility. Stuxnet was delivered by an engineer using an infected USB stick. So the fact that the original infection probably dates back to a server retrofitted in 2008 should ring alarm bells: highly portable infected devices have been within the facility for many years.
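Because the removable-drive vector is the point here, the following is an added example (not code from the article, RWE, or any of the vendors quoted) of a small audit a defender might run over a mounted USB volume before it enters an isolated network: it extracts the launch directives from any autorun.inf and lists executables sitting at the volume root. The constructed sample volume, its file names, and the choice of directives checked are assumptions for the demonstration, not details from the article.

```python
import os
import re
import tempfile

# autorun.inf directives that make Windows run a program when a drive is
# mounted. Removable-media worms have long abused these (background fact,
# not a claim the article makes).
LAUNCH_RE = re.compile(r"^(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$", re.I)
EXEC_EXTS = {".exe", ".scr", ".dll", ".vbs", ".cmd", ".bat", ".pif"}


def autorun_targets(volume):
    """Return the programs volume/autorun.inf asks Windows to launch, if any."""
    path = os.path.join(volume, "autorun.inf")
    if not os.path.isfile(path):
        return []
    targets = []
    # Worm-written autorun.inf files often mix junk with the real directives,
    # so parse line by line instead of with a strict INI parser.
    with open(path, encoding="utf-8", errors="ignore") as fh:
        for line in fh:
            m = LAUNCH_RE.match(line.strip())
            if m:
                targets.append(m.group(2).strip().strip('"'))
    return targets


def audit_volume(volume):
    """Return human-readable findings for one mounted removable volume."""
    findings = [f"autorun.inf launches {t}" for t in autorun_targets(volume)]
    for name in sorted(os.listdir(volume)):
        if os.path.splitext(name)[1].lower() in EXEC_EXTS:
            findings.append(f"executable at volume root: {name}")
    return findings


def build_constructed_sample():
    """Create a fake suspicious volume in a temp dir (constructed test data)."""
    volume = tempfile.mkdtemp(prefix="usb_")
    with open(os.path.join(volume, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\nOPEN=RECYCLER\\payload.exe\n")
        fh.write('shell\\open\\command="RECYCLER\\payload.exe"\n')
    open(os.path.join(volume, "Setup.exe"), "w").close()
    return volume


if __name__ == "__main__":
    for finding in audit_volume(build_constructed_sample()):
        print(finding)
```

On a real system the volume argument would be the drive's mount point, and a clean stick yields an empty list.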
“It’s amazing how common it still is to find Conficker infections, long after the botnet to which its victims were recruited was effectively abandoned,” ESET senior research fellow David Harley told SecurityWeek. “It’s less surprising to see Ramnit infections,” he added, “since the malware has become to some extent resurgent after it was taken down last year – it’s still in the top ten types of malcode detected by ESET’s telemetry in March 2016. It’s always alarming to see critical installations apparently less than optimally protected against common malware, but it doesn’t look like a targeted attack, and it’s certainly not the new Stuxnet.”
FireEye’s Global Threat Intel Liaison EMEA, Jens Monrad, comes to a similar conclusion. “The fact that malware which was active years ago is still able to continuously spread and compromise inside organizations illustrates that having visibility, as well as capability into detecting and remediating compromised endpoints, is still a very complex and challenging procedure,” he told SecurityWeek.
Monrad doesn’t think the malware’s presence should simply be dismissed as a cost of doing business. It might not be a threat to data, but “it can still cause issues within an organization, as it can overshadow more severe incidents or compromises, or place an unnecessary burden on the security operations team.”
In reality this is probably not a dangerous situation. Nevertheless, two questions need to be asked and answered. Firstly, how can relatively well-known and old malware exist within a secure environment for so long without being detected; and secondly, if these ‘obvious’ forms of malware can be missed, can something more subtle and targeted still be undetected at Gundremmingen?