Skip to content
Naked Security Naked Security

Breach at US nuclear plants raises concerns in wake of Petya

With Chernobyl among those hit by Petya and the US breach, concerns are rising about the potential effect of weaponised exploits being used against nuclear energy infrastructure

The Petya (or NotPetya) malware hit numerous prominent targets last week but one famous name jumped out of the victim list with eye-scorching immediacy –  the former Ukrainian nuclear power station at Chernobyl.

For anyone old enough to remember the 1980s, the Chernobyl accident and the radiation it released in a cloud across Europe is a byword for nuclear disaster, and the human tendency to underestimate the importance of having a plan B. The area around the plant (pictured)  is still an abandoned exclusion zone, 31 years after the disaster.

The site’s still-dangerous radiation levels are now monitored on a 24×7 basis, aided by an automated measurement system that reportedly had to be turned off after Petya infected computers used to manage this process.

With unsettling symmetry, at the height of the Petya scare, industry site E&E News got wind of a breach “affecting multiple nuclear power generation sites” in the US “in recent months”.

Said E&E:

No public authorities have issued word on who may be responsible, but agencies are looking at the possibility that another country may be behind the hack.

The timeline makes the direct involvement of Petya less likely but the timing of the revelation seems like more than coincidence, as does the thematic suspicion falling on a nation state as being behind the attacks.

Reportedly, the US nuclear breach wasn’t considered serious enough to warrant the filing of a full report with the International Atomic Energy Agency (IAEA) but it did, disconcertingly, end up being given its own ominous code name, “Nuclear 17”.

And then at the end of last week the US government warned of a hacking campaign targeting the nuclear and energy sectors, with a report from Department of Homeland Security and the FBI alerting companies to a phishing campaign designed to steal credentials and get access to networks.

At the moment, little is known about the dimensions of this incident but code names for cyberattacks are never a good sign in the security sector, let alone nuclear power.

The energy sector is still digesting the significance of two attacks on Ukrainian power systems a year apart from one another in 2015 and 2016. In an earlier story covering the later incident, Naked Security noted that it’s as if Ukraine had become a laboratory for probing energy systems for weakness.

With Petya apparently centred on a Ukrainian financial software suite called MeDoc – the malware’s so-called “patient zero” – the country still seems to be a useful crucible to trial increasingly advanced forms of hacking.

Chernobyl being caught up with Petya was probably coincidental but nevertheless symbolic. That catastrophe was an accident, but the thought that someone might come back to deliberately sow mayhem in a nuclear or energy system is one the world might yet have to come to terms with.

As with Petya, and WannaCry, the private worry about Nuclear 17 is that the unfolding EternalBlue leak of alleged NSA spying tools and vulnerabilities might be feeding attacks that are starting to manifest in all sorts of sectors.


5 Comments

If any nuclear country is stupid enough to not only connect their nuclear power station safety circuits to the internet, but to also use technology that is vulnerable to standard cyber attacks, they really missed performing an even basic safety audit. Although Japan came close when they decided a single point of failure (Tsunami higher than their sea wall) would never happen so they didn’t raise their critical infrastructure above the ground.
Currently the highest risk to nuclear safety is from the authorized ‘wetware’ that we still cant do without, which was the underlying fault with both Chernobyl and Three Mile Island.

They are usually isolated but not completely. Remember Stuxnet? That jumped across the air gap on USB sticks.

New Zealand has the answer. Their power systems run on RS232, so good luck hacking that from the internet.

Comments are closed.

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?