German Nuclear Power Plant Confirms It Was Infected With Computer Viruses

Tyler Durden's picture

Two days ago we relayed an initial, unconfirmed report that, in a deja vu of what happened in Iran several years ago when its nuclear enrichment plant was found infected with the infamous Stuxnet virus, computer malware had been discovered at the Gundremmingen nuclear power plant in Bavaria.

Today we finally have confirmation: Reuters reports that the nuclear power plant was indeed infected with not one but several computer viruses. But don't worry, Reuters is quick to calm a concerned public: "they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said on Tuesday." The Gundremmingen plant in question, located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE.

The nuclear power plant of Gundremmingen. Photo: Reuters

Ironically, this takes place just a week after the German government made an unprecedented request of Belgium to temporarily shut two nuclear reactors, citing technical issues involving possible safety defects. Last week Germany asked Belgium to take Engie SA’s Tihange-2 and Doel-3 atomic plants offline until the safety concerns can be addressed, Environment Minister Barbara Hendricks said last Wednesday.

It appears that the safety concern may have been Germany's after all.

The viruses, which include "W32.Ramnit" and "Conficker", were discovered at Gundremmingen's B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said.

Just like in the case of Iran where USB sticks were used to infect the local nuclear facility, Reuters reports that malware was also found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant's operating systems. RWE said it had increased cyber-security measures as a result.

W32.Ramnit is designed to steal files from infected computers and targets Microsoft Windows software, according to the security firm Symantec. First discovered in 2010, it is distributed through data sticks, among other methods, and is intended to give an attacker remote control over a system when it is connected to the Internet.

Conficker has infected millions of Windows computers worldwide since it first came to light in 2008. It is able to spread through networks and by copying itself onto removable data drives, Symantec said. 

For now it remains unclear who is behind this latest viral attack.

In 2013, a computer virus attacked a turbine control system at a U.S. power company after a technician inserted an infected USB computer drive into the network, keeping a plant off line for three weeks.

RWE has informed Germany's Federal Office for Information Security (BSI), which is working with IT specialists at the group to look into the incident. The BSI was not immediately available for comment.

And now damage control. Mikko Hypponen, chief research officer for Finland-based F-Secure, said that infections of critical infrastructure were surprisingly common, but that they were generally not dangerous unless the plant had been targeted specifically. The most common viruses spread without much awareness of where they are, he said.

As an example, Hypponen said he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit. Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.

In retrospect, if trying to calm the public, it is perhaps not a great idea to say that the nuclear power plant is safe as a result of the infection just because various airplanes are also infected with comparable viruses.

Zero Point's picture

How does one spell stuxnet or flame in Yiddish?

Boris Alatovkrap's picture

Obviously is plant personnel is visit website without proper proxy relay. Maybe should take lesson from SEC.

Sturm und Drang's picture

Dunno Boris. Word is the Germans know a thing or two about pr0n.

John Kich's picture

Obama will not finish his second term! Banned independent documentary reveals the truth. This will scare millions!

LasVegasDave's picture

Laugh all you want, schmuck; but it wont be Yids sabotaging the reactors, it will be your buds, the persians and arabs.

Boris Alatovkrap's picture

Persian and Arab IQ is too low for pose credible threat, but maybe is use oil money for acquire talent of good Israeli hacker.

PT's picture

No, I'm quite sure it was a North Korean Irani Russian Chinese hacker who had help from Crimean Syrian Iraqi Libyan Yemeni Afghan AlQuaeda ISIS member who accidentally left a copy of his passport on the host computer along with a receipt for a donation to Trump's campaign.

PT's picture

How many old-time programmers do we have on ZH?  How many young programmers know all the basics that the old timers take for granted?  (You young 'uns will have to tell me, I really don't know.)

For the uninitiated, a little Computer Virus 101:
You can have a billion viruses on your computer system.  As long as the CPU is not reading and processing the code, all is fine.  The code just sits there like all the other code that just sits there when you're not using it.  You can have your computer hooked up to the net.  Nothing comes down off the net unless your computer asks for it.  (Or has someone changed the hardware and now allows downloads and processing of code without your computer's permission?  Or what about the software - how safe are those Windows Upgrades and Anti-Virus updates after all?  Yes, yes, the companies tell me it is safe, but my mechanic* also tells me that he changed the oil.)  Computers might accidentally receive virus code as an input but that does not mean that the computer has to process that virus code.  Depending on the programming, it could easily decide that the virus code was not the information it was looking for, or it could quite happily process the virus code as if it was something else entirely - eg a bitmap.  The point being, it should be damn easy for a nuclear power plant to be programmed to ignore bad input from the net ..., err except it could be given false inputs.  In that case the information that a nuke power plant sends / receives over the net should be as safe as your credit card info (which should be as safe as bitcoin, but note that proviso word:  SHOULD.)

Okay, you can put a virus on a memory stick and slap it on a nuke computer, run the Virus Install program and away you go.  You need physical access to the computer, you need control of the computer to the point where you can install and run your naughty software.  And you probably stole a copy of the software six months earlier so you could plan the best way to hack into it.

That's as much as I can say.  Any experts got anything interesting to add?



*No offence to my mechanic.  He's probably honest.  Just using his trade as an easy-to-recognize cliche.

Boris Alatovkrap's picture

Boris is not expert, but maybe analogy is make sufficient. Computer Virus is like latent syphillic pathogen that is make residence in spinal column of toothless washup whore and just when you are think safe, BAM! is full transmission to client and nose is fall off face.

PT's picture

Close, if you just add that the syphillic pathogen does nothing unless either the whore or one of the clients deliberately activates it.

Boris Alatovkrap's picture

You are clear astute improvement of analog.

RogerMud's picture

hmm, there's a massive power outage in Zurich. coincidence?

Ghordius's picture

that's the gnomes underground revolting

now, a bit more seriously: the German Defense Minister has been granted some 3'000 new hires for... Cyber Defense

yes, she is a blonde gal. I know, the Russian Defense minister looks like he could go on after a few punches in the face, but this is not the usual way DefMins operate, catching punches in the face

PT's picture

Not by the time they become DefMins anyway, but it helps to have a little experience from the trenches.  What's that saying again?  Oh yeah, "I don't know how to do your job but I have a book here that says you are doing it wrong."

Ghordius's picture

disagree. give me an experienced political budget fighter and experienced administrator any time before an experienced soldier lacking those qualities

soldiers know what to ask for. the DefMin's job is to get them the money for it, and keep the admin as small as possible. a gal reinforces the civilian role

Germany pioneered the concept of "Auftrag", of Tasks given by civilians or generals, and then the lower ranks fulfilling that task while they find out how

PT's picture

I would like to agree with you but I come from an industry where the safety people make you wear a harness when you work one foot above ground.  No, I am not exaggerating.  That fighter might be good at winning but they'd better be able to recognize the difference between the real prize and the booby prize.

MalteseFalcon's picture

Overheard at German Nukuloor regulatory bureau:

Mann 1: "Wir shoulden das nukuloor plant zu das internet uphooken."

Mann 2: "Vhat?  Wir don't needen das internet zu das nukuloor plant runnenen.  Und die hackermanner coulden das nukuloor plant overtaken!"

Mann1:  "But das internet ist kuhler dann immigrationen!"

Mann2: "Das is richtig.  Hooken das nukuloor plant zu das internet!!"

MalteseFalcon's picture

Unterarrowmann ist dumbkopf!!!

thesonandheir's picture

Doesn't touch the PLC safety system (guessing Siemens S7) so no harm done and no need to panic.

buzzsaw99's picture

...and targets Microsoft Windows software

i'm shocked to hear this. /SARCASM

We're real sorry you didn't enjoy your free upgrade to Windows 10! [/Francis]

PT's picture

Headline should read, "German Nuclear Power Plant Confirms It Was Infected With Windows."

Don't worry, the computer will cool them fuel rods as soon as it has finished downloading the other 600 upgrades, and it utterly refuses to do anything if you have not downloaded your Anti Virus updates.  Besides, you haven't even activated your accounts with GMail, FaceBook and Twitter.  Them stupid power rods are just gonna have to wait!

SomethingSomethingDarkSide's picture

Virus files are types .exe, .zip, .cia, .fbi, .dod, .nsa, and .gov

Zero Point's picture

Seriously, who the fuck else would write the very large sophisticated ones. Flame is like 20 meg. Who would waste THAT much time?

Cognitive Dissonance's picture

"But don't worry, Reuters is quick to calm a concerned public, "they appear not to have posed a threat to the facility's operations because it is isolated from the Internet, the station's operator said on Tuesday."

And as we all know a computer virus will do no harm when it isn't connected to the Internet. Computer viruses are not autonomous, therefore all is well at the controlled nuclear explosion facilities.  /sarc

Chernobyl, Three Mile Island and Fukushima were all one off events and will never happen again.  /double sarc

<The above comment brought to you by a former long haired hippie
who protested proposed and commissioned nuclear plants in the 70's to no
avail. Because the unthinkable can NEVER happen at nuclear plants.>

ghengis86's picture

Yeah, where are all those greenies that want to shut down coal, but utter nary a peep on nuke plants?
What's the half-life of the spent rods? Millions of years? And what's the plan for storing it? Burying it? Wow.
And if you lose power and run out of diesel for your back up generators?
And while not likely - but possible nonetheless, especially when getting into pissing matches with nuke nations - what would an EMP do to one plant? What would an EMP do if the nuke was detonated in the atmosphere and hit a bunch of plants?

So fucking stupid. Give me coal any day.

Urban Roman's picture

All us hippies were much hipper in the '70s. Maybe because Vietnam was still a fresh memory. Or the JFK/RFK/MLK assassinations. Or maybe there was actually a functioning education system.

Anyhoo, the global warming thing is going to be a passing fad. Just a pit stop on the road to civilization collapse, which is still more or less on schedule, thankyouverymuch.

Cognitive Dissonance's picture

Not to mention a 'natural' EMP from the sun a la the Carrington Event. It has happened in the past and will happen again in the future.

Urban Roman's picture

Having personally weeded the Shipup trojan out of a non-connected lab setting, I must admit it was interesting to watch it work. Long story as to why we couldn't run a virus scanner -- in short, virus scanners thought the lab software was suspicious and interfered with it.

You put a USB stick into the slot, and the disk light blinks for about two seconds, and it's done its stuff. In that time, it has tweaked the registry, placed its executables into obscure harmless sounding file names, started a service called sp00ler.exe as I recall, and retrieved any of its pilfered files back onto the USB stick. And after that, you can no longer view hidden/system files, even if you 'enable' them under file options.

And it does something I'm pretty sure Conficker and Stuxnet also do: it keeps a manifest of other malware, which is maintained, preened, and updated as new versions are released. This secondary malware does many of the various tasks one might want malware to do, such as grabbing browser cache files (which frequently have copies of passwords, etc). And this is why a virus is sometimes said to be '20 MB' in size. The actual executables are small, a few tens of K. In the case of Stuxnet, part of the payload on this manifest must have been the SCADA sabotage routine.

Microsoft, in its infinite stupidity, will simply run an autorun.inf if it finds one in the root directory of a USB device. You can disable this behavior, but there is a bit in the registry that re-enables it. Your virus is always going to go enable that registry setting straightaway. This is perhaps the greatest advantage of Linux: either it does not run the autorun, or it won't work because whatever was in it was written for Windows.

Cognitive Dissonance's picture

The fact they found several viruses might indicate they have not found all of them. The easy to find ones often put people back to sleep after assuming the problem is fixed.

When speaking of nuclear power plants, it only takes one major screw up to make for a very bad day, week, month, year, decade and century.

Urban Roman's picture

I'll second that.

When Chernobyl blew up, it was night-shift technicians screwing around with the reactor core. They probably knew what they had done wrong, right before they died.

Now we have a computer system, with the IQ of a cockroach, screwing around with the reactor.

Four and twenty black birds baked into a pie ...

PT's picture

I'm a little out of date here, so I apologize for asking you to spell it out a little slower:
You put the stick in the USB slot, and in about two seconds it has done its stuff.  I understand that bit.  Did the user have to manually run the little exe on the USB stick or did the host computer automatically decide that the most important thing to do with any new USB stick is to look for some code to run immediately?  Does the owner of the host computer have the option to turn the autorun off or is there always a little something that automatically runs no matter what?


TxExPat's picture

Charitably, someone was bypassing controls on software distribution at the powerplant.  Human Nature being what it is, Homer Simpson was watching "Adult Movies" stored on the flash drive during slow moments on the Night shift...

Urban Roman's picture

Well, OK, Let's say you have a USB peripheral, such as, I dunno, maybe a nuclear reactor controller. Or a DVD burner.

When you first plug it in, the computer, assuming it's a standard M$ off the shelf stock PC, does not actually have a device driver for the DVD burner. But nonetheless, it shows up as a USB external disk drive. In its root directory is a file, autorun.inf. This file gets executed by the stock PC. It rummages around in the file system on that USB disk, queries the operating system for its version, 64 bits or 32 bits, etc. Then it installs a device driver for the DVD burner function. And maybe pops a browser page with some ads from the company that made it, though that 'feature' has proven quite unpopular.

Once the device driver has been installed, the device now shows up in your computer's file system as a proper DVD burner (or nuke plant?).

In the case of the Conficker worm, the autorun.inf routine causes Conficker to silently hide on your PC's disk drive. It will also start a service on that PC, which is a program that runs in the background without any window or direct controls. Microsoft runs dozens of services. A service is always 'running' but may or may not be active depending on what signals it is looking for -- it might wake up on a time schedule or be triggered by a USB insertion. If it hogs 100% of the CPU, people will notice it and kill/delete it, so it has to only run a very small part of the time.

And that's pretty much all I know about it...
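
The autorun.inf behaviour and the registry setting discussed in the comments above, as an added defensive example (not code from any commenter): a tolerant parser that lists what an autorun.inf on a quarantined stick would ask Windows to launch, and a decoder for the `NoDriveTypeAutoRun` policy bitmask. The value name and bit meanings are standard Windows facts not stated on the page; the sample file and mask values are constructed.

```python
import re

# [autorun] keys that name something Windows may launch.
EXEC_KEYS = re.compile(r"^(open|shellexecute|shell\\[^\\=]+\\command)$", re.I)

# NoDriveTypeAutoRun bits (Policies\Explorer); a set bit DISABLES AutoRun
# for that drive type. Only the commonly audited drive types are listed.
DRIVE_BITS = {0x04: "removable", 0x08: "fixed", 0x10: "network",
              0x20: "cdrom", 0x40: "ramdisk"}


def autorun_commands(raw: bytes) -> list[tuple[str, str]]:
    """Return (key, command) pairs an autorun.inf asks Windows to run.

    Hand-rolled instead of configparser because files recovered from
    suspect media may carry junk lines that a strict INI parser rejects.
    """
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = raw.decode("utf-16", errors="replace")
    else:
        text = raw.decode("latin-1")  # never fails, keeps junk bytes visible
    section, found = "", []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if section == "autorun" and sep and EXEC_KEYS.match(key.strip()):
            found.append((key.strip().lower(), value.strip()))
    return found


def autorun_enabled_for(mask: int) -> list[str]:
    """Drive types for which AutoRun is still enabled under this mask."""
    return [name for bit, name in DRIVE_BITS.items() if not mask & bit]


# Constructed sample: junk padding, mixed-case keys, one unrelated section.
SAMPLE = (b"\x8f\x02junk padding line\r\n"
          b"[AutoRun]\r\n"
          b"; constructed sample, not taken from a real infection\r\n"
          b"OPEN = tools\\setup.exe /quiet\r\n"
          b"icon=setup.ico\r\n"
          b"shell\\open\\Command=tools\\setup.exe\r\n"
          b"[Content]\r\nMusicFiles=false\r\n")

if __name__ == "__main__":
    for key, cmd in autorun_commands(SAMPLE):
        print(f"would launch via {key}: {cmd}")
    for mask in (0x91, 0xFF):  # constructed policy values
        print(hex(mask), "AutoRun still on for:", autorun_enabled_for(mask))
```

A mask that leaves `removable` in the returned list is the condition to alert on, both at baseline and whenever the value changes after a host has been hardened.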

PT's picture


So the default "opinion" of a computer is that, on reception of USB stick it MUST run autorun.inf and not bother any human beings in the room becoz if they really cared then they'd get the AV software to check it out for them.  Security is let down by a simple software "fault".  (A good idea so idiots don't have to think but a bad idea when anyone with half a brain would prefer to control their own computer.)

Urban Roman's picture

That's pretty much it. Microsoft always errs on the side of easy. So your average user doesn't have to bother the IT department for support.

Running a nuke plant is supposed to be hard.

mc225's picture

yeah he was talking about autorun.inf, dude.

Son of Captain Nemo's picture

Message from your Anglo-American pals at NSA, Mossad and MI6...

Start increasing your numbers in places like Syria and Ukraine or you will be dealing with your very own 3/11!

peddling-fiction's picture

Breivik was a message of that kind to Norway.

Sturm und Drang's picture

[channeling Buzz] lulz

abyssinian's picture

Print more money and lower the negative rates even more.... Fix every problem usually.

Sandmann's picture

I thought Windows was a computer virus. Why do nuclear sets use Windows rather than Linux ?

lakecity55's picture

Hey, they have Windows 95, give them a break.

Urban Roman's picture

Some of the equipment has been upgraded to Windows 98.

Really, whatever engineering genius decided to use Microsoft for anything like this, needs to be taken out and shot.

peddling-fiction's picture

Windows in any of its manifestations is a no-no when security is needed.

lakecity55's picture

Hey, that's what happens when you buy Rods off the street and insert them into your Pile!

Last of the Middle Class's picture

Isolated from the internet, means only one or two addys and we watch them closely.  Usually, when we're not cutting back. I call Bullshit!

the.ghost.of.22wmr's picture
the.ghost.of.22wmr (not verified) Apr 27, 2016 7:59 AM



The joobashers are really active lately.


Then again, even Trump gives oral pleasure to Israel: