
Cyber Incident Victim: Gundremmingen Nuclear Power Plant

Date: Apr 2016

Location: Germany

Summary

Malicious software including W32.Ramnit and Conficker was discovered at a German nuclear power plant, in a system handling nuclear fuel rod data visualization and on removable drives. The facility's operational systems remained unaffected because they were isolated from the internet. The operator implemented enhanced cybersecurity protocols and reported the incident to national authorities. Analysis indicated that the malware, which is capable of data theft and remote system access, most likely spread via removable media rather than through a targeted attack. The event highlighted ongoing cybersecurity challenges in critical infrastructure environments, with parallels noted in other industrial sectors where malware was unintentionally introduced through peripheral devices.

CIA Posture: available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: available to members
Location: available to members

Description

On April 26, 2016, operator RWE disclosed the discovery of computer malware infections at the Gundremmingen Nuclear Power Plant’s B unit, located approximately 120 kilometers northwest of Munich. The malware, identified as W32.Ramnit and Conficker, was detected in a computer system retrofitted in 2008 with data visualization software linked to equipment handling nuclear fuel rods. RWE clarified that the infected system was isolated from the internet, so plant operations were not compromised. Malware was additionally found on 18 removable data drives, primarily USB sticks, connected to office computers maintained separately from the plant’s operational control systems. W32.Ramnit, first identified in 2010, is Windows-based malware designed to steal files and grant attackers remote control over internet-connected systems; it commonly spreads via USB devices. Conficker, a self-replicating worm active since 2008, propagates through networks and removable drives. RWE reported the incident to Germany’s Federal Office for Information Security (BSI), which worked with the utility’s IT specialists to investigate. The company implemented heightened cybersecurity measures following the discovery, though the BSI did not provide immediate public comment.


The incident highlighted broader vulnerabilities in critical infrastructure cybersecurity. Mikko Hypponen of F-Secure noted that such infections were surprisingly common but rarely dangerous unless systems were specifically targeted, since most malware spreads indiscriminately. He cited an unrelated example of European aircraft cockpit systems repeatedly infected with Android malware by employees charging phones through USB ports, though the aircraft’s operating system prevented direct harm. The source article also referenced a 2013 U.S. incident in which a USB-introduced virus disrupted a power plant’s turbine control system, causing a three-week shutdown. Gundremmingen’s discovery occurred against a backdrop of heightened German nuclear safety concerns following the 2011 Fukushima disaster and coincided with the 30th anniversary of the Chernobyl catastrophe. RWE’s disclosure emphasized the plant’s operational isolation from external networks as a mitigating factor, with no evidence of a targeted attack or operational impact.

Sources: 2 sources (available to members)