
Malware suspected in Japanese nuclear plant control room – but don’t panic

The control centre of a nuclear power plant really doesn’t sound like the sort of place you’d want to see a malware infection.

So, when we hear that an infection is suspected to have hit a machine at a Japanese plant, it raises immediate fears of cyber-terrorism, or at the very least advanced state-sponsored espionage.

But in this case at least there seems to be not too much to worry about. This was no Stuxnet, and no first-strike superweapon cruelly targeting a nation already overburdened with nuclear tragedies.

From the sound of it, it seems like little more than incompetence and lack of proper caution in what is without doubt a sensitive setting, but is perhaps not quite as dangerous a place as it might at first sound.

Piecing together what little information can be gleaned from local news sources and specialist nuclear industry watchers, it would appear that the machine in question was one of eight in the control room at the Monju plant near Tsuruga, Fukui Prefecture.

Unusual behaviour was spotted by an admin on January 2nd, with over 30 unexpected connections made, thought to originate from South Korea.

Investigations are still ongoing, but it seems the system in question was not pivotal to the safety of the plant. The shared-use machine did however contain data including a large amount of employee email and training information which may have been leaked by the compromise.

Monju is a prototype sodium-cooled fast breeder reactor. It was commissioned in the mid-1990s but managed only a few months of operation before a sodium leak led to a major fire, after which the reactor was shut down for fifteen years.

A restart in 2010 was also short-lived, and the whole project has teetered between tentative restart plans and total abandonment ever since.

So, a non-serious infection on a non-crucial machine at a non-operational plant. But there may still be some lessons to be learnt here.

The suspected infection is said to have occurred “after an employee updated free software”, with the product in question elsewhere described as “video playback software”.

Of course, when we hear “video” and “update” in a malware context, we immediately think of the “fake codec” attack technique which was so popular 4-5 years back, but surely this can’t be a revival?

Either way, it seems like the plant’s IT is not too well protected, and is running freeware video software which any user can tinker with at will.

It’s probably fairly tedious work manning a long-defunct and slowly dying plant, and maybe the odd cat video can help kill some time, but that’s no excuse for sloppy security practices.

In any business setting, software should only be running if it is approved and maintained by IT staff, who should keep a close eye on any updates to make sure they don’t include any connecting-repeatedly-to-somewhere-they-shouldn’t components. This applies to all machines, however non-mission-critical they may be.
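One way to put that “close eye” into practice is to compare outbound connections against the list of destinations IT has actually approved, and raise an alert when a single host racks up more unexpected connections than some threshold (the article’s trigger was “over 30”). The script below is an added example written for this post, not code from the original article or from the plant; the log format, hostnames, addresses and the allowlist are all constructed for illustration.

```python
"""Flag hosts whose outbound connections fall outside an approved allowlist.

Added example, not from the original article. Assumes a constructed flow-log
format of one record per line:  "<timestamp> <src_host> <dst_ip>:<dst_port> <proto>".
Allowlist entries, hostnames and addresses are made up for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed allowlist: internal network plus one hypothetical update server.
# In practice this comes from the software inventory that IT maintains.
APPROVED_DESTINATIONS = [
    ip_network("10.0.0.0/8"),       # internal network (assumed)
    ip_network("192.0.2.10/32"),    # hypothetical approved update server
]

ALERT_THRESHOLD = 30  # "over 30 unexpected connections" was the article's trigger


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src_host: str
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow_line(line: str):
    """Parse one flow record; return None for malformed lines instead of crashing."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, src_host, dst, proto = parts
    host_part, sep, port_part = dst.rpartition(":")
    if not sep or not port_part.isdigit():
        return None
    try:
        ip_address(host_part)  # validate the address syntax
    except ValueError:
        return None
    return Flow(timestamp, src_host, host_part, int(port_part), proto)


def is_approved(dst_ip: str) -> bool:
    """True if the destination lies inside any approved network."""
    addr = ip_address(dst_ip)
    return any(addr in net for net in APPROVED_DESTINATIONS)


def unexpected_by_host(lines):
    """Return {src_host: [Flow, ...]} keeping only non-approved destinations."""
    result = defaultdict(list)
    for line in lines:
        flow = parse_flow_line(line)
        if flow is None or is_approved(flow.dst_ip):
            continue
        result[flow.src_host].append(flow)
    return dict(result)


def alerts(lines, threshold=ALERT_THRESHOLD):
    """Hosts whose unexpected outbound connection count exceeds the threshold."""
    out = []
    for host, flows in sorted(unexpected_by_host(lines).items()):
        if len(flows) > threshold:
            dsts = sorted({f"{f.dst_ip}:{f.dst_port}" for f in flows})
            out.append((host, len(flows), dsts))
    return out


def build_sample_log():
    """Constructed sample records (not real plant data)."""
    lines = []
    # ctrl-ws-01: ordinary internal traffic plus two stray connections (below threshold)
    for i in range(10):
        lines.append(f"2014-01-02T09:{i:02d}:00 ctrl-ws-01 10.0.5.20:445 tcp")
    lines.append("2014-01-02T09:10:00 ctrl-ws-01 203.0.113.5:443 tcp")
    lines.append("2014-01-02T09:11:00 ctrl-ws-01 203.0.113.5:443 tcp")
    # ctrl-ws-03: one approved update fetch, then repeated unapproved connections
    lines.append("2014-01-02T09:00:00 ctrl-ws-03 192.0.2.10:443 tcp")
    for i in range(35):
        lines.append(f"2014-01-02T10:{i:02d}:00 ctrl-ws-03 198.51.100.77:8080 tcp")
    lines.append("malformed record that the parser should skip")
    return lines


if __name__ == "__main__":
    for host, count, dsts in alerts(build_sample_log()):
        print(f"ALERT {host}: {count} unexpected outbound connections to {', '.join(dsts)}")
```

The allowlist approach deliberately avoids trying to decide what is “malicious”: anything IT has not approved is flagged, which is exactly the posture the paragraph argues for. A geolocation lookup (the article’s “thought to originate from South Korea”) could be layered on top, but the count of unapproved destinations alone is enough to surface a beaconing freeware update on a shared workstation.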

And even if your nuclear plant isn’t running at full speed, you can’t just put your feet up and ignore safety matters, Homer Simpson style.

There’s going to be all kinds of dangerous material around that needs to be properly monitored and maintained, so your IT setup still needs to be held up to higher standards than most businesses.

The Monju plant sounds like it has a pretty shabby record of safety, with reports of thousands of items of equipment being missed off checking schedules, and even attempts to cover up incidents.

A minor malware infection may not sound as serious as leaking radioactive material, but it should be seen as an indicator of potentially bigger problems to come.

It’s a sign that admins are not keeping a tight enough rein on their IT systems, and that users are not treating them with the respect and caution they deserve.

So, no cause for panic, but perhaps some cause for concern.


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/UoiyoReowPk/
