German Nuclear Power Plant Confirms It Was Infected With Computer Viruses

Two days ago we reported an initial, unconfirmed report that in a deja vu occurrence of what happened in Iran several years ago when its nuclear enrichment plant was found infected with the infamous Stuxnet virus, a computer malware virus was discovered at the Gundremmingen nuclear power plant in Bavaria.

Today we finally have confirmation after Reuters reports that the nuclear power plant was indeed infected with not one but several computer viruses. But don’t worry, Reuters is quick to calm a concerned public, “they appear not to have posed a threat to the facility’s operations because it is isolated from the Internet, the station’s operator said on Tuesday.” The Gundremmingen plant in question is located about 120 km (75 miles) northwest of Munich, is run by the German utility RWE.

The nuclear power plant of Gundremmingen. Photo: Reuters

Ironically, this takes place just a week after the German government made an unprecedented request of Belgium to temporarily shut two nuclear reactors, citing technical issues involving possible safety defects. Last week Germany asked Belgium to take Engie SA’s Tihange-2 and Doel-3 atomic plants offline until the safety concerns can be addressed, Environment Minister Barbara Hendricks said last Wednesday.

It appears that the safety concern may have been Germany’s after all.


The viruses, which include “W32.Ramnit” and “Conficker”, were discovered at Gundremmingen’s B unit in a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods, RWE said.

Just like in the case of Iran where USB sticks were used to infect the local nuclear facility, Reuters reports that malware was also found on 18 removable data drives, mainly USB sticks, in office computers maintained separately from the plant’s operating systems. RWE said it had increased cyber-security measures as a result.

W32.Ramnit is designed to steal files from infected computers and targets Microsoft Windows software, according to the security firm Symantec. First discovered in 2010, it is distributed through data sticks, among other methods, and is intended to give an attacker remote control over a system when it is connected to the Internet.

Conficker has infected millions of Windows computers worldwide since it first came to light in 2008. It is able to spread through networks and by copying itself onto removable data drives, Symantec said.

For now it remains unclear who is behind this latest viral attack.

In 2013, a computer virus attacked a turbine control system at a U.S. power company after a technician inserted an infected USB computer drive into the network, keeping a plant off line for three weeks.

RWE has informed Germany’s Federal Office for Information Security (BSI), which is working with IT specialists at the group to look into the incident. The BSI was not immediately available for comment.

And now damage control. Mikko Hypponen, chief research officer for Finland-based F-Secure, said that infections of critical infrastructure were surprisingly common, but that they were generally not dangerous unless the plant had been targeted specifically. The most common viruses spread without much awareness of where they are, he said.

As an example, Hypponen said he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit. Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.

In retrospect, if trying to calm the public, it is perhaps not a great idea to say that the nuclear power plant is safe as a result of the infection just because various airplanes are also infected with comparable viruses.